TryHackMe: Pickle Rick

This is the first CTF challenge of the “Starter Series” on TryHackMe. It is themed after a cartoon character called Pickle Rick (never heard of this one before..).


Pickle Rick


First, let’s run the full port scan, although the description already hints that we are dealing with a webpage. Not surprisingly we find that port 80 is open.

$ sudo nmap -sC -sV -oA 1000ports 

Nmap scan report for
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (reset)
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:a1:80:4d:10:f8:b9:73:81:cb:a5:2f:74:f6:3c:34 (RSA)
|   256 0d:12:91:f3:78:04:bd:b4:6f:53:54:3b:27:53:d7:b3 (ECDSA)
|_  256 ec:eb:82:2b:03:8a:03:3c:f4:c9:ca:56:0a:f1:7b:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 10.57 seconds

The website looks like this:


Apparently we have to find some credentials. The HTML-view of the page gives away the username R1ckRul3s:


Since this is a CTF-Challenge, it’s always worth to check robots.txt, which reveals this text:


Might be nonsense, or a password. Seems to be some joke referring to the original series.

Next let’s start a directory scan:

sudo gobuster dir -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt 

The first hit is assets, which reveals a list of files and pictures.


Unfortunately this is also the only hit we get, so it seems the other pages are not inlcuded in the directory wordlist. One image is called portal.jpg and shows a greenish swirling circle. At this point I got stuck, but the walkthrough showed that it only takes an elaborated guess and try to access the /portal.php link…


Initial Foothold

…and with the previously found username and password we are logged in. What we get seems to be a kind of command access to the webserver.


Turns out the “first ingredient” is just lying around on the website at /Sup3rS3cretPickl3Ingred.txt, and the clue tells us to “Look around the file system for the other ingredient”. So let’s do that.

There are more tabs called “Potions”, “Creatures” and so on, but it seems only the “real” pickle rick can view it, not our current user.


We can find the second ingredient in the /home/rick folder, but it seems that the cat command is disabled. So let’s try to find an alternative to cat.


Solving this was pretty easy, for example by putting the c of cat into quotations: "c"at .... It returns the second ingredient.

Privilege Escalation

The last flag is probably somewhere within the /root directory. So let’s try to check out how we can escalate our privileges. And this one is really easy: It turns out that the current user can run any command as sudo without password.


For example, we can run sudo ls /root to check all the files in the root directory and find the third ingredient there.