TryHackMe: Pickle Rick


This is the first CTF challenge of the “Starter Series” on TryHackMe. It is themed after a cartoon character called Pickle Rick (never heard of this one before..).



Pickle Rick

Enumeration

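First, let’s run a port scan with nmap’s default scripts and version detection (by default this covers the 1000 most common TCP ports), although the description already hints that we are dealing with a webpage. Not surprisingly, we find that port 80 is open, alongside SSH on port 22.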

$ sudo nmap -sC -sV 10.10.140.170 -oA 1000ports 

Nmap scan report for 10.10.140.170
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:a1:80:4d:10:f8:b9:73:81:cb:a5:2f:74:f6:3c:34 (RSA)
|   256 0d:12:91:f3:78:04:bd:b4:6f:53:54:3b:27:53:d7:b3 (ECDSA)
|_  256 ec:eb:82:2b:03:8a:03:3c:f4:c9:ca:56:0a:f1:7b:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.57 seconds

The website looks like this:

pickleRick-Box

Apparently we have to find some credentials. The HTML-view of the page gives away the username R1ckRul3s:

pickleRick-Box

Since this is a CTF challenge, it’s always worth checking robots.txt, which reveals this text:

Wubbalubbadubdub

Might be nonsense, or a password. Seems to be some joke referring to the original series.


Next let’s start a directory scan:

$ sudo gobuster dir -u http://10.10.140.170 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt

The first hit is assets, which reveals a list of files and pictures.


Unfortunately this is also the only hit we get, so it seems the other pages are not included in the directory wordlist. One image is called portal.jpg and shows a greenish swirling circle. At this point I got stuck, but the walkthrough showed that it only takes an educated guess to try the /portal.php link…


Initial Foothold

…and with the previously found username and password we are logged in. What we get seems to be a kind of command access to the webserver.


Turns out the “first ingredient” is just lying around on the website at /Sup3rS3cretPickl3Ingred.txt, and the clue tells us to “Look around the file system for the other ingredient”. So let’s do that.

There are more tabs called “Potions”, “Creatures” and so on, but it seems only the “real” Pickle Rick can view them, not our current user.



We can find the second ingredient in the /home/rick folder, but it seems that the cat command is disabled. So let’s try to find an alternative to cat.


Solving this was pretty easy, for example by putting the c of cat into quotes: "c"at ... The shell removes the quotes before it runs the command, so this still executes cat and returns the second ingredient.
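Why a filter on the raw command string misses the quoted form, and what a check that holds up looks like, as an added example (not code from the room or from this write-up). The blocklist contents, the allowlist and the sample inputs are assumptions; the panel's real filter is not shown on the page.

```python
from __future__ import annotations
import shlex

# Assumption: the panel rejects input containing these substrings (hypothetical list).
BLOCKED = ("cat", "head", "tail", "more", "less")
# Hypothetical allowlist for the hardened variant: program name -> max argument count.
ALLOWED = {"ls": 2, "whoami": 0, "id": 0}
SHELL_META = set(";&|<>`$(){}*?[]~!\\\n")


def naive_filter(cmdline: str) -> bool:
    """Blocklist on the raw string: True means the input is let through."""
    return not any(word in cmdline for word in BLOCKED)


def what_the_shell_runs(cmdline: str) -> list[str]:
    """Words after POSIX quote removal, i.e. what `sh -c` would execute."""
    return shlex.split(cmdline)


def hardened_argv(cmdline: str) -> list[str] | None:
    """Return an argv that is safe to run without a shell, or None to reject."""
    if SHELL_META & set(cmdline):
        return None                      # no chaining, substitution or globbing
    try:
        argv = shlex.split(cmdline)      # normalise quoting BEFORE matching
    except ValueError:                   # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    if len(argv) - 1 > ALLOWED[argv[0]]:
        return None
    return argv                          # pass to subprocess.run(argv, shell=False)


# Constructed inputs; the second is the quoting trick from the write-up.
SAMPLES = ['cat notes.txt', '"c"at notes.txt', 'ls -la', 'ls; id']

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:20} naive={naive_filter(s)} "
              f"shell={what_the_shell_runs(s)} hardened={hardened_argv(s)}")
```

The naive filter lets the quoted form through even though the shell resolves it to cat, while the allowlist rejects it because matching happens on the normalised program name and nothing is handed to a shell.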


Privilege Escalation

The last flag is probably somewhere within the /root directory, so let’s check how we can escalate our privileges. This one is really easy: it turns out that the current user can run any command with sudo without a password.


For example, we can run sudo ls /root to check all the files in the root directory and find the third ingredient there.