Mar 15, 2021

3 min read

TryHackMe: Pickle Rick CTF Walkthrough

Pickle Rick

#Enum/Recon

Command used: nmap -A <machine IP>

From the nmap scan result we came to know that two ports are open and they are, 22/tcp ssh and 80/tcp http. Let’s check out port 80 on the browser.

Well, seems like Rick is in danger!! In the webpage, I couldn’t find any clue but when I viewed the page source, I got the username: R1ckRul3s

Since we got the username, let’s start looking for password using brute force techniques. First, I did the directory brute forcing with my favorite tool dirb and got /robots.txt with status: 200

command used: dirb http://<target-ip>

When I checked in my browser, I think I got the password!!

password:Wubbalubbadubdub

With the collected login credentials, I tried to connect to the server via SSH and the permission was denied.

Well at this point I felt pretty stupid as rick said and then realized that enumeration is the key. So, I looked around in /assets in my browser and this is what I got…A big nothing except gifs and images and nothing interesting.

Now I tried with Nikto tool to get even more results and observed that there is /login.php.

command used: nikto -h <machine IP>

I just tried it and bingo! I got the login page.

username: R1ckRul3s

password: Wubbalubbadubdub

#Exploit:

Now, we should execute some linux commands get the ingredients flags.

command used: ls -la

We got the .txt file. If we use cat command, we won’t get the flag because the command is disabled.

So, I used less command instead of cat and got the first flag.

command used: less Sup3rS3cretPickl3Ingred.txt

mr. meeseek hair

For the second flag the command used: less /home/rick/’second ingredients’

1 jerry tear

Now it’s time for 3rd and the last flag. To get this, I just checked the user permission by typing sudo -l and we can see that there is no restrictions and the existing user can run commands as sudo.