Pickle Rick Walkthrough TryHackMe

Room link : https://tryhackme.com/room/picklerick

Pickle Rick

As always, we need to enumerate the services running on the machine. Let’s start with an nmap scan of the machine.

nmap IP -sV -T4

IP : IP address of the machine
-sV : Enable service detection
-T4 : Make the scan faster

Now we know there are 2 open ports: 22 and 80.

22 runs SSH
80 runs HTTP

Let’s visit port 80. (Webserver)

Website

Checking the page source, we find an interesting username.

Page Source

Let’s use dirsearch to find all the subdirectories.

sudo dirsearch -u http://IP -x 404,403 -t 200

-u : URL to brute-force
-x : Hide specific status codes
-t : Specify the number of threads

Let’s visit /robots.txt

We find some weird text. Maybe this is a password?
Let’s try that in the /login.php page.

login.php

We can successfully login using those credentials.

After logging in we can see this page

Command Panel

Let’s try to use the ls -la command to list all the files.

Files

We can see a lot of files. Now we can try to get a reverse shell on the machine using a Python reverse shell.

Firstly let’s check if the machine has python or python3. We can check that by using which python or which python3

which python3

We can see that it has python3 installed. So let’s use a python3 reverse shell.

On the attacker’s machine, let’s set up a netcat listener using: nc -lvnp 1337
You can specify any port; I like to use port 1337.

You can find the reverse shell code here → https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

PayloadsAllTheThings

Click on Python

revshell code

(Remember to change python in the beginning to python3 as the machine has python3 installed.)
Copy that reverse shell code and use any text editor to change the IP address to your tun0 IP (ifconfig tun0) and the port to the one your netcat listener is waiting on for the reverse connection. (We specified 1337)

So the code would look like this for me (I have changed python to python3, port to 1337 and IP to the IP address of my tun0 interface)

Let’s paste this in the command execution panel.

Make sure to set up the listener nc -lvnp 1337

Rev shell success

Now let’s look at the contents of Sup3rS3cretPickl3Ingred.txt.

This gives us the answer for the first question : What is the first ingredient Rick needs?

Let’s look at the clue.txt file.

I first went to the /home directory, where we found 2 users: rick and ubuntu.

Browsing in rick’s directory we find the second ingredient.

second ingredients

The contents of the file answer the second question : Whats the second ingredient Rick needs?

Remember to use "" because the name of the file is 2 words. Otherwise you will get an error like this.

cat error

cat "second ingredients"

Now for the final task.
I got a hint that the final answer is hidden in the /root directory.

We get a permission denied error, so let’s escalate to the root user.

The most common way is to check the sudo rights of the user using the sudo -l command.

sudo -l

We can run any command with sudo to get root user access.
Let’s run sudo su. This will give us the root shell.

sudo su
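
Seen from the defender's side, this step works because a sudoers rule lets the account run every command without a password. The script below is an added example, not part of the original walkthrough: it reads sudoers-format lines and flags rules that pair NOPASSWD with ALL. The sample rules and account names (www-data, deploy, backup) are constructed for illustration and are not taken from the room.

```shell
#!/bin/sh
# Added example: flag sudoers rules that grant every command without a password.

# Constructed sample input; the account names are assumptions, not from the room.
sample_sudoers() {
    cat <<'EOF'
# constructed sudoers sample
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
backup   ALL=(ALL) NOPASSWD: /usr/bin/rsync, ALL
EOF
}

# Reads sudoers-format lines on stdin and prints "principal<TAB>rule" for each
# rule that combines NOPASSWD with the catch-all command ALL.
find_unrestricted_sudo() {
    awk '
        # Lines starting with # are treated as comments (this also skips
        # #include directives); Defaults and *_Alias lines are not rules.
        /^[ \t]*(#|$)/ { next }
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
        {
            # Rule shape: principal host = (runas) TAG: cmd, cmd
            eq = index($0, "=")
            if (eq == 0) next
            spec = substr($0, eq + 1)
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)   # drop "(runas)"
            nopass = (spec ~ /NOPASSWD[ \t]*:/)
            gsub(/[A-Z_]+[ \t]*:/, "", spec)          # drop tags such as NOPASSWD:
            n = split(spec, cmds, ",")
            all = 0
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c == "ALL") all = 1
            }
            if (nopass && all) printf "%s\t%s\n", $1, $0
        }
    '
}

sample_sudoers | find_unrestricted_sudo
```

This is a coarse filter: it does not expand aliases or track which command a tag applies to, so review each hit by hand.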

Let’s browse the /root directory and get the answer to task 3 : Whats the final ingredient Rick needs?

3rd.txt

Well done! We have solved the room!!

Hope you enjoyed the writeup!