Sitemap
Open in app

Sign in

Medium Logo
Write
Search

Sign in

Pickle Rick! — TryHackMe writeup

4 min readDec 22, 2024

TryHackMe Room : https://tryhackme.com/r/room/picklerick

Press enter or click to view image in full size

Room Objectives

A Rick and Morty CTF. Help turn Rick back into a human!

Let Start!!

In order to assess the security posture of the network, the first step is to scan the ports using the nmap tool.

Press enter or click to view image in full size

The results show that ports 22 and 80 are open.

Next, try accessing the website from the target IP address.

nmap -A -sC -sV [ip]
Press enter or click to view image in full size

The message instructs us to find the three ingredients needed to create a special potion!!!.

I tried right-clicking and selecting ‘View Page Source’ to look for clues, and I found something — a Username!

Press enter or click to view image in full size

But I didn’t find the password, so I tried using a command dirsearch -u 10.10.85.44 -t 15 -e php,html,txt to scan for interesting paths.

dirsearch -u [ip] -t 15 -e php,html,txt
Press enter or click to view image in full size

When I tried opening the path I found, wow, I discovered a code!

Press enter or click to view image in full size

Let’s try logging in with that password.

Press enter or click to view image in full size

Great, it worked! I found an input field where I can enter some commands.

Press enter or click to view image in full size

“I tried entering the command ls to see what’s inside.

Press enter or click to view image in full size

I found a .txt file, so I opened it and discovered the first ingredient!

Next, I tried to find the second ingredient by opening other tabs, but didn’t find anything.

Press enter or click to view image in full size

So, I went back and tried using the sudo command, and I found that no password was required to elevate privileges.

Press enter or click to view image in full size

Commands can be used, so I’ll try setting up a reverse shell to make it easier to find clues.

I tried establishing a connection using port 4444.

sudo nc -lvnp 4444

And used a Reverse Shell Generator with Python 3.

Press enter or click to view image in full size

Execute the command obtained for processing.

Press enter or click to view image in full size

Connection successful. I checked the permissions using the whoami command and found that the user is www-data.

Use the command cd /home/rick to change the directory to the “rick” folder, then list all files in that folder with the command ls. Finally, use the command cat second ingredients to display the content of the file named "second ingredients".

I found the second ingredient! Let’s find the final ingredient!

To open a new shell with administrative privileges, use the command sudo bash -i. Then, change to the /root directory with the command cd /root. List all files in that directory using ls. Finally, display the content of the file named 3rd.txt with the command cat 3rd.txt

sudo bash -i

Finally, we have found all three ingredients. Rick will be a person again.

Press enter or click to view image in full size

--

--

GrimTheRipper
GrimTheRipper

Written by GrimTheRipper

32 followers
7 following

You get the best out of others when you give the best of yourself

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech