Kipkirui Victor
Mar 31, 2021 · 6 min read


TryHackMe Walkthrough on Pickle Rick CTF

My dream career has always been in cyber security: anything to do with tech, playing around with a keyboard, googling things, exploring new stuff. I am a beginner in cyber security, but I have gained a lot in a short time, so I am going to take you through the Pickle Rick CTF room on TryHackMe, an online learning platform that has helped me a lot with hands-on work and given me useful, valuable skills to apply in the real world. This is my first walkthrough and honestly I am so nervous about it, but I am sure I will make it; what motivates me to do my best work is knowing that this article is going to help someone somewhere who is also learning new cyber security skills.

And without wasting much time, let's dive right in:

This challenge is beginner friendly. All you have to do is sit back and make sure you have everything set up: by that I mean you are connected to their network, you have started the machine and waited a few seconds for its IP address. To check that you are good to start, I always ping the target machine to confirm it is alive with the command ping <ip address>; if that works, we move on to our first step, enumeration.

This Rick and Morty themed challenge requires you to exploit a web server to find the 3 ingredients that will help Rick make the potion to transform himself back into a human from a pickle. So let's start by running nmap -sC -sV -oA nmap/picklerick <ip address> -v and waiting for the results.

-sC performs a script scan using the default set of scripts, -sV does version detection, -oA writes the output in all three nmap formats (normal, grepable and XML) under the nmap/ folder with the base name picklerick, and -v increases the verbosity level. Below is a screenshot:
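Since -oA also leaves a grepable file (nmap/picklerick.gnmap) behind, here is an added example of reading it back programmatically, so the open ports can be pulled into notes or a script instead of being copied off a screenshot. This is my own example, not part of the original walkthrough; the host, versions and counts in the sample are constructed.

```python
# Constructed sample of nmap's grepable (.gnmap) output, the file that
# "-oA nmap/picklerick" writes as nmap/picklerick.gnmap. The address,
# version strings and ignored-state count are made up for this example.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sC -sV -oA nmap/picklerick -v 10.10.0.5
Host: 10.10.0.5 ()\tStatus: Up
Host: 10.10.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.18/, 443/closed/tcp//https///\tIgnored State: closed (997)
# Nmap done -- 1 IP address (1 host up) scanned
"""


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]}.

    Each entry of the tab-separated "Ports:" field has seven slash-separated
    parts: port/state/protocol/owner/service/rpc-info/version. The version
    is split off with maxsplit so a slash inside it does not break parsing.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue  # comment lines and "Status: Up" lines carry no ports
        host = line.split()[1]
        ports_field = line.split("\tPorts:")[1].split("\t")[0]
        entries = []
        for item in ports_field.split(","):
            parts = item.strip().split("/", 6)
            if len(parts) < 7:
                continue  # malformed entry; skip rather than guess
            port, state, proto, _owner, service, _rpc, version = parts
            entries.append((int(port), proto, state, service, version.rstrip("/")))
        results.setdefault(host, []).extend(entries)
    return results


def open_ports(text):
    """Only the ports nmap reported as open, as (port, service) pairs per host."""
    return {
        host: [(port, service) for port, _proto, state, service, _ver in ports if state == "open"]
        for host, ports in parse_gnmap(text).items()
    }


if __name__ == "__main__":
    for host, ports in open_ports(SAMPLE_GNMAP).items():
        print(host, ports)
```

On a real file, replace SAMPLE_GNMAP with open("nmap/picklerick.gnmap").read(); the same parser works because the layout is what nmap writes.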

Figure 1.0

We find that only 2 ports are open: port 22 for SSH and port 80 for a web server, as shown below

Figure 1.1

That is a good start. We move on to check the site running on port 80: type the IP address into your preferred browser and boom, this is the website:

Figure 1.2
Figure 1.3

Checking the source code we found something interesting, a username, R1ckRul3s. That was easy, but we don't know yet exactly where to use it, so just note it down; it might be useful later. Next we run gobuster to look for hidden directories,

Figure 1.4

The only directories we can access are those with status code 200. We start by checking the robots.txt file, and there is something interesting there too; we don't know yet what it is, but note it down somewhere, it might be useful later,

Figure 1.5

We are on the right track. Let's proceed to the next file: index.html is the home page, then we have login.php

Figure 1.6

Remember the username we found earlier? We could try brute-forcing this login page with hydra or zaproxy, but before we dive into that let us just try logging in with that username, R1ckRul3s, and what we got in the robots.txt file, Wubbalubbadubdub, as the password. Luckily, we are in:

Figure 1.7

Wow, this is so interesting, and that was so simple. We find that the other navigation links aren't helpful except #commands, so now we can play around with the command panel and try a whole bunch of terminal commands, starting with ls, which lists the files in the current directory on the target machine. There is something that looks like our first ingredient; check out the first file:

Figure 1.8

Now we have to find a way to read it, but I realised that the cat command isn't working, so I tried a bunch of other commands and luckily the less command worked for me and I was able to read the file, and that was it
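The fact that cat is blocked but less is not tells you how the panel is filtering: a denylist of command names in front of a shell. As an added example (my own code, not the box's PHP, which the walkthrough does not show), the snippet below puts that weak pattern next to a hardened one, where the client only picks a named action and the argv is fixed and run without a shell. The DENIED_COMMANDS set and the "list" action are hypothetical.

```python
import subprocess
import tempfile
from pathlib import Path

# Hypothetical denylist in the style of a naive "command panel": block the
# command name "cat" and hand anything else to a shell. Constructed for this
# example; the real filter on the box is not shown in the walkthrough.
DENIED_COMMANDS = {"cat"}


def denylist_allows(cmd):
    """Weak filter: reject only when the first word is on the denylist.
    Any other file reader (less, head, tail, ...) passes straight through."""
    words = cmd.split()
    return bool(words) and words[0] not in DENIED_COMMANDS


def run_denylisted(cmd):
    """Vulnerable pattern: the user's string reaches a shell unchanged and the
    denylist is the only guard."""
    if not denylist_allows(cmd):
        return "command blocked"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Hardened pattern: the client chooses an action name, never a command line.
ALLOWED_ACTIONS = {"list": ["ls", "-1", "--"]}  # action -> fixed argv prefix


def run_allowlisted(action, target, base_dir):
    """Only pre-defined actions run, argv is passed without a shell, and the one
    user-controlled value is a path that must resolve inside base_dir."""
    argv = ALLOWED_ACTIONS.get(action)
    if argv is None:
        raise ValueError(f"unknown action: {action!r}")
    base = Path(base_dir).resolve()
    path = (base / target).resolve()  # an absolute or ../ target resolves outside
    if path != base and base not in path.parents:
        raise ValueError("path escapes the allowed directory")
    result = subprocess.run(argv + [str(path)], capture_output=True, text=True, check=True)
    return result.stdout


def demo():
    """Create a throwaway directory with one file and exercise both patterns."""
    d = Path(tempfile.mkdtemp())
    (d / "ingredient.txt").write_text("constructed sample file\n")
    listing = run_allowlisted("list", ".", d).split()
    try:
        run_allowlisted("list", "../..", d)
        traversal_blocked = False
    except ValueError:
        traversal_blocked = True
    return {
        "denylist_lets_less_through": denylist_allows("less ingredient.txt"),
        "allowlisted_listing": listing,
        "traversal_blocked": traversal_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The denylist version is the one to recognise in code review: a string plus shell=True (or PHP's shell_exec/system) with a word filter in front is never going to enumerate every reader, pager or shell builtin, which is exactly why less worked here.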

Figure 1.9

Now we need to go for the second ingredient, meaning we need to get ourselves onto the machine so we can navigate and work around it easily; therefore we need a reverse shell back to our machine. So let's check whether we have nc on the target machine by running nc --version. Unfortunately we don't have nc. The first option that came to my mind was checking out the pentestmonkey reverse shell cheat sheet, but before that I had to check whether Python is installed by executing a hello world message, python -c "print('hello world')". It didn't work, so I tried python3, python3 -c "print('hello world')", and voila, it did work. So let us set up an nc listener on our machine and execute a Python reverse shell script in the command panel; make sure to change the IP address to yours and use a port of your choice that is not in use by other processes. And voila!! We got the shell,
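Everything in that step (probing for nc, probing for python3, then running an interpreter with inline code) happens as the web server's user, which is what a defender would key on. As an added example, not part of the original walkthrough, here is a small detector over constructed process-creation events in a simplified newline-delimited JSON shape (an auditd or EDR exporter would be the real source); the event format, field names and rule names are my own assumptions.

```python
import json
from pathlib import PurePosixPath

# Constructed process-creation events, one JSON object per line. They are
# made up for this example and are not logs from the TryHackMe box.
SAMPLE_EVENTS = """\
{"ts": "2021-03-31T10:01:02Z", "user": "www-data", "parent": "apache2", "exe": "/bin/ls", "argv": ["ls"]}
{"ts": "2021-03-31T10:01:30Z", "user": "www-data", "parent": "apache2", "exe": "/bin/sh", "argv": ["sh", "-c", "nc --version"]}
{"ts": "2021-03-31T10:02:10Z", "user": "www-data", "parent": "sh", "exe": "/usr/bin/python3", "argv": ["python3", "-c", "import socket"]}
{"ts": "2021-03-31T10:05:00Z", "user": "ubuntu", "parent": "bash", "exe": "/usr/bin/python3", "argv": ["python3", "app.py"]}
{"ts": "2021-03-31T10:06:00Z", "user": "www-data", "parent": "sh", "exe": "/usr/bin/sudo", "argv": ["sudo", "bash"]}
"""

WEB_USERS = {"www-data"}
SHELLS = {"sh", "bash", "dash"}
SCRIPT_INTERPRETERS = {"python", "python2", "python3", "perl", "php", "ruby"}
INLINE_CODE_FLAGS = {"-c", "-e", "-r"}  # "run this string" switches


def classify(event):
    """Return the name of the rule an event trips, or None.

    All three rules are scoped to the web server's account: that account has
    no business spawning shells, running inline interpreter code, or calling
    sudo, so each of those is a high-signal event on a web host.
    """
    if event["user"] not in WEB_USERS:
        return None
    exe = PurePosixPath(event["exe"]).name
    if exe in SHELLS:
        return "web-user-spawned-shell"
    if exe in SCRIPT_INTERPRETERS and INLINE_CODE_FLAGS & set(event["argv"][1:]):
        return "web-user-inline-script"
    if exe == "sudo":
        return "web-user-sudo"
    return None


def detect(lines):
    """Run classify() over newline-delimited JSON events and keep the hits."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rule = classify(event)
        if rule:
            hits.append({"ts": event["ts"], "rule": rule, "argv": " ".join(event["argv"])})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["ts"], hit["rule"], "|", hit["argv"])
```

Note that the hello-world probe from the walkthrough, python3 -c "print('hello world')", already trips the inline-script rule: you do not need to see the reverse shell payload itself to catch the step before it.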

Figure 2.0

Running the pwd command we find that we are in the web server's root directory. Going back to the home directory we find two folders, rick and ubuntu; navigating to the rick folder we find another ingredient, the second one in this case, and using the cat command to read the file we get 1 jerry tear. Two down, one to go; the remaining ingredient needs us to root the box to find it, so let's dive in. As usual I normally start by checking which commands the user can run with sudo without a password, and we find that the user www-data can run all commands with sudo and no password. This last part is so interesting; I used the sudo -l command to check that, then I ran sudo bash and hurray, I am root, as checked with the whoami command,

Figure 2.1

By listing the files in the root directory we find 3rd.txt, and using the cat command to read it we find the third and last ingredient. Guys, that was amazing. Another way to gain root on the box is by running the command sudo -i; boom, we are in
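The whole privilege escalation rests on one sudoers line: the web server's account allowed to run ALL with NOPASSWD. As an added example, not part of the original walkthrough, here is a small audit over a constructed sudoers fragment that flags exactly that class of grant and shows what a narrower grant looks like; the fragment, the SERVICE_ACCOUNTS set and the regex are my own assumptions, not the box's actual /etc/sudoers.

```python
import re

# Constructed sudoers fragment. The www-data line mirrors what "sudo -l"
# reported on the box (everything, no password); the other lines are made up.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed for this example)
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
%sudo    ALL=(ALL:ALL) ALL
"""

# The same fragment with the web account limited to one fixed command.
# A narrow grant still needs per-binary review, but it is no longer "ALL".
HARDENED_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/sbin/apachectl graceful
%sudo    ALL=(ALL:ALL) ALL
"""

SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody", "backup"}

# user/group  hosts=(runas) [TAG: ...] commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse user-specification lines into dicts; Defaults and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # aliases and other directives are out of scope here
        tags = {t.rstrip(":") for t in m["tags"].split()}
        rules.append({
            "who": m["who"],
            "runas": m["runas"],
            "nopasswd": "NOPASSWD" in tags,
            "cmds": [c.strip() for c in m["cmds"].split(",")],
        })
    return rules


def audit(rules):
    """Return (who, reasons) for every rule that hands out unrestricted sudo."""
    findings = []
    for r in rules:
        reasons = []
        if r["cmds"] == ["ALL"] and r["nopasswd"]:
            reasons.append("NOPASSWD on ALL commands")
        if r["who"].lstrip("%") in SERVICE_ACCOUNTS and r["cmds"] == ["ALL"]:
            reasons.append("service account granted ALL")
        if reasons:
            findings.append((r["who"], reasons))
    return findings


if __name__ == "__main__":
    print("before:", audit(parse_sudoers(SAMPLE_SUDOERS)))
    print("after: ", audit(parse_sudoers(HARDENED_SUDOERS)))
```

The first check is the one that turns a web shell into root in one command; the second catches the same grant even when a password is required, since a service account should not hold blanket sudo at all.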

I love this box, and with that we have come to the end of our journey. Rick will be so happy now that you have helped him find all the ingredients he wanted; he can now transform himself back from a pickle into a human again, hahahaa

Thanks guys, leave a comment below in case I missed something out; I will really appreciate it
