June 22, 2026
TryHackMe write-up: Pickle Rick
Exploiting a vulnerable web server to recover Rick’s three secret potion ingredients.
Viktor Chalyi
3 min read
Disclaimer
The content of this article is for educational purposes only. Do not use the techniques described here on any system without the explicit consent of the owner.
Objective
This Rick and Morty-themed challenge requires you to exploit a web server and find three ingredients to help Rick make his potion and transform himself back into a human from a pickle.
Recon
The first step is to gather as much information as possible about the target. Browsing to the target reveals a simple web page:
Inspecting the page source provides useful information, including a username that may be helpful later.
Checking the robots.txt file reveals an interesting entry that could contain sensitive information:
Next, let's perform directory enumeration with Gobuster:
gobuster dir -u http://10.64.187.33 -w /usr/share/wordlists/dirb/common.txt
Initially, the results are not particularly useful:
One important thing to remember is that Gobuster searches for the exact paths listed in the wordlist. Many web servers don't expose directories directly and instead use files such as:
- /login.php
- /admin.php
- /portal.php
Gobuster will not test these files unless extensions are explicitly specified with -x. Running the scan again with common extensions produces much better results:
gobuster dir -u 10.64.187.33 -w /usr/share/wordlists/dirb/common.txt -x php,txt,html
The scan discovers several interesting files:
- login.php
- portal.php
- denied.php
These are much more promising targets:
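To make the extension behaviour explicit, here is a small stand-in for what "gobuster dir ... -x php,txt,html" does under the hood. This is an added example written for this post, not code from the original write-up or from Gobuster itself. It assumes a wordlist of bare names on stdin and curl on PATH for live probing; nothing contacts a host unless you call dirbust yourself.

```shell
#!/bin/sh
# Added example: minimal directory brute-forcer that shows how the -x
# extension list multiplies the requests derived from each wordlist entry.

# Turn each wordlist entry into the set of candidate paths to request.
# Usage: expand_wordlist "php,txt,html" < wordlist
# Each bare word is emitted once (the directory check), then once per
# extension: admin, admin.php, admin.txt, admin.html
expand_wordlist() {
    exts="$1"
    while IFS= read -r word; do
        # skip blank lines and comments found in dirb-style wordlists
        case "$word" in ''|'#'*) continue ;; esac
        printf '%s\n' "$word"
        old_ifs=$IFS; IFS=','
        for ext in $exts; do
            [ -n "$ext" ] && printf '%s.%s\n' "$word" "$ext"
        done
        IFS=$old_ifs
    done
}

# How many requests a wordlist will cost with a given extension list,
# so the scan can be sized before it is launched.
# Usage: request_count "php,txt,html" < wordlist
request_count() {
    expand_wordlist "$1" | wc -l | tr -d ' '
}

# Probe one path and print "STATUS /path" for anything that is not a 404.
# curl flags: -s silent, -o discard the body, -w print only the status code.
probe() {
    base="$1"; path="$2"
    code=$(curl -s -o /dev/null -w '%{http_code}' "$base/$path")
    if [ "$code" != "404" ]; then
        printf '%s /%s\n' "$code" "$path"
    fi
    return 0
}

# Full scan (live, hits the target):
#   dirbust http://10.64.187.33 /usr/share/wordlists/dirb/common.txt "php,txt,html"
dirbust() {
    base="$1"; wordlist="$2"; exts="$3"
    expand_wordlist "$exts" < "$wordlist" | while IFS= read -r path; do
        probe "$base" "$path"
    done
}
```

Without an extension list, expand_wordlist emits only the bare words, which is exactly why the first scan missed login.php and portal.php: those names were in the wordlist, but only as "login" and "portal".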
The /assets directory does not contain anything immediately useful:
Attempting an SSH connection confirms that SSH is available, but authentication requires a private key that we do not possess.
We already know a username from the page source, so we can try a few common passwords. Unsurprisingly, guesses such as admin and qwerty fail. During reconnaissance, however, we discovered an interesting entry in robots.txt. Using that value as the password successfully authenticates us.
After logging in, we gain access to a command execution panel that allows us to run commands directly on the server. This effectively gives us a web shell and the ability to explore the filesystem:
Questions & Flags
- What is the first ingredient that Rick needs?
Now that we can execute commands, let's begin enumerating the system. Listing the current directory:
Attempting to read files with cat fails because the command has been disabled:
Fortunately, other utilities are available. Using less, we can read the file contents and obtain the first ingredient:
A file named clue.txt provides guidance on where to look next:
- What is the second ingredient in Rick's potion?
Let's inspect the /home directory. Inside, we discover a file whose name contains spaces:
When working with filenames that contain spaces, wrap the path in quotes. Here is the second ingredient:
- What is the last and final ingredient?
To locate the final ingredient, we can try to gain elevated privileges. Checking our sudo permissions with sudo -l:
The output shows that the current user can execute any command as root without providing a password. This is a straightforward privilege escalation path.
Listing the contents of /root with those sudo rights:
Reading 3rd.txt gives us the last ingredient:
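The three post-exploitation snags above (cat blocked by the panel, a filename containing spaces, and an over-permissive sudo rule) are worth having reusable helpers for. The following is an added example written for this post, not commands from the original write-up; it runs entirely against constructed files in a temporary directory, and the sudo -l text is a constructed sample rather than output captured from the target.

```shell
#!/bin/sh
# Added example: local helpers for the post-exploitation steps in the
# walkthrough. Nothing here touches a remote host.

# 1. Read a file when the web panel blocks `cat`. Neither fallback contains
#    the string "cat", which is what a naive command-word filter matches on.
#    When stdout is not a terminal, less writes the file straight through;
#    sed -n p is the fallback for boxes without less.
read_without_cat() {
    f="$1"
    if command -v less >/dev/null 2>&1; then
        less -F "$f"
    else
        sed -n p "$f"
    fi
}

# 2. Filenames with spaces: the shell splits unquoted words, so the path
#    variable is always quoted. Lists regular files directly under $1 whose
#    names contain a space and prints each one via read_without_cat.
dump_spaced_names() {
    dir="$1"
    find "$dir" -maxdepth 1 -type f -name '* *' | sort | while IFS= read -r path; do
        printf '== %s ==\n' "$path"
        read_without_cat "$path"   # quoted: "second ingredient.txt" stays one argument
    done
}

# 3. Decide from `sudo -l` output (on stdin) whether the account is
#    effectively root: matches "(ALL) NOPASSWD: ALL" and
#    "(ALL : ALL) NOPASSWD: ALL". Exit status 0 means unrestricted.
sudo_is_unrestricted() {
    grep -Eq '\(ALL([[:space:]]*:[[:space:]]*ALL)?\)[[:space:]]+NOPASSWD:[[:space:]]*ALL[[:space:]]*$'
}

# Constructed sudo -l samples (user "webuser" and host "target" are
# placeholders, not values from the challenge).
SUDO_UNRESTRICTED='Matching Defaults entries for webuser on target:
    env_reset, mail_badpass

User webuser may run the following commands on target:
    (ALL) NOPASSWD: ALL'

SUDO_LIMITED='User webuser may run the following commands on target:
    (root) NOPASSWD: /usr/bin/systemctl restart apache2'

# Demo against a throwaway directory; file names and contents are constructed.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed ingredient\n' > "$tmp/second ingredient.txt"
    printf 'look in /home\n' > "$tmp/clue.txt"
    dump_spaced_names "$tmp"
    if printf '%s\n' "$SUDO_UNRESTRICTED" | sudo_is_unrestricted; then
        echo "sudo: unrestricted root (any command, no password)"
    fi
    if ! printf '%s\n' "$SUDO_LIMITED" | sudo_is_unrestricted; then
        echo "sudo: limited to specific commands"
    fi
    rm -rf "$tmp"
}

demo
```

On the target, sudo_is_unrestricted returning true is the signal that the rest of the box is one "sudo ls /root" away; a limited rule would instead call for checking whether the permitted binary can spawn a shell.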
Conclusion
This was a fun beginner-friendly challenge that covered the basics of web application exploitation. The path was straightforward: gather information during reconnaissance, use the discovered credentials to gain access, enumerate the system to find the first two ingredients, and leverage overly permissive sudo rights to retrieve the final one. Along the way, it reinforced the importance of checking robots.txt, performing directory enumeration with file extensions, and reviewing sudo permissions during privilege escalation.
Originally published at https://vchalyi.substack.com.