THM: Pickle Rick Writeup
Pickle Rick is an extremely basic THM room to learn basic enumeration and tools like dirbuster and others. I will be completing this THM room as part of “30 days of TryHackMe” where I will try and complete 30 rooms in 30 days. Kenobi is the room for Day 4. So let’s get it going.
Disclaimer: The tools used in this tutorial are powerful. Please use them on systems you can legally tamper with. These tutorials are for educational purposes only.
Connect to TryHackMe via OpenVPN
You can learn how to do so here.
As always we will begin with basic discovery Nmap scans to scan all open ports and services with a command like:
sudo nmap -sV -sC <MACHINE IP>
The output should look something like this:
We see the basic HTTP and SSH running on usual ports.
We begin checking the machine IP in a browser and looking around. We find a website. It's a basic one with no juicy information so we start by looking at the page source code.
Sure enough, we find the username. Still not enough information to move forward. We found ssh open as well and we found a username, so lets try bruteforcing the SSH password by using hydra as follows:
Both hydra and passwordless SSH failed. Guess the only option is to brute-forcing directories by using DirBuster as follows:
Now we are talking. We head to the login.php page and are greeted with a login page. Guess where we found the username? The page source code! Use that as username and DirBuster also gives us that robots.txt is available. User the password from there to enter the portal. We reach the portal and find a command space and execute button, let's check that out!
We try cat’ing into the files and this is what we get:
The command is disabled. But, if we could access the robots.txt by typing it in, we can do the same with Sup3rS3cretPickl3Ingred.txt. And it work, we have the first flag!
Moving forward, we get to clue.txt in a similar manner:
We accept the advice given and look around further.
We move up the directory ladder, list all the files, and print the working directory with the following command:
cd ../../../; ls -l; pwd
/home is seen, cd into that and list directories using:
cd /home; ls -l;
We see two users, cd into rick, and check the files there. BOOM! Second flag down. I forgot cat was disabled. Finally, tac command gave in and we have flag two.
There was also a root directory which was interesting. But moving there doesn't work. So we just try to sudo -l to check if passwords are required to sudo any command. Looks like we don't need a password, they need better admins here.
We use the following command to check the contents of root directory:
sudo ls root
Sure enough, we find the third and final flag. Use tac command again to print it out:
That's about it, folks! This was an easy one. We will meet again in the next room tomorrow. Good Day!
Those who flee temptation generally leave a forwarding address.
- Lane Olinghouse