THM: Pickle Rick Writeup

Pickle Rick is an extremely basic THM room for learning basic enumeration and tools like DirBuster. I will be completing this THM room as part of “30 days of TryHackMe” where I will try and complete 30 rooms in 30 days. Kenobi is the room for Day 4. So let’s get it going.

Disclaimer: The tools used in this tutorial are powerful. Please use them on systems you can legally tamper with. These tutorials are for educational purposes only.

Connect to TryHackMe via OpenVPN

You can learn how to do so here.

Discovery

As always, we begin with a basic Nmap discovery scan to find open ports and identify the services running on them, with a command like:

sudo nmap -sV -sC <MACHINE IP>

The output should look something like this:

We see HTTP and SSH running on their usual ports.

Enumeration

We begin checking the machine IP in a browser and looking around. We find a website. It's a basic one with no juicy information so we start by looking at the page source code.

good job

Sure enough, we find the username. That is still not enough information to move forward. SSH is open as well and we now have a username, so let's try brute-forcing the SSH password with hydra as follows:

FAIL!

Both hydra and passwordless SSH failed. Guess the only option is to brute-force directories with DirBuster as follows:

busted

Now we are talking. We head to login.php and are greeted with a login page. Guess where we found the username? The page source code! Use that as the username. DirBuster also shows that robots.txt is available; use the password from there to enter the portal. We reach the portal and find a command box and an execute button, so let's check that out!

We try cat’ing into the files and this is what we get:

Damn it!

The command is disabled. But if we could access robots.txt by typing it in, we can do the same with Sup3rS3cretPickl3Ingred.txt. And it works, we have the first flag!

Sup3rS3cretPickl3Ingred.txt

Moving forward, we get to clue.txt in a similar manner:

a good one

We accept the advice given and look around further.

We move up the directory ladder, list all the files, and print the working directory with the following command:

cd ../../../; ls -l; pwd

so weird

We see /home, so we cd into it and list its contents using:

cd /home; ls -l;

still weird

We see two users, cd into rick, and check the files there. BOOM! Second flag down. I forgot cat was disabled. Finally, the tac command gave in and we have flag two.

Flag 2
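The panel refuses cat but happily runs tac and chained commands, which is what a command denylist looks like from the outside. As an added example (not code from the room or from this post), the Python below compares an assumed substring denylist with a hypothetical allowlist for such a panel; DENYLIST, ALLOWED and the sample strings are constructed for illustration.

```python
import subprocess

# Constructed denylist: the writeup only tells us that `cat` is refused.
DENYLIST = ("cat",)

# Hypothetical allowlist for a diagnostics panel: program -> arguments it may take.
ALLOWED = {"uptime": 0, "whoami": 0, "df": 0}
SHELL_META = set(";|&$`<>(){}[]\\\n*?~!\"'")


def denylist_permits(command: str) -> bool:
    """Substring denylist (assumed design): refuse only if a banned word appears."""
    return not any(bad in command for bad in DENYLIST)


def allowlist_parse(command: str):
    """Return an argv list that is safe to run without a shell, or None."""
    if any(ch in SHELL_META for ch in command):
        return None                      # no chaining, globbing or substitution
    argv = command.split()
    if not argv or argv[0] not in ALLOWED:
        return None                      # unknown program: default deny
    if len(argv) - 1 > ALLOWED[argv[0]]:
        return None                      # more arguments than this entry permits
    return argv


def run_allowed(command: str) -> str:
    """Execute an allowlisted command with shell=False and a timeout."""
    argv = allowlist_parse(command)
    if argv is None:
        return "Command rejected."
    done = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return done.stdout


# Constructed inputs, modelled on the commands typed in this writeup.
SAMPLES = [
    "cat Sup3rS3cretPickl3Ingred.txt",
    "tac Sup3rS3cretPickl3Ingred.txt",
    "cd ../../../; ls -l; pwd",
    "cd /home; ls -l;",
    "uptime",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} denylist={denylist_permits(s)!s:5} allowlist={allowlist_parse(s) is not None}")
```

Only the cat line is stopped by the denylist, while the allowlist rejects every command from the walkthrough and accepts just the fixed diagnostics entry.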

There was also a root directory which was interesting. But moving there doesn't work. So we run sudo -l to check whether a password is required to run commands with sudo. Looks like we don't need a password, they need better admins here.

sudo -l worked. what?

We use the following command to check the contents of root directory:

sudo ls root

rooted

Sure enough, we find the third and final flag. Use the tac command again to print it out:

That's about it, folks! This was an easy one. We will meet again in the next room tomorrow. Good Day!

Random Quote:
Those who flee temptation generally leave a forwarding address.
- Lane Olinghouse


Gaurav Sarraf

Security Engineer cum Researcher | Graduate Student @ Syracuse University | Space Enthusiast | bit.ly/gs-LinkedIn | bit.ly/gs-GitHub | thinkrobotics.in