Jasper Alblas
Hi! It’s time for another CTF on TryHackMe. This time we are having a look at Pickle Rick, which is a nice thematic challenge based on Rick and Morty. Let’s go!
Room URL: https://tryhackme.com/room/picklerick
I am making these walkthroughs to keep myself motivated to learn cyber security, and to make sure I retain the knowledge gained from THM's rooms. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.
This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.
Deploy the virtual machine on this task and explore the web application: <target ip>.
You can also access the web app using the following link: https://<target ip>.p.thmlabs.com.
Let’s start finding the first ingredient!
Let’s get going! The first thing we should do is take a thorough look at the target machine. This includes the homepage itself as well as the server it runs on and the ports it exposes.
There is not much to see or do. I spent some time looking around but I did not find anything out of the ordinary so let’s move on straight ahead.
Let’s look at the source code. Here we find a username in a comment, likely forgotten by a developer:
Let’s definitely remember this. But we have nowhere to use it for now.
It is also a good idea to send a simple GET request to the homepage, and intercept it in Burp Suite. This gives the following info:
We can see a PHPSESSID cookie. That is the default name of PHP’s session cookie, which tells us the backend is running PHP.
Wappalyzer is a browser extension (available for Firefox and Chrome) that fingerprints the web server, frameworks, libraries and more from the response headers and page content. It is an alternative to manually inspecting each of these. Running it while visiting the webpage gives us the following info:
Web servers normally listen on port 80 (HTTP) and 443 (HTTPS), but they can run on any port. Other services may be listening as well, so let’s use Nmap to scan the host:
nmap -sS -Pn -T4 -p- <target ip>
Note: This is one of my older writeups. There was no real reason to run a SYN scan (-sS, which also needs root, so prefix it with sudo), and we could have skipped scanning all 65,535 ports. A plain nmap <target ip> scans the 1,000 most common ports, which is enough here.
No surprise here. We know the web server is running on port 80, and SSH is running on port 22.
We can get more info on these two ports with the -A flag, which turns on service/version detection, OS detection, default scripts and traceroute:
sudo nmap -A -Pn -T4 -p22,80 <target ip>
We learn the SSH version running on port 22 and its host keys, as well as more information about the web server on port 80. Let’s move on.
Nikto is a web server scanner, and is quite useful when we are dealing with a web application. You can use the following command:
nikto -h <target ip>
Interesting. It found a login page! This also confirms that we are dealing with PHP. Let’s look at that later, after we have run gobuster.
We also found a robots.txt file. A robots.txt file tells search engine crawlers which URLs the crawler can access on your site. This can often be a source of valuable information in a CTF. In this case the robots.txt exists and contains the following text:
Wubbalubbadubdub
Hmm. This is apparently one of Rick’s iconic catchphrases. Keep it in mind.
Gobuster can be used to brute-force directories and files on a web site using a wordlist. Let’s run a gobuster scan to get a feel for the directory structure of the website:
gobuster dir -u <target ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Gobuster outputs two results: assets and server-status. We don’t have permission to visit server-status, but let’s take a look at the assets folder:
The .js files seem normal, and so do the images.
Let’s run gobuster again, but now with specific file extensions to look for. We know that the server is running PHP, so we can search specifically for .php files, as well as .html and .txt files:
gobuster dir -u <target ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
Now we are talking:
Lots of interesting files and pages.
We found a login.php page:
In addition, we found a portal.php and a denied.php page, which both return a 302 redirect. A redirect on an unauthenticated request usually means the page checks for a logged-in session first, so these are worth revisiting once we have credentials.
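To make clear what the -x flag does and why the 302s stand out, here is a small gobuster-style enumerator. This is an added example, not code from the original post or from gobuster itself: the wordlist and the fake site are constructed, and fake_fetch stands in for real HTTP so the block runs offline. The http_fetch helper (which disables redirect following so a 302 is reported as a 302 rather than as whatever it redirects to) is what you would swap in against a real target.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List

# Constructed mini wordlist standing in for directory-list-2.3-medium.txt.
WORDLIST = ["assets", "login", "portal", "denied", "clue", "server-status"]
EXTENSIONS = ["php", "html", "txt"]


def candidates(words: Iterable[str], exts: Iterable[str]) -> List[str]:
    """Mirror gobuster's -x: try each word as a directory, then word.ext
    for every extension given."""
    paths = []
    for word in words:
        paths.append(f"/{word}")
        for ext in exts:
            paths.append(f"/{word}.{ext}")
    return paths


# Constructed fake site: status code per path. Anything not listed is a 404,
# like a real server. Note robots.txt is missed below because "robots" is
# not in the constructed wordlist, which is why wordlist choice matters.
FAKE_SITE = {
    "/assets": 301,
    "/server-status": 403,
    "/login.php": 200,
    "/portal.php": 302,
    "/denied.php": 302,
    "/clue.txt": 200,
    "/robots.txt": 200,
}


def fake_fetch(path: str) -> int:
    return FAKE_SITE.get(path, 404)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; urllib then raises HTTPError(302)


def http_fetch(base_url: str) -> Callable[[str], int]:
    """Real fetcher for a live target (hypothetical usage, not run here).
    Returns the status code without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(path: str) -> int:
        try:
            with opener.open(base_url + path, timeout=5) as resp:
                return resp.getcode()
        except urllib.error.HTTPError as err:
            return err.code          # 3xx/4xx/5xx arrive here
        except urllib.error.URLError:
            return 0                 # connection failure
    return fetch


def enumerate_paths(words: Iterable[str], exts: Iterable[str],
                    fetch: Callable[[str], int] = fake_fetch,
                    interesting=(200, 301, 302, 403)) -> Dict[str, int]:
    """Request every candidate and keep the ones that are not plain 404s.
    403 and 302 are kept on purpose: they prove the resource exists even
    though we cannot read it (yet)."""
    hits = {}
    for path in candidates(words, exts):
        status = fetch(path)
        if status in interesting:
            hits[path] = status
    return hits


if __name__ == "__main__":
    for path, status in enumerate_paths(WORDLIST, EXTENSIONS).items():
        print(f"{path:<20} (Status: {status})")
    # Against a live box you would instead pass:
    # enumerate_paths(WORDLIST, EXTENSIONS, fetch=http_fetch("http://<target ip>"))
```

Only run the http_fetch variant against machines you are authorised to test, such as the deployed THM VM.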
Let’s try the login page. We have a username, R1ckRul3s, from the HTML comment, and we found the text Wubbalubbadubdub in robots.txt. Might that be the password?
HURRAH!
Logged in, we land on the portal’s command panel, which runs whatever we type on the server. I guess it is time for some command injection!
Look at that! A text file called Sup3rPickl3Ingred.txt. That seems like something worth checking out.
We are not allowed to use the cat command 🙁
So we know that cat is blocked. Luckily, cat is far from the only program that can print a file, so let’s try some others.
Nano? Nope. Less? Yes! tac works as well. We found the first ingredient: mr. meeseek hair.
Answer: mr. meeseek hair
One down, two to go. Let’s continue entering commands.
If we run tac portal.php, we can read the source of portal.php. Remember, this is the page that returned a 302 earlier; now that we are logged in it serves the command panel.
We get to see some interesting code:
This shows us the list of commands that are blocked. It is a deny-list of program names, which is exactly why swapping cat for less or tac got past it.
Notice that sudo is not on the list. We can use sudo -l to list the commands our current user is allowed to run with sudo:
This means that we can run any command as root without a password (the web panel’s filter still rejects the 7 words above, but sudo itself goes through)!
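To show concretely why a word deny-list like the portal’s does not work, here is an added example, written for this walkthrough and not copied from the room’s portal.php: a hypothetical deny-list filter in front of shell=True (the vulnerable pattern), run against a constructed secret file with the payloads used above, and next to it an allow-list check done on parsed argv with no shell at all. The BLACKLIST and ALLOWLIST contents are assumptions.

```python
import shlex
import subprocess
import tempfile
from pathlib import Path

# Hypothetical deny-list of program names (an assumption modelled on the idea
# of the portal's filter, not the room's actual code).
BLACKLIST = {"cat", "head", "more", "tail", "nano", "vim", "vi"}


def naive_is_blocked(command: str) -> bool:
    """Deny-list check: reject if any whitespace-separated word is a
    forbidden program name. This is what the attacker has to get past."""
    return any(word in BLACKLIST for word in command.split())


def naive_run(command: str) -> str:
    """Vulnerable pattern: filter the raw string, then hand it to /bin/sh."""
    if naive_is_blocked(command):
        return "Command disabled"
    # shell=True: quotes and $(...) are evaluated by sh *after* the filter
    # looked at the text, so the filter and the shell disagree on which
    # program actually runs.
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout


def demo() -> dict:
    """Run four payloads through naive_run against a constructed secret."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "Sup3rPickl3Ingred.txt"
        secret.write_text("mr. meeseek hair\n")   # constructed sample content
        payloads = {
            "cat": f"cat {secret}",                   # blocked: 'cat' is a token
            "tac": f"tac {secret}",                   # other binary, same bytes
            "quoted cat": f'c""at {secret}',          # sh strips the quotes
            "substitution": f"$(echo cat) {secret}",  # sh builds 'cat' at runtime
        }
        return {label: naive_run(cmd) for label, cmd in payloads.items()}


# Hardened variant (assumed allow-list): decide on parsed argv, never on text.
ALLOWLIST = {"ls", "id", "whoami"}


def hardened_is_allowed(command: str) -> bool:
    """Allow-list check on argv parsed with shell quoting rules, so c""at is
    seen as cat and $(echo cat) is not a program name at all."""
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes
        return False
    return bool(argv) and argv[0] in ALLOWLIST


def hardened_run(command: str) -> str:
    if not hardened_is_allowed(command):
        raise PermissionError("command not in allow-list")
    argv = shlex.split(command)
    # No shell: argv goes straight to execve, so there is no second parser
    # for an attacker to disagree with the filter about.
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for label, out in demo().items():
        print(f"{label:>13}: {out.strip()}")
```

The real lesson is the gap between the parser the filter uses (split on spaces) and the parser the shell uses; an allow-list plus no shell closes that gap, though a web page that executes arbitrary commands should not exist in the first place.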
Before moving on, remember the clue.txt file we found, which says:
Look around the file system for the other ingredient.
So we should be looking around the file system some more!
Nothing of interest in the root of the file system. Let’s look in the home directories.
Interesting. Let’s look in the rick home directory. There we are:
We found a file called second ingredients. Read it to find the second ingredient (the name contains a space, so quote it or escape the space):
Answer: 1 jerry tear
We only need one ingredient more.
Finally, we can have a look at the root user’s home directory. Only root can read it, so to list the files in that directory we need to prefix ls with sudo:
Yay! We found a 3rd.txt file, which does sound like a third ingredient. Read 3rd.txt with tac or less, again prefixed with sudo:
There we have the third ingredient!
Answer: fleeb juice
That was awesome. Pickle Rick was my first CTF ever done, and I definitely had to stop myself from overthinking 🙂
In the end all it took was some looking around in the source code, robots.txt and clue.txt, and then some command injection.
You are welcome to give my article a clap or two 🙂
I would be so grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link: