Introduction

We ran an Nmap scan to enumerate open ports and found an HTTP service; after further enumeration we extracted a username from the page source code. Directory brute forcing turned up a password in the robots.txt file, which let us log in to the web application. With authenticated access we enumerated the web application for vulnerabilities and found a vulnerable command module that gave us a reverse shell, from which we extracted the ingredients related to the challenge. Linux privilege escalation was accomplished by exploiting sudo permissions to gain a root shell.

This Rick and Morty-themed challenge requires you to exploit a web server and find three ingredients to help Rick make his potion and transform himself back into a human from a pickle.

Initial Enumeration

An Nmap scan reveals two open ports:

  • Port 22 (SSH)
  • Port 80 (HTTP)

The tester navigates to the web page and checks the source code for hints. A username, “rickrul3s,” is found hidden in the source code.

Directory Enumeration

The tester uses directory enumeration to find hidden directories on the web server, discovering /assets/, /robots.txt, and /login.php.

Exploiting the Login Portal

Using the username “rickrul3s” and a guessed password, the tester logs into the login.php portal. Inside the portal, there’s a command execution panel that allows the tester to execute system commands.

Command Execution

The tester tries basic commands like ls to list files in the /var/www/html directory and discovers files named secret, clue.txt, and others. Since the cat command is disabled in the command panel, the tester decides to use a reverse shell, generating one with a Pentest Monkey reverse shell script.

Reverse Shell Access

After setting up a listener and gaining a reverse shell, the tester obtains full command-line access to the target machine.

The tester navigates through the file system:

  • The first ingredient is found in the clue.txt file.
  • The second ingredient is located in the home directory of user rick.
  • The third ingredient requires privilege escalation to the root user.

Privilege Escalation

By running the sudo -l command, the tester discovers that they can run all commands as the root user without a password. The tester switches to the root user and finds the third ingredient in the /root/ directory.
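From the defender's side, the grant that sudo -l exposed here is a sudoers rule giving an account ALL commands with NOPASSWD. The following is an added example, not part of the original walkthrough: a small auditor that flags such rules. The account names and sudoers content are constructed, and it assumes one host specification per rule and does not resolve aliases or include files.

```python
import re

# Constructed sudoers content for illustration (not from the challenge host).
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, \\
         PASSWD: /bin/tar
deploy   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, ALL
"""

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")
RUNAS = re.compile(r"^\(([^)]*)\)\s*")
TAG = re.compile(r"^((?:NO)?(?:PASSWD|EXEC|SETENV))\s*:\s*")
NOT_RULES = ("#", "@include", "Defaults", "User_Alias", "Runas_Alias",
             "Host_Alias", "Cmnd_Alias")

def logical_lines(text):
    """Join backslash-continued lines; drop blanks, comments and non-rule lines."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith(NOT_RULES):
            yield line

def passwordless_all(text):
    """Return (principal, runas) for each rule granting ALL commands with NOPASSWD."""
    findings = []
    for line in logical_lines(text):
        m = RULE.match(line)
        if not m:
            continue
        rest, runas = m.group("rest").strip(), "root"  # sudoers default target is root
        r = RUNAS.match(rest)
        if r:
            runas, rest = r.group(1), rest[r.end():]
        nopasswd = False  # a tag stays in effect for later commands in the list
        for cmd in (c.strip() for c in rest.split(",")):
            while (t := TAG.match(cmd)):
                if t.group(1).endswith("PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                cmd = cmd[t.end():]
            if nopasswd and cmd == "ALL":
                findings.append((m.group("who"), runas))
                break
    return findings

if __name__ == "__main__":
    for who, runas in passwordless_all(SAMPLE_SUDOERS):
        print(f"{who}: may run ALL as ({runas}) without a password")
```

The deploy line shows why tag inheritance matters: NOPASSWD set on the first command still applies to the trailing ALL.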

Conclusion

The tester successfully collects all three ingredients by following a simple methodology of enumeration, exploitation, reverse shell access, and privilege escalation.

Pickle Rick CTF TryHackMe | Challenge Answers

What is the first ingredient that Rick needs?

 

What is the second ingredient in Rick’s potion?

 

What is the last and final ingredient?

 
About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.