In this article, we are going to solve the PickleRick CTF that you can solve at TryHackMe’s website. This Rick and Morty-themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.
Steps to solve the CTF
Step 1: Get Your IP Address
We now have our IP address after pressing the deploy button.
We can see that the aim of this challenge is to identify bugs in a web server.
Step 2: Enumeration and Scanning
Let’s see what we can find with Nmap, Nikto, and dirbuster.
Starting with a search for any available ports on your computer is a reasonable rule of thumb.
sudo nmap -sC -sV -A 10.10.78.128
Using Nmap, we can see that two ports are open: 22 (ssh) and 80 (HTTP).
- Port 22(SSH)– We can see that our SSH port is open in this window. Unless we’ve discovered someone’s passwords, this port isn’t particularly vulnerable. We’re not going to mess with it.
- Port 80(HTTP)– It is here that a web service can be used. Let’s take a look around and see what we can find.
We don’t seem to have anything to smash, just two ports. For ssh, use 22 and for HTTP, use 80. So, first and foremost, normally search the site’s source code to see if anything is hidden there, and then, once we know what we’re working with, we’ll look for some directories.
Next, we’ll talk about Dirbuster for Finding hidden directories. We’ll use Dirbuster to look for some secret directories.
sudo dirb http://10.10.78.128
We have an access directory, an index.html file, and a robots.txt file with dirbuster (both returning a 200 which is good). We also have a server-status that returns a prohibited HTTP code of 403 for whatever reason.
Next, we’ll talk about Nikto.
sudo nikto -h 10.10.216.96
When we run Nikto, we notice that there is a login.php file that is of interest. Let’s switch on to the web app and see if we can find any more hints now that we’ve completed simple enumeration.
Step 3: Let’s go with the first one.
What is the first ingredient Rick needs? In a tab, we will see the following as we go to the IP address.
But for the burping, nothing else stands out. Let’s take a look at the source code and see what we can find.
Step 4: When we look at the source code (right-click on the page and pick display source code), we see a username at the bottom. Let’s see if we can figure out what the password is. Maybe our Dirbuster findings would be useful.
Step 5: When we return to our Dirb data, we find a robots.txt file. When we open this file, we see the following. This is an odd robots.txt file, to say the least. If this is the password; let’s see how it works.
Step 6: We had a login page in our Nikto reports. We get the following when we go to that website and type our username from the index.html page and a password from the robots.txt page.
Step 7: Now, since this page is called the command portal, let’s try entering a command and checking what happens. We will see that certain results are returned if we use the ls -al command. It seems that we’ve already discovered our first ingredient.
Step 8: Visit the Sup3rS3cretPickl3Ingred.txt file
Now we have to visit the Sup3rS3cretPickl3Ingred.txt file in the same way we did in the robots.txt file. Visit http://ipAddress>/Sup3rS3cretPickl3Ingred.txt in the browser, and we now have the content of the text file.
Step 9: Let’s get to the second question.
What’s the second ingredient Rick needs?
Let’s see if we can do a directory traversal to access other aspects of the program now that we know it’s vulnerable to command injection. Returning to the directory listing, we discover a clue.txt format. When we open the document, we see the following:
Step 10: Concentrate on the word “file system”
The word “file system” links with computers. So, let’s use ls /home on the command portal.
This will list everything in our home directory. So here we got a directory called Rick. Let’s keep searching with ls /home/rick, and we may find a file called second ingredients inside the rick’s directory.
Step 11: We open the second ingredient with less command. Because of the spacing, the filename is in quotations. Linux will view the second in second ingredients without the quotations.
Now we’ve got our second ingredient
Step 12: let’s get to the last question
What’s the final ingredient Rick needs?
We just need to find the third and final ingredient now that we know the less command will work for us. Let’s see how we can use ls to navigate to the /root directory. It seems that we are unable to view anything in the /root directory. We should use sudo to escalate our administrator privileges.
We can see that when we are using sudo then no passwords are being asked(This surely is NOT good security!). This could be just what we’re looking for to see what’s in the /root directory. To see what’s in that directory, we’ll just need to use sudo and ls together.
sudo ls /root
Step 13: Getting the final ingredient
We can see that we have the third and final ingredient by using the sudo command in combination with the less command on the 3rd.txt file.
sudo less /root/3rd.txt
Hence we are done finishing the Pickle Rick challenge.