
Pickle Rick Writeup

A writeup for the Pickle Rick room on TryHackMe.com

The URL for the Pickle Rick CTF room is: https://tryhackme.com/room/picklerick

Directory Enumeration

First, I ran a gobuster scan against the target using the directory-list-2.3-medium.txt wordlist.

Gobuster scan

The scan found an accessible /assets directory (status code 301).

Assets directory

Then I used the nikto tool to scan the web server.

Nikto scan

The scan found an admin login page at /login.php. Also, robots.txt does not contain any disallow entries.

Login page

The login page had broken CSS, but the login procedure worked.

Reloading the page a few times fixed the CSS.

Rick login

Login Credentials

Inspecting the source code of the page revealed the username to log in with.

Login Username

I tried to guess the password by entering some common values in the password field, but had no luck there.

Next, I decided to check the robots.txt file. This file contained a single string: a reference to the Rick and Morty show and also the password for the previously found user.

Robots file

These credentials gave access to the Rick Portal.

Rick portal

First Ingredient

At this point, only the Command Panel section could be accessed. This panel accepted shell commands.

Issuing the ls command showed a Sup3rS3cretPickl3Ingred.txt file.

First ingredient

When I tried the cat command in the Command Panel, a "Command disabled" error was shown.

Command disabled

The less command did the trick, though, and the first ingredient was shown.

First flag
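The cat/less behaviour above is what a command denylist looks like from the outside. The following is an added example, not code from the room or from this writeup: a denylist check of that kind next to an allowlist design that never accepts a command line. The denylist entries other than cat, the action names and the notes directory are assumptions.

```python
import subprocess
from pathlib import Path

# Assumed denylist. The writeup only confirms that `cat` was rejected; the
# other entries are constructed for illustration.
DENYLIST = {"cat", "head", "tail", "more"}


def denylist_allows(command):
    """Weak filter: reject a command only if it contains a listed word."""
    return not any(word in DENYLIST for word in command.split())


# Hardened design: the client names an action, the server owns the argv.
# Action names are hypothetical.
ALLOWED_ACTIONS = {"list_notes", "read_note"}


def resolve_action(action, arg, base):
    """Return a fixed argv for an allowlisted action, or raise ValueError."""
    base = Path(base).resolve()
    if action not in ALLOWED_ACTIONS:
        raise ValueError("action not allowed: %r" % action)
    if action == "list_notes":
        return ["ls", "--", str(base)]
    # read_note: the argument must resolve to a path below the notes directory.
    target = (base / arg).resolve()
    if base not in target.parents:
        raise ValueError("path escapes the notes directory")
    return ["cat", "--", str(target)]


def run_action(action, arg, base):
    """Execute the resolved argv without a shell, so metacharacters are inert."""
    argv = resolve_action(action, arg, base)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Any file reader missing from the denylist passes the weak filter.
    print(denylist_allows("cat Sup3rS3cretPickl3Ingred.txt"))   # False
    print(denylist_allows("less Sup3rS3cretPickl3Ingred.txt"))  # True
    print(resolve_action("read_note", "todo.txt", "/srv/notes"))
```

Even with an allowlist, the web process should run as an account without the passwordless sudo rights found later in this writeup.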

There was also a clue.txt file that said to look around the file system for the other ingredient.

Ingredient clue

Second Ingredient

Looking in the /home/rick directory, I found the second ingredients file.

Second ingredient

Opening this file with the less command gave the second ingredient.

Second flag

Third Ingredient

Lastly, it was necessary to find the third ingredient for Rick. One interesting directory to look at was the /root directory. One problem: this folder was only accessible by the root user. For that reason, I checked which commands the current user could run as root with sudo -l.

Run permissions

It turned out that the current user could run any command as root without a password!

Root listing

Listing the contents of /root showed a 3rd.txt file.

Viewing 3rd.txt with the less command gave the third ingredient.

Third ingredient

Challenge solved!

Extra

The source code of the Command Panel had a Base64-encoded string which, when decoded several times, gave a two-word phrase, rabbit hole, which I had not used in solving this CTF, but thought it was a fun thing to add.

Rick source