Pickle Rick is quite an easy and beginner-friendly CTF on TryHackMe. Here’s my write-up on how I solved this room.
1. Port Scan
A port scan is the first thing you should try to gain information about the attack surface. I use Nmap for this purpose.
I just did a basic nmap scan using “nmap -A -sV --top-ports 1000 TARGET_IP”
Upon running this scan, I was able to find that ports 22 and 80 were open, i.e. SSH and HTTP.
2. Web Server Check
Since I knew http was open, I visited http://TARGET_IP and found this.
Checking the source code (Right Click -> View Page Source), I found this.
At this point, I had another piece of information, which was the username.
3. Content Discovery
After finding the username, I was looking for some password.txt or some file that has the password stored.
Hence, I ran gobuster for directories and files using the dirbuster-medium wordlist that I use pretty much everywhere for content discovery.
I was able to find juicy information from the scan and I first checked robots.txt as robots.txt usually contains locations that aren’t supposed to be indexed.
Upon visiting http://TARGET_IP/robots.txt I was able to find the below information.
My instinct said this is the password and I quickly visited http://TARGET_IP/login.php to test it out.
And voilà, I got logged in.
Now since there’s something called Command Panel, I wanted to test various commands and see if I can pull off something.
4. Flag 1
First, I ran ls to see which files are listed.
Ran “cat Sup3rS3cretPickl3Ingred.txt”, and I got this.
Tried running head, tail but they didn’t work either. At last, I tried running “less Sup3rS3cretPickl3Ingred.txt” and I got the first flag.
Flag 1 : mr. meeseek hair
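The behaviour above (cat, head and tail refused, less accepted) is consistent with a filter that blocks a list of command names. As an added example, not code from the room or from this write-up, the code below assumes such a denylist and sets it beside an allowlist of fixed actions; the action names `uptime` and `disk` are hypothetical.

```python
import shlex

# Assumed denylist: the three commands the write-up reports as refused.
DENYLIST = {"cat", "head", "tail"}

def denylist_allows(command: str) -> bool:
    """Weak check: refuse only when a listed command name appears."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    return not any(tok in DENYLIST for tok in tokens)

# Hardened form: the panel offers named actions, each mapped to a fixed argv.
# Hypothetical action names; nothing the user types is passed to a shell.
ALLOWED_ACTIONS = {
    "uptime": ["uptime"],
    "disk": ["df", "-h"],
}

def allowlist_resolve(action: str):
    """Return the fixed argv for a known action, or None to reject."""
    argv = ALLOWED_ACTIONS.get(action.strip())
    return list(argv) if argv else None

def compare(inputs):
    """Return (input, denylist verdict, allowlist verdict) rows."""
    rows = []
    for text in inputs:
        deny = "run" if denylist_allows(text) else "refuse"
        allow = "run" if allowlist_resolve(text) else "refuse"
        rows.append((text, deny, allow))
    return rows

# Constructed sample inputs, built from the commands named in the write-up.
SAMPLES = [
    "ls",
    "cat Sup3rS3cretPickl3Ingred.txt",
    "head Sup3rS3cretPickl3Ingred.txt",
    "less Sup3rS3cretPickl3Ingred.txt",
    "uptime",
]

if __name__ == "__main__":
    for text, deny, allow in compare(SAMPLES):
        print(f"{text!r:40} denylist={deny:7} allowlist={allow}")
```

The denylist only knows the names someone thought to list, so any other file reader passes; the allowlist refuses everything that is not one of its fixed actions.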
5. Flag 2
I had quite a lot of information in hand. I had the /assets folder, which I wanted to check, and I had clue.txt, which I wanted to check as well. I first checked clue.txt using the same less command and got this.
Now I knew I had to check the file system. I first ran ls /home, to which I got this below.
Navigating inside rick, I was able to find a directory named “second ingredients”. Navigating inside that folder, there was a file named “/home/rick/second ingredients” without any extension.
So I ran file FILENAME to see what the file type was.
Knowing that it is a text file, I ran “less FILENAME” and got the second flag.
Flag 2 : 1 jerry tear
6. Flag 3
I checked the /assets directory, but couldn’t find anything interesting there.
I tried checking ls /home/ubuntu instead of ls /home/rick but that didn’t result in anything. Moving a step back I checked “ls /”, to which I got this.
There obviously is a root directory and I wanted to check it but “ls /root” didn’t work. So I tried running it with escalated privileges by using “sudo ls /root” to which I got this.
Now running “sudo less /root/3rd.txt”, I got the final flag and solved this challenge.
Flag 3 : fleeb juice
Feel free to contact me at @thebinarybot on Twitter if you feel there are any corrections to be made in this article or for help to solve this room. Cheers :)