Web Hacking 101: Solving the TryHackMe Pickle Rick “Capture The Flag” Challenge

5/5 - (4 votes)

The Pickle Rick CTF (capture the flag) challenge requires basic webhacking techniques including:

  • inspecting the source of a webpage for hidden text left by the developers,
  • running an nmap scan to check for open ports and services, sniffing out hidden webpages with dirbuster through a brute force attack based on a wordlist, and directory traversal to access files outside of the user’s home folder on the target machine.

The theme of the challenge is Rick and Morty, the animated tv show. The silly premise of this box is that we need to find the three hidden ingredients that Rick needs to change himself from a pickle back to a human.

💡 For this challenge, I ended up using the attackbox, a browser-based kali linux instance available through TryHackMe. My openvpn connection was having some issues causing the target machine to disconnect periodically. The attackbox had a solid connection during the challenge.

Here’s my walkthrough video:

Web Hacking 101: Explaining the Pickle Rick "Capture The Flag" Challenge on TryHackMe

Enumeration

First, we load up the IP of the target machine in our browser and discover a website with a picture of Rick and Morty running away in fear.

Checking the source of the webpage, we find a hidden note from the developers that includes the username: R1ckRul3s

Next, we do an nmap scan with the command:

sudo nmap 10.10.149.46 -sC -Pn -O -p- -T4

Flags Explanation:

  • -sC runs default scripts,
  • -Pn skips host discovery,
  • -O enables operating system detection,
  • -p- scans all ports, and
  • -T4 sets the scan speed.

The results of the scan show open ports 22 and 80.

  • 22 is running an SSH service and
  • 80 is hosting the HTML for the website.

We still need to do further enumeration to find more interesting leads.

Next we do some directory sniffing with dirb (directory buster).

This attack uses a brute-force technique to discover more urls by running through a long list of common urls to probe.

sudo dirb http://<Target Machine IP> /root/Tools/wordlists/dirb/big.txt

Dirbuster found several things of note:

  • /assets/ is probably worth checking out
  • /robots.txt may have more useful information

After checking the robots.txt file in our browser, we found the string: Wubbalubbadubdub.

Perhaps this is the missing password that goes with the username we found earlier hidden in the source HTML code.

An attempt to connect with these credentials via SSH on port 22 is denied. Using our results from the nmap scan, we can probe into the site a little more at http://<Target IP>/login.php 

Checking on <TargetIP>/assets shows us an index of files on the target system.

Let’s take note of the line “Apache/2.4.18 (Ubuntu) Server at 10.10.66.103 Port 80” for possible use in looking up exploits.

The portal.jpg is a curious filename. Perhaps there is an url extension to a portal on <targetIP>/portal.jpg. It turns out that there is, and we are redirected to a login/password form.

We’ll use our user:password combination from our enumeration to log in.

Success! We are now presented with a single box form where we can issue commands to the system. 

Exploitation

We can look around the filesystem a bit with “ls -la” to list files and “cd ..” to change directories.

However, this command always resets the pwd after each command is issued.

To work around this limitation we can chain together multiple commands by putting a ; between each sequential command. We attempt to cat out the txt file using:

cat Sup3rS3cretPickl3Ingred.txt

This attempt fails saying that the cat command has been disabled. Let’s try using a “less” command instead to see if it will print the files contents to the screen:

less Sup3rS3cretPickl3Ingred.txt

🔥 Bingo! We found our 1st ingredient.

***First Ingredient***
mr. meeseek hair

Let’s use the same technique to read the clue.txt file:

less clue.txt

The output is: “Look around the file system for the other ingredient.” Perhaps we can do some directory traversal to have a look at some other folders of interest.

Issuing these chains of commands helps us find the location of the 2nd ingredient:

cd /home; ls -la; pwd

Now we can see Rick’s folder.

cd /home/rick; ls -la; pwd

Now we see and can use “less” to read the contents of the file “second ingredients”. 

cd /home/rick; ls -la; less second\ ingredients

The \ is an escape character that shows the filename includes a space between the two words “second ingredients”. 

***Second Ingredient***
1 jerry tear

Privilege Escalation

Let’s continue with our directory traversal by hopping over to the /root directory with the following command:

cd ../../../root/; pwd; ls -la

We now see our target file in the /root folder: 3rd.txt

Issuing the command “sudo -l” we can see that we have root permissions to all commands. So we can use the sudo command to read the 3rd.txt file in the /root folder with “less”.

sudo ls /root
sudo less /root/3rd.txt

***3rd ingredient***
3rd ingredients: fleeb juice

Voilà. Challenge solved! 💪