The Pickle Rick CTF (capture the flag) challenge requires basic web hacking techniques, including:
- inspecting the source of a web page for hidden text left by the developers,
- running an nmap scan to check for open ports and services,
- sniffing out hidden web pages with dirb through a wordlist-based brute-force attack, and
- directory traversal through the site's command box to read files outside the web root on the target machine.
The theme of the challenge is Rick and Morty, the animated TV show. The silly premise of this box is that we need to find the three hidden ingredients that Rick needs to change himself from a pickle back into a human.
💡 For this challenge, I ended up using the AttackBox, a browser-based Kali Linux instance available through TryHackMe. My OpenVPN connection was having some issues, causing the target machine to disconnect periodically. The AttackBox had a solid connection during the challenge.
Here’s my walkthrough video:
First, we load up the IP of the target machine in our browser and discover a website with a picture of Rick and Morty running away in fear.
Checking the source of the webpage, we find a hidden note from the developers that includes the username:
Next, we do an nmap scan with the command:
sudo nmap 10.10.149.46 -sC -Pn -O -p- -T4
- -sC runs the default NSE scripts,
- -Pn skips host discovery and treats the host as up,
- -O enables operating system detection (this needs raw sockets, hence sudo),
- -p- scans all 65535 TCP ports instead of the default top 1000, and
- -T4 sets a faster timing template.
The results of the scan show two open ports: 22 is running an SSH service and 80 is hosting the HTML for the website.
We still need to do further enumeration to find more interesting leads.
Next we do some directory sniffing with dirb, a web content scanner (a different tool from DirBuster, though both work the same way). It brute-forces URLs by requesting every entry in a long wordlist of common paths and reporting the ones the server answers for.
sudo dirb http://<Target Machine IP> /root/Tools/wordlists/dirb/big.txt
dirb found several things of note:
- /assets/ is probably worth checking out
- /robots.txt may have more useful information
After checking the robots.txt file in our browser, we found the string:
Perhaps this is the missing password that goes with the username we found earlier hidden in the source HTML code.
An attempt to connect with these credentials via SSH on port 22 is denied. Using our results from the dirb scan, we can probe into the site a little more: <TargetIP>/assets shows us an index of files on the target system, meaning directory listing is enabled for that folder.
Let's take note of the footer line "Apache/2.4.18 (Ubuntu) Server at 10.10.66.103 Port 80" for possible use in looking up exploits; it gives us the exact web server version and OS.
portal.jpg is a curious filename. Perhaps the image name hints at a matching portal page at the site root, <targetIP>/portal.php (requesting the .jpg itself would only return the image). It turns out that there is, and we are redirected to a login/password form.
We'll use our user:password combination from our enumeration to log in.
Success! We are now presented with a single box form where we can issue commands to the system.
We can look around the filesystem a bit with "ls -la" to list files and "cd .." to change directories.
However, the command box resets the working directory after each command is issued, so a "cd" on its own has no lasting effect.
To work around this limitation we can chain together multiple commands by putting a ; between each sequential command, so the whole sequence runs in one shell. We attempt to cat out the txt file using:
This attempt fails with a message saying that the cat command has been disabled. Let's try a "less" command instead to see if it will print the file's contents to the screen (when its output is not a terminal, less simply copies the file through rather than paging it):
🔥 Bingo! We found our 1st ingredient.
***First Ingredient*** mr. meeseek hair
Let’s use the same technique to read the
The output is: "Look around the file system for the other ingredient." Perhaps we can do some directory traversal to have a look at some other folders of interest.
Issuing these chains of commands helps us find the location of the 2nd ingredient:
cd /home; ls -la; pwd
Now we can see Rick’s folder.
cd /home/rick; ls -la; pwd
Now we see the file "second ingredients" and can use "less" to read its contents:
cd /home/rick; ls -la; less second\ ingredients
The backslash escapes the space so the shell treats "second ingredients" as a single filename instead of two separate arguments.
***Second Ingredient*** 1 jerry tear
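The two tricks above (chaining with ; because the panel resets the working directory, and reading with less because cat is refused) are easy to reproduce locally. The following is an added example, not the challenge's own code: the real panel is a PHP page we never see, so this shell simulation assumes it behaves exactly as observed, running each submission in a fresh shell started from the web root and refusing any submission that contains the substring "cat". The file tree, names and contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not the challenge's own code: a small simulation of the
# portal's command box. ASSUMED behaviour, matching what the walkthrough
# observed: every submission runs in a fresh shell started from the web
# root (so `cd` never sticks), and any submission containing the substring
# "cat" is refused with a "disabled" message.

# Constructed stand-in for the target's filesystem (all names and contents
# are made up for this example).
WEBROOT=$(mktemp -d)
trap 'rm -rf "$WEBROOT"' EXIT
mkdir -p "$WEBROOT/home/rick"
printf 'look around the file system\n' > "$WEBROOT/clue.txt"
printf '1 jerry tear\n' > "$WEBROOT/home/rick/second ingredients"

# panel CMD: emulate one submission to the form. A denied command prints the
# panel's error instead of running. stdout and stderr are both returned on
# stdout so callers can capture the result with $(...).
panel() {
    case "$1" in
        *cat*) printf 'Command disabled.\n'; return 0 ;;   # assumed substring filter
    esac
    ( cd "$WEBROOT" && sh -c "$1" ) 2>&1
}

# read_file PATH: the workaround from the walkthrough. `cat` trips the
# filter, but `less` does not, and when its stdout is not a terminal less
# just copies the file through without paging.
read_file() {
    panel "less '$1'"
}

# 1. A lone `cd` is lost: the next submission starts at the web root again.
panel 'cd home/rick'
panel 'pwd'                      # prints $WEBROOT, not $WEBROOT/home/rick

# 2. Chaining with `;` keeps the whole sequence inside one shell.
panel 'cd home/rick; ls -la; pwd'

# 3. The filter stops cat but not less; the backslash keeps the space in
#    "second ingredients" from splitting the name into two arguments.
panel 'cat clue.txt'                                  # Command disabled.
panel 'less clue.txt'
panel 'cd home/rick; less second\ ingredients'
read_file 'home/rick/second ingredients'
```

The point to take away is that a filter on the word cat is not a control: any other program that reads a file (less here, but equally head, tail, strings or od) hands the attacker the same bytes, and chaining with ; means the "reset to web root" behaviour costs nothing more than a cd at the front of each submission.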
Let's continue with our directory traversal by hopping over to the /root directory with the following command:
cd ../../../root/; pwd; ls -la
We now see our target file in the
Issuing the command "sudo -l", we can see that we are allowed to run any command as root. So we can use sudo to read the 3rd.txt file in the /root folder with:
sudo ls /root
sudo less /root/3rd.txt
***Third Ingredient*** fleeb juice
Voilà. Challenge solved! 💪