Pickle Rick CTF Walkthrough

Published on March 3, 2022 by Maximilien Schmitt-Laurin
Tags: CTF, Pentesting, TryHackMe

This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.

Link to the challenge: https://tryhackme.com/room/picklerick

The first flag

First, let's start by deploying the virtual machine to be attacked. For this challenge, the IP address that was provided to me for the virtual machine is 10.10.120.45.

Once we have the IP address, we can type it into the address bar of a web browser. The browser sends a GET request and the web server answers with the challenge's landing page.


One of the first reflexes we should have is to inspect the page's source code for clues. Indeed, we find the following comment that was accidentally left there: "Note to self, remember username ! Username: R1ckRul3s".


Next, we need more clues. Since there is no hyperlink or button on the page that leads anywhere else, we have to discover other resources on the web server ourselves; otherwise we are stuck with what this single page gives us.

Lucky for us, there is an excellent tool called Gobuster that can help us identify directories and files on the web server. To use it, we need to provide the IP address of the web server and a wordlist (a .txt file with one candidate name per line). The wordlist we will use is the following one:

https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common.txt

Let's open the terminal. To use Gobuster to identify directories and files on the web server, we type a command of the following form:

gobuster dir -u MACHINE_IP -w WORD_LIST

In our case, MACHINE_IP will be the IP address of the web server (10.10.120.45 in my case) and WORD_LIST will be our downloaded common.txt file.


Once Gobuster has finished working its magic, we notice a robots.txt file that piques our interest. We retrieve this resource from the web server and find an interesting string inside.


Cool! Maybe this string is a password. After all, we had previously found a username at the very beginning of the challenge. Why not try to connect via SSH? Let's start by identifying the open ports on the web server with the Nmap port scanner.


We can see that port 22 is open and accepting SSH connections. That's great! We can try to connect to the server via SSH with the username found at the very beginning of the challenge (R1ckRul3s) and the string found in robots.txt (Wubbalubbadubdub) as the password. However, we run into a problem.


Unfortunately, the connection is refused with a permission denied error. We don't give up, though. If you recall, we are attacking a web server, and among the ports listed by Nmap during the port scan, port 80 was open and accepting connections. Why not use a tool like Nikto to scan the web server for vulnerabilities? We can use the following command:

nikto -h http://MACHINE_IP -o scan.txt


Once the command has run and the scan is finished, we can look at the result in scan.txt. There we find this:

- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.20.45
+ Target Port: 80
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ HEAD Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ GET Server may leak inodes via ETags, header found with file /, inode: 426, size: 5818ccf125686, mtime: gzip
+ OPTIONS Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ GET Cookie PHPSESSID created without the httponly flag
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ GET /login.php: Admin login page/section found.
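Nikto's text report is easy to read once, but as a defender you will want to turn the findings into something you can track and fix. The following added example (not part of the original post) parses the report quoted above, embedded here as constructed sample input, and buckets each finding by the remediation it calls for: missing response headers, exposed paths, cookies without HttpOnly, the outdated server banner and the allowed methods.

```python
import re

# Constructed sample: the Nikto findings quoted in the walkthrough above.
NIKTO_REPORT = """\
- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.20.45
+ Target Port: 80
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ HEAD Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ GET Server may leak inodes via ETags, header found with file /, inode: 426, size: 5818ccf125686, mtime: gzip
+ OPTIONS Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ GET Cookie PHPSESSID created without the httponly flag
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ GET /login.php: Admin login page/section found.
"""

# One finding per "+ <METHOD> ..." line, with an optional OSVDB reference in front.
FINDING_RE = re.compile(
    r"^\+ (?:(?P<ref>OSVDB-\d+): )?(?P<method>GET|HEAD|POST|OPTIONS) (?P<text>.+)$")
HEADER_RE = re.compile(
    r"The (?:anti-clickjacking )?(?P<header>X-[A-Za-z-]+) header is not (?:present|defined|set)")


def parse_nikto(report):
    """Return the findings as dicts with keys ref, method, text (ref may be None)."""
    return [m.groupdict() for m in map(FINDING_RE.match, report.splitlines()) if m]


def triage(findings):
    """Bucket findings by the remediation they call for."""
    summary = {"missing_headers": [], "exposed_paths": [], "cookies_without_httponly": [],
               "outdated_server": None, "allowed_methods": []}
    for f in findings:
        text = f["text"]
        if (h := HEADER_RE.search(text)):
            summary["missing_headers"].append(h.group("header"))
        elif (p := re.match(r"(/\S+): ", text)):          # "/login.php: Admin login ..."
            summary["exposed_paths"].append(p.group(1))
        elif "appears to be outdated" in text:
            summary["outdated_server"] = text.split(" appears")[0]
        elif text.startswith("Cookie ") and "httponly" in text:
            summary["cookies_without_httponly"].append(text.split()[1])
        elif text.startswith("Allowed HTTP Methods: "):
            summary["allowed_methods"] = text.split(": ", 1)[1].split(", ")
    return summary
```

The "Target Host" and "Target Port" lines carry no method token, so they are skipped rather than misfiled as findings.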

Great! Our scan has discovered a /login.php page on the web server. Let's open this page.


Now let's try to log in with the username R1ckRul3s and the password Wubbalubbadubdub. Unbelievable! It works! We land on a new web page.


On this web page, we notice an input field that appears to accept commands to be executed on the web server. Why not take the opportunity to list the files and directories that are on the web server? Let's use the following command to do so:

...

In the results shown on the screen, the file Sup3rS3cretPickl3Ingred.txt stands out.


Naturally, our first instinct is to read this file's content with the command 'cat Sup3rS3cretPickl3Ingred.txt'. However, this command does not seem to be allowed.


OK. Let's try another command, such as 'less Sup3rS3cretPickl3Ingred.txt'.
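The panel blocks 'cat' but lets 'less' through, which is the classic failure of a denylist: it filters names, not capability. The following added example (not the room's own code) models that filter on the behaviour observed above and contrasts it with an allowlist check that only admits a fixed set of programs with plain arguments and returns an argv list meant for subprocess.run without a shell; the blocked and allowed program sets are assumptions chosen for illustration.

```python
import re
import shlex

# Constructed stand-in for the panel's filter: it refuses a short list of
# command names and otherwise hands the raw string to a shell. This is an
# assumption modelled on the observed behaviour, not the room's actual code.
BLOCKED_NAMES = {"cat"}


def denylist_allows(cmd):
    """The weak check: reject only if a blocked name appears as a word."""
    return not any(tok in BLOCKED_NAMES for tok in cmd.split())


# Allowlist alternative: a fixed set of programs, arguments limited to plain
# path-like tokens, and an argv list intended for subprocess.run(argv), no shell.
ALLOWED_PROGRAMS = {"ls", "pwd", "id"}
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.\-/]+$")


def allowlist_argv(cmd):
    """Return argv if cmd is an allowed program with plain arguments, else None."""
    try:
        argv = shlex.split(cmd)
    except ValueError:            # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    for arg in argv[1:]:
        if not SAFE_ARG.match(arg) or ".." in arg:
            return None           # shell metacharacters, empty args or traversal
    return argv
```

Even the allowlist is only a stopgap: a web page that executes operator-supplied commands should not exist on a production server at all.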


Great! We just found our first flag!

The second flag

Among the files/directories we listed earlier, there was a file named clue.txt. We can use the command 'less clue.txt' to read this file's content.


Cool! Following this clue, we explore several directories on the web server until we find something of interest. Things get interesting precisely when we reach the /home/ directory.


Let's look in the /home/rick directory. Interesting... We can see a file named 'second ingredients'.


Let's read its content with 'less /home/rick/"second ingredients"' (the quotes are needed because of the space in the file name).


Amazing! Our second flag!

The third flag

In the previous section, you probably noticed /root while exploring the various directories on the web server.


First, let's check the current user's sudo privileges by typing 'sudo -l'.


Wow! There are no restrictions: we can run any command with sudo. Let's list the files and directories in /root with 'sudo ls /root'.


Two files are listed, and 3rd.txt is the one that interests us. We just have to read its content with 'sudo less /root/3rd.txt'.


Here is our last flag!