Today we have another walkthrough from the Try Hack Me site for the Pickle Rick box. This box is a beginner box with a Rick and Morty theme, where you have to find three ingredients to help him transform back into a human from a pickle:-)
Lets start with a nmap scan of the IP address with version and scripts set.
nmap -sC -sV 10.10.118.215
So we have Open SSH running on port 22 and an Apache web server running on port 80.
Lets take a look at the website:
So we have to find three secret ingredients to reverse the pickle potion. There is also a lot of BURRRRP going on, so I am note sure whether this is a reference that we may need to use Burp Suit to intercept some web requests etc.
Checking the page source code we find the following:
We can see the main image that I will download just to see whether there is any Stenography involved, should I feel that I am hitting a dead end with the enumeration. We can also see a comment, giving a username R1ckRul3s. This maybe the SSH server username, so we will keep this for later.
I also like to check whether there is a robots.txt file, which in this case there is:
The file gives us “Wubbalubbadubdub”, not sure what this means at this time but it could be a password.
I will now further enumerate the website using Gobuster to brute force any additional directories and files. Straight away we have some hits.
I will try each of these in turn on the website; however, I first notice the /clue.txt which stands out.
The next is /portal.php which gives us a login page:
Using the username: R1ckRul3s and the password: Wubbalubbadubdub and we are in:
The first menu is Command Panel which allows us to enter Linux commands, the others all state that, “Only the REAL rick can view this page..”
Using the Command Panel I try the ‘ls -al’ command:
We can see “Sup3rS3cretPickl3Ingred.txt” which looks interesting.
In the clue.txt file it advised us to look around the file system, so using the Command Panel, we can have a look around.
Entering ‘cd /home/rick; ls -al’, we see the following:
Hopefully we can ‘cat’ the second ingredients, using the command
cd /home/rick;cat ‘second ingredient’
It looks like this command is disabled, a quick bit of Googling suggests using the command ‘less’ as an alternative to ‘cat’/
cd/home/rick; less ‘second ingredient’
We get our second ingredient.
As we are now on the third ingredient, I assume that it will require root or some type of privesc to get the last flag. To start, let see what sudo privileges we have with the command ‘sudo -l -l’
So user www.data can all commands as root, this should make it really easy and will not require any privesc. Having this information my instinct tells me to look at the /root directory for the last ingredient / flag. To do this we will run the command as sudo as follows:
sudo ls -al /root
so we thought correctly, we can see a file called 3rd.txt, which is probably the final ingredient. We can try the same approach to read the file:
sudo less /root/3rd.txt`
We now have all the ingredients needed to turn Rick back into a human.
A big thank you to the developer of this fun box.
