TryHackMe: Pickle Rick

Welcome to the Jungle

Hey everyone, and welcome to my next write-up. This one is about the CTF-style TryHackMe room Pickle Rick.

Before we get started, I just want to say a little something first. This might be a bit different from the write-ups you may be used to. I've noticed a lot of the write-ups I read just get straight to the point, the answer, and kind of gloss over how they got there. The steps might be there, but we don't really get a peek at the process, the misses, the rabbit holes. For my write-ups of rooms that aren't guided, I want to try and include all of that.

My reasoning? Methodology doesn't just coalesce from the aether. By writing things up this way, I hope to find patterns in my process and, from there, refine my method into something efficient and effective. And I hope seeing me stumble through enumeration and exploitation can help those of you who also don't have the most solid of methods. Let's build that confidence and perfect that process together, yeah?

Anyway, on with the show~

Task 1 - Pickle Rick

‘This Rick and Morty themed challenge requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle.’

That's it, that's all the guidance we get. My first real unguided CTF. Let's dive in.

Question 1: What is the first ingredient Rick needs?

First things first: we want to start with some enumeration. Let's get an nmap scan running with nmap -sC -sS -sV 10.10.230.16 -vv (-sS is a SYN scan, which needs raw sockets, so run it as root or put sudo in front). And while that runs, let's check the source code.

In the source code of the main page, we find some goodies.

There's a note telling us the username 'R1ckRul3s' for some login we haven't found yet.

We also see there's an /assets directory. Navigating there gets us a directory listing.

Hm. Not much here, and downloading the pictures and examining their EXIF data doesn't reveal anything. Let's check in on that nmap scan.

Two open ports here: SSH, and the web server we've been poking at. But trying to SSH in with the username we found ends up being a dead end, since the server never asks for a password and only accepts key-based authentication.

Let's try checking /robots.txt next, since it often points at something the site owner didn't want indexed.

In robots.txt we have a possible password? Let's mark that down for later. But still no login page in sight.

We'll just have to enumerate harder. This time we'll brute-force directories with GoBuster: gobuster dir -u 10.10.230.16 -w /usr/share/wordlists/dirb/big.txt (the path to your wordlists may vary).

The GoBuster results show not much beyond the /assets we already found and a few pages we can't access.

Which is odd, because we still don't have a place to log in.

On a whim, we can try login.php.

Luckily, that got us a login screen, but things aren't always so straightforward. If we use dirbuster, we can get a more thorough listing of directories and .php pages. (GoBuster only tries the file extensions you hand it, so -x php in the earlier scan would have turned up login.php on the first pass.) If you have dirbuster installed on your system, using it is as simple as entering dirbuster in the console and then filling in the blanks in the GUI.

The login.php is there in the dirbuster results, as expected. We also spy a portal.php page, but navigating there directly redirects us to the login page.

Now to log in. As it turns out, R1ckRul3s:Wubbalubbadubdub (the username from the page source and the string from robots.txt) are the credentials we needed after all.

This is the screen we're greeted with after logging in: the portal.php page from before. Entering ls in the command panel field gets us a list of files.

Cool, we have remote access built right in!

For now, though, since this is a new page, let's check the source code here. In the source of portal.php we have an interesting bit of text that looks suspiciously like base64.

It is base64, and it takes eight (!) rounds of decoding to get to the bottom of it.

A rabbit hole we fell right into. Back to that command panel.
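Peeling eight layers by hand gets old fast, so here is an added example (my own shell script for this write-up, not anything from the room) that keeps decoding until the result stops looking like base64 and counts how many layers it went through. The sample text is constructed; it is not the blob from portal.php. It assumes nothing beyond a POSIX shell and the base64 and tr tools from coreutils.

```sh
#!/bin/sh
# Added example, not code from the original write-up: peel nested base64
# layers until the result stops looking like base64, counting the layers.
# The sample text below is constructed; it is not the blob from portal.php.
# Needs only a POSIX shell plus base64 and tr from coreutils.

# True if $1 is non-empty, uses only the base64 alphabet (plus '=' padding)
# and has a length that is a multiple of 4.
is_base64() {
    s=$1
    [ -n "$s" ] || return 1
    [ $(( ${#s} % 4 )) -eq 0 ] || return 1
    [ -z "$(printf '%s' "$s" | tr -d 'A-Za-z0-9+/=')" ]
}

# Decode $1 repeatedly. On return, PLAIN holds the innermost layer and
# DEPTH the number of layers peeled. Each layer is echoed to stderr so you
# can watch the onion being unwrapped. Caveat: a final plaintext made only
# of base64 characters with a length divisible by 4 would be decoded one
# step too far; the stderr trace is there so you can spot that.
peel_base64() {
    PLAIN=$1
    DEPTH=0
    while is_base64 "$PLAIN"; do
        next=$(printf '%s' "$PLAIN" | base64 -d 2>/dev/null) || break
        DEPTH=$((DEPTH + 1))
        PLAIN=$next
        printf 'layer %d: %.60s\n' "$DEPTH" "$PLAIN" >&2
    done
}

# Wrap $1 in $2 layers of base64 (used only to build the constructed sample).
wrap_base64() {
    s=$1
    n=$2
    while [ "$n" -gt 0 ]; do
        s=$(printf '%s' "$s" | base64 | tr -d '\n')
        n=$((n - 1))
    done
    printf '%s' "$s"
}

SAMPLE='constructed sample text, not the real portal.php blob'
BLOB=$(wrap_base64 "$SAMPLE" 8)
peel_base64 "$BLOB"
echo "peeled $DEPTH layers; innermost text: $PLAIN"
```

To use it on a real page, paste the blob into the peel_base64 call in place of the constructed one. The check in is_base64 is deliberately strict about length so that ordinary prose (which has spaces and punctuation) ends the loop instead of being fed to base64 -d and producing garbage.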

We see a Sup3rS3cretPickl3Ingred.txt, but trying to cat it directly gets us a notification that cat is disabled.

This is one spot where I got stuck thinking way too hard. But if we step back and take a breath... The ls shows us the files in the main directory. Of the webpages. That we have been navigating to. index.html, login.php, portal.php, robots.txt... If we could navigate to those in the nav bar, why not the ingredient file?

We try (browsing straight to /Sup3rS3cretPickl3Ingred.txt), and we're rewarded with the first ingredient.

Question 2: What is the second ingredient Rick needs?

Now that we're in the system and have the first ingredient in hand, we should try poking around with ls to get a sense of the environment. Use those ../ to navigate up and come back down~ In /home, we find two users, rick and ubuntu. ls ../../../home/rick shows us the file holding the second ingredient, but how do we read it?

Trying ls ../../../home/rick/"second ingredients" doesn't get us any further (ls lists a file, it doesn't print its contents).

While googling different ways to display a file's contents besides cat in Linux, I stumbled upon tac. It reads files line by line, backwards. cat may be blocked, but tac, it turns out, is not. tac ../../../home/rick/second ingredients gets us the second ingredient. (The filename contains a space, so quote it or escape it as second\ ingredients; otherwise the shell splits it into two arguments and tac complains about a missing file.)
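A cat-is-disabled message that tac walks straight past suggests the panel is matching on command names. As an added example (my own script for this write-up, not the panel's real filter, which the page never shows), here is a small shell function that tries several readers in turn while skipping any command name on a constructed denylist. The BLOCKED list and the sample file are made up for the demo. The builtin read loop at the end is the interesting one: it runs no external program at all, so there is no name for a denylist to catch.

```sh
#!/bin/sh
# Added example, not code from the original write-up. The panel refused
# "cat" by name, so this tries other ways of reading a file, skipping every
# command name listed in the BLOCKED argument. BLOCKED and the sample file
# are constructed for the demo; the real filter in portal.php is not shown
# on the page and is assumed here to match on command names only.

# Reader that uses no external binary at all: a name-based denylist has
# nothing to match on. Prints the file line by line in original order.
read_builtin() {
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line"
    done < "$1"
}

# Try readers in order and print the file with the first one that is
# neither blocked nor missing from the box. Returns 1 if none worked.
read_file_avoiding() {
    blocked=$1
    file=$2
    for cmd in cat tac head tail sed awk builtin; do
        case " $blocked " in *" $cmd "*) continue ;; esac
        if [ "$cmd" != builtin ] && ! command -v "$cmd" >/dev/null 2>&1; then
            continue
        fi
        case $cmd in
            cat)     cat "$file" ;;
            tac)     tac "$file" | tac ;;   # tac reverses lines; twice restores order
            head)    head -n 1000000 "$file" ;;
            tail)    tail -n +1 "$file" ;;
            sed)     sed '' "$file" ;;
            awk)     awk 1 "$file" ;;
            builtin) read_builtin "$file" ;;
        esac && return 0
    done
    return 1
}

# Demo on a constructed file, pretending the panel blocks cat and tac.
DEMO=$(mktemp)
printf 'first line\nsecond line\n' > "$DEMO"
echo "--- blocked: cat tac ---"
read_file_avoiding "cat tac" "$DEMO"
echo "--- everything external blocked, builtin only ---"
read_file_avoiding "cat tac head tail sed awk" "$DEMO"
rm -f "$DEMO"
```

The lesson for the defender side is the mirror image: a denylist of command names is not a sandbox, because the shell itself can read files, and there are always more binaries than the list remembers.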

Question 3: What is the third ingredient Rick needs?

Now for the last ingredient. After the users' home directories, the next place to look is /root. sudo ls -a ../../../root gives us access where a normal ls doesn't, and it does so without prompting for a password. (How did I know to look there? I didn't, I was just poking around and /root seemed like a good idea.) (sudo -l is the quicker check here: it lists what the web server's user is allowed to run through sudo and whether a password is required.) (It's also good to note that if we wanted a local shell to possibly bypass the locked commands, .ssh may contain an id_rsa key which we might be able to use to get into the system that way. But that's not the route I took this time~)

There it is, the last ingredient. But it's in /root, and we're not root. That's okay, though, because all we have to do is prepend sudo to our tac and we have our final ingredient: sudo tac ../../../root/3rd.txt

Rick is saved once again~

We've Got Fun And Games

So. My first unguided CTF. I'll be honest: in the moment, there were times in those hours I spent on this box when I was frustrated. But in the end I got where I needed to go without "cheating" by looking up a write-up. That isn't to say that write-ups are evil and you should never use them, no! But as someone who wants to do this professionally, there aren't going to be write-ups for every system I encounter out there. For vulns and exploits, maybe, but if I can't sit down and pwn a box without someone having already done it before me, I can't expect to make a living out of this, can I?

But I did it, I made it through, and it really drove home that this is something I can do. I'm not just faking it, I'm not just spitting out answers I read moments ago with nothing really sticking.

This room showed me, I can do this.

And you can too.

I want to thank everyone at TryHackMe for all the amazing work they do to keep this platform running to help people like me. (And a special shout out to Bee, I'll get to one of your rooms one of these days~)

Well, that's all for now, see you in the next bit~

#CTF #TryHackMe #RickandMorty #infosec #ethical-hacking