Pickle Rick CTF from tryhackme.com

  1. Let's start off by scanning with nmap:
  • the result shows that ports 80 (HTTP) and 22 (SSH) are open
  • since this is a web server exploitation challenge, we can focus on port 80
  • checking the page source reveals a username, which we can use later.
  • examined each directory:
  • /robots.txt. Hmmm, interesting: it looks like a password.
  • /assets. A bunch of images that can be examined as well.
  • /portal.ph. It redirected me to /login.php. Now I can try the username I saw, R1ckRul3s, and the password could be Wubbalubbadubdub
  • login successful, and now I'm logged in. We can tell it's an RCE exploit.
  • Let us execute a simple list command (ls -lha)
  • then we can cat or less these files. One stands out: Sup3rS3cretPickl3Ingred
  • this is definitely one of the ingredients (flags). 1 point.
  • then I created a script (one that is available online), uploaded it to the target system and made it executable, to establish a reverse shell and look around the system more easily.
  • executed the command and gained access.
  • with my reverse shell I have the ability to look around the system. I found the second ingredient in the /home/rick directory, as shown below.
  • looks like the user www-data has sudo privileges:
  • I've also checked the other user's home directory, /home/ubuntu. Reading the hidden file .bash_history with less revealed the 3rd ingredient. SOLVED!!
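The last steps hinge on the web server's service account holding sudo rights. As an added example (not part of the original writeup or the room), the following Python script parses sudoers-style user specifications and flags grants that would let a service account such as www-data escalate; the sudoers text is a constructed sample, and the account list and severity labels are my own assumptions.

```python
import re

# Constructed sample sudoers content for this example; not the contents of the CTF machine.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
nginx   ALL=(root) /usr/bin/systemctl reload nginx
ubuntu  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
"""

# Assumed list of accounts that run network-facing services and should never hold sudo rights.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "#", "@")
# user  host=(runas) [TAG: ...] command[, command ...]
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG_RE = re.compile(r"^((?:[A-Z_]+:\s*)+)")

def parse_sudoers(text):
    """Return one dict per user specification; Defaults, aliases, includes and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), []
        t = TAG_RE.match(rest)
        if t:  # leading tags such as NOPASSWD: or SETENV:
            tags = re.findall(r"[A-Z_]+", t.group(1))
            rest = rest[t.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        entries.append({"user": m.group("user"), "host": m.group("host"),
                        "runas": m.group("runas") or "root", "tags": tags, "commands": commands})
    return entries

def audit_sudoers(text):
    """Flag grants that let a service account escalate, the misconfiguration this box relies on."""
    findings = []
    for e in parse_sudoers(text):
        acct, any_cmd = e["user"].lstrip("%"), "ALL" in e["commands"]
        if acct in SERVICE_ACCOUNTS and any_cmd:
            findings.append((e["user"], "critical", "service account may run any command as " + e["runas"]))
        elif acct in SERVICE_ACCOUNTS:
            findings.append((e["user"], "high", "service account has sudo rights: " + "; ".join(e["commands"])))
        elif "NOPASSWD" in e["tags"] and any_cmd:
            findings.append((e["user"], "warning", "passwordless sudo to any command"))
    return findings

if __name__ == "__main__":
    for user, severity, detail in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{severity:9} {user}: {detail}")
```

Run it against `sudo -l` output or a copy of /etc/sudoers and /etc/sudoers.d/* on a host you administer; a critical finding for a web account is exactly the foothold-to-root path this room demonstrates.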
