Pickle Rick | TryHackMe Writeups
About Machine
Pickle Rickel is the beginner-level machine on TryHackMe. By enumerating the machine, one can discover the username and password. Upon logging in, the command injection becomes apparent. Leveraging command injection facilitates machine enumeration. Employing this method, a reverse shell can be established to obtain a shell, enabling further machine enumeration. However, for the sake of familiarity, I will utilize the complete command injection process to successfully solve the machine.
Nmap Scan
nmap -sC -sV 10.10.39.29
From the Nmap scan results, Ports 22(ssh) and 80(http) are open.
Enumeration
Upon accessing Port 80, a webpage presents details on logging into the computer and discovering the final three confidential ingredients.
Username: R1ckRul3s
Upon accessing the source page, the Username is evident in the commented section of the source code.
dirsearch -u http://10.10.39.29/
Following directory fuzzing, we’ve identified two intriguing directories. Let’s proceed to explore them…
Within the robots.txt file, there is text that should be observed at this moment.
Accessing login.php leads to the appearance of a login page. Since we’ve already identified the username and speculated that the password might be in the text of robots.txt, let’s proceed with the attempt.
We’ve achieved a successful login using the provided credentials. It seems to resemble a command panel, indicating a potential vulnerability to command injection. Let’s investigate further…
id
Upon executing the “id” command, an output is generated. By examining this output, we can ascertain the ability to execute commands as the user “www-data.” Let’s delve deeper into the investigation to identify the components involved.
pwd; ls -la
We’re currently located in the /var/www/html directory. Within this directory, we’ll come across two files: Sup3rS3cretPickl3Ingred.txt and portal.php. Let’s proceed to read them…
cat Sup3rS3cretPickl3Ingred.txt
When attempting to read a file using the “cat” command, an error is encountered. In such cases, an alternative approach is to utilize the “tac” command or explore other alternative commands available in the Unix system for file reading.
tac Sup3rS3cretPickl3Ingred.txt
we can get our first ingredient inside the Sup3rS3cretPickl3Ingred.txt file.
ls -l /home/
Upon inspecting the home directory, I identified two users: Rick and Ubuntu. However, the home directory for the Ubuntu user appears to be empty. Let’s enumerate the contents of Rick’s home directory.
ls -l /home/rick
We can find the second ingredient inside the “rick” home directory. Let’s read it.
tac /home/rick/"second ingredients"
sudo -l
Upon inspecting the sudo privileges, it becomes evident that the www-data user can execute sudo commands without requiring a password.
sudo ls -l /root
Upon reaching the root directory, the 3rd.txt file, containing the final ingredient, can be located.
sudo tac /root/3rd.txt
We got all three ingredients and solved the machine.
