hacktricks/ctf-write-ups/try-hack-me/pickle-rick.md

# Pickle Rick

![](../../.gitbook/assets/picklerick.gif)

This machine was categorised as easy and it was pretty easy.

## Enumeration

I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):

![](<../../.gitbook/assets/image (79) (2).png>)

In as you can see 2 ports are open: 80 (**HTTP**) and 22 (**SSH**)

So, I launched legion to enumerate the HTTP service:

![](<../../.gitbook/assets/image (234).png>)

Note that in the image you can see that `robots.txt` contains the string `Wubbalubbadubdub`

After some seconds I reviewed what `disearch` has already discovered :

![](<../../.gitbook/assets/image (235).png>)

![](<../../.gitbook/assets/image (236).png>)

And as you may see in the last image a **login** page was discovered.

Checking the source code of the root page, a username is discovered: `R1ckRul3s`

![](<../../.gitbook/assets/image (237).png>)

Therefore, you can login on the login page using the credentials `R1ckRul3s:Wubbalubbadubdub`

## User

Using those credentials you will access a portal where you can execute commands:

![](<../../.gitbook/assets/image (241).png>)

Some commands like cat aren't allowed but you can read the first ingredient (flag) using for example grep:

![](<../../.gitbook/assets/image (242).png>)

Then I used:

![](<../../.gitbook/assets/image (243).png>)

To obtain a reverse shell:

![](<../../.gitbook/assets/image (239).png>)

The **second ingredient** can be found in `/home/rick`

![](<../../.gitbook/assets/image (240).png>)

## Root

The user **www-data can execute anything as sudo**:

![](<../../.gitbook/assets/image (238).png>)
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00			`# Pickle Rick`

			`![](../../.gitbook/assets/picklerick.gif)`

			`This machine was categorised as easy and it was pretty easy.`

			`## Enumeration`

GitBook: [#2876] save 2021-11-30 17:46:07 +01:00			`I started enumerating the machine using my tool [Legion](https://github.com/carlospolop/legion):`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#3128] No subject 2022-04-27 14:34:57 +02:00			`![](<../../.gitbook/assets/image (79) (2).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`In as you can see 2 ports are open: 80 (HTTP) and 22 (SSH)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
			`So, I launched legion to enumerate the HTTP service:`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (234).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
			Note that in the image you can see that `robots.txt` contains the string `Wubbalubbadubdub`

GitBook: [#2876] save 2021-11-30 17:46:07 +01:00			After some seconds I reviewed what `disearch` has already discovered :
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (235).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (236).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2876] save 2021-11-30 17:46:07 +01:00			`And as you may see in the last image a login page was discovered.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
			Checking the source code of the root page, a username is discovered: `R1ckRul3s`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (237).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
			Therefore, you can login on the login page using the credentials `R1ckRul3s:Wubbalubbadubdub`

			`## User`

			`Using those credentials you will access a portal where you can execute commands:`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (241).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`Some commands like cat aren't allowed but you can read the first ingredient (flag) using for example grep:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (242).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
			`Then I used:`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (243).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
			`To obtain a reverse shell:`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (239).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
			The second ingredient can be found in `/home/rick`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (240).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 17:43:14 +02:00
			`## Root`

			`The user www-data can execute anything as sudo:`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`![](<../../.gitbook/assets/image (238).png>)`