TryHackMe — Pickle Rick
Jul 15, 2023
NMAP Scan
$ sudo nmap -sS -sV -sC 10.10.105.39
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-15 10:28 EDT
Nmap scan report for 10.10.105.39
Host is up (0.28s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e001ffb907e9e56866f10575ebdf7f02 (RSA)
| 256 db9c9d11705446db33fc6aeae3b8f857 (ECDSA)
|_ 256 e3fe1dd3371403debf08ecfe9227f525 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.18 (Ubuntu)
1001/tcp filtered webpush
1112/tcp filtered msql
1199/tcp filtered dmidi
1259/tcp filtered opennl-voice
1594/tcp filtered sixtrak
2121/tcp filtered ccproxy-ftp
2160/tcp filtered apc-2160
3369/tcp filtered satvid-datalnk
3546/tcp filtered unknown
5298/tcp filtered presence
6002/tcp filtered X11:2
9110/tcp filtered unknown
49155/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.41 seconds
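The scan output above is plain text meant for a human; when the same scan is repeated across several hosts it is useful to turn it into structured findings (open ports, disclosed version banners, NSE script results) that can be diffed or fed into a patch-tracking sheet. The parser below is an added example, not part of the original writeup; it is written against the column format shown in the output above, and the sample input embedded in it is a constructed excerpt of that output.

```python
"""Parse plain-text `nmap -sS -sV -sC` output into structured findings.
Added example; it is not from the original writeup. The regexes follow the
column layout of the scan output shown on this page."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines in the same format as the scan output above.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 e3fe1dd3371403debf08ecfe9227f525 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Rick is sup4r cool
1001/tcp filtered webpush
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "<port>/<proto> <state> <service> [<version banner>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+([a-z|]+)\s+(\S+)(?:\s+(.*))?$")
# NSE script lines: "| name: value" or "|_name: value"
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")


@dataclass
class PortFinding:
    port: int
    proto: str
    state: str
    service: str
    version: str = ""
    scripts: dict = field(default_factory=dict)


def parse_nmap(text):
    """Return one PortFinding per port line; script lines attach to the
    most recent port (nmap prints them directly under it)."""
    findings = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = PortFinding(
                port=int(m.group(1)),
                proto=m.group(2),
                state=m.group(3),
                service=m.group(4),
                version=(m.group(5) or "").strip(),
            )
            findings.append(current)
            continue
        s = SCRIPT_RE.match(line)
        if s and current is not None:
            current.scripts[s.group(1)] = s.group(2).strip()
    return findings


def open_ports(findings):
    return [f.port for f in findings if f.state == "open"]


def versioned_services(findings):
    """port -> banner for open ports that disclosed a version; this is the
    list to compare against vendor advisories and patch levels."""
    return {f.port: f.version for f in findings if f.state == "open" and f.version}


if __name__ == "__main__":
    results = parse_nmap(SAMPLE_SCAN)
    print("open:", open_ports(results))
    for port, banner in versioned_services(results).items():
        print(f"{port}: {banner}")
```

The filtered ports in the real scan (1001, 1112, ...) are kept with state `filtered` so they are not mistaken for services; only `open` entries feed `versioned_services`.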
Determine what framework is being used
$ whatweb http://10.10.105.39
http://10.10.105.39 [200 OK] Apache[2.4.18],
Bootstrap, Country[RESERVED][ZZ],
HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)],
IP[10.10.105.39], JQuery, Script, Title[Rick is sup4r cool]
Subdirectory Busting
$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt -b 403,404
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.105.39
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/07/15 10:34:40 Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 313] [--> http://10.10.105.39/assets/]
/index.html (Status: 200) [Size: 1062]
/robots.txt (Status: 200) [Size: 17]
Progress: 4614 / 4615 (99.98%)
===============================================================
2023/07/15 10:36:46 Finished
===============================================================
Visit each directory for clues:
- assets/
- index.html
- index.html source code reveals an interesting comment about the username
- robots.txt
Vulnerability Scanning using Nikto
$ nikto -h http://10.10.105.39
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.105.39
+ Target Hostname: 10.10.105.39
+ Target Port: 80
+ Start Time: 2023-07-15 10:03:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 426, size: 5818ccf125686, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /login.php: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
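Three of the Nikto findings above are response-header and cookie-flag issues (no X-Frame-Options, no X-Content-Type-Options, PHPSESSID set without HttpOnly). The checker below is an added example, not code from the writeup or from Nikto: it audits a raw HTTP response for exactly those weaknesses and is run against two constructed responses, one mirroring the weak configuration Nikto reported and one with the headers and cookie flags corrected, so the weak and the fixed settings sit side by side. The ETag check is a heuristic on the hyphenated Apache format and is labelled as such in the code.

```python
"""Audit a raw HTTP response for the header/cookie weaknesses Nikto flagged
above. Added example; not from the original writeup or from Nikto."""
import re

# Constructed: a response shaped like the weak configuration Nikto reported.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionid; path=/\r\n"
    'ETag: "426-5818ccf125686-gzip"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed: the same response after hardening (Apache: `Header always set
# X-Frame-Options "SAMEORIGIN"`, `Header always set X-Content-Type-Options
# "nosniff"`, `FileETag None`; PHP: `session.cookie_httponly = 1`).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionid; path=/; HttpOnly; SameSite=Lax\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Apache-style ETag: hex fields joined by '-', optional '-gzip' from mod_deflate.
APACHE_ETAG_RE = re.compile(r'^"?[0-9a-f]+-[0-9a-f]+(?:-[0-9a-f]+)?(?:-gzip)?"?$')


def parse_headers(raw):
    """Split the head of a raw response into (status_line, [(name, value)]).
    Names are lower-cased; duplicate headers (several Set-Cookie) are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_response(raw):
    """Return a list of human-readable findings; empty list means clean."""
    _, headers = parse_headers(raw)
    names = {n for n, _ in headers}
    findings = []
    if "x-frame-options" not in names:
        findings.append("missing X-Frame-Options (clickjacking)")
    if "x-content-type-options" not in names:
        findings.append("missing X-Content-Type-Options: nosniff (MIME sniffing)")
    for name, value in headers:
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie_name} set without HttpOnly")
        elif name == "etag" and APACHE_ETAG_RE.match(value):
            # Heuristic only: Apache 2.4 defaults to MTime+Size, but if
            # FileETag includes INode the first field is the inode number.
            findings.append("ETag in Apache multi-field format; confirm FileETag excludes INode")
        elif name == "server" and re.search(r"/\d", value):
            findings.append(f"Server header discloses version: {value}")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "clean")
```

Each finding maps to one configuration change; the comment above `HARDENED_RESPONSE` names the Apache and PHP directives that produce the corrected headers.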
Visiting /login.php
Log in using the username found in the source code as the username and the robots.txt content as the password. Admittedly this feels like a cheat :)
After a successful login, you should be able to see the portal.php page.
The other pages seem to be accessible only to Rick.
Let’s use the Command Panel and execute Linux commands:
- ls -al
What is the first ingredient that Rick needs?
- less Sup3rS3cretPickl3Ingred.txt
Let’s try combining commands.
- cd /; ls -al
The folders home/ and root/ are interesting, let’s visit them.
- cd /home; ls -la
Change directory to rick/
- cd /home/rick; ls -la
What is the second ingredient in Rick’s potion?
- cd /home/rick; less "second ingredients"
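The reason `cd /; ls -al` works in the Command Panel is that the panel hands the whole string to a shell, so the shell, not the application, decides where one command ends. The snippet below is an added example, not the room's code (the writeup does not show the panel's PHP source, so both handlers are assumptions about how such a panel is typically written): `unsafe_argv` models the vulnerable pattern, and `safe_argv` is a hardened handler that tokenizes without a shell, allowlists the program, rejects shell metacharacters and refuses arguments that could leave the working directory. The allowlist is a constructed policy.

```python
"""Why command chaining works in a shell-backed command panel, and how a
hardened handler refuses it. Added example; the handlers are assumptions
about a typical panel implementation, not the room's code."""
import shlex

# Constructed policy: the only programs a restricted panel may run.
ALLOWED_COMMANDS = {"ls", "whoami", "id", "uname"}

# Characters with meaning to /bin/sh. Any of them in a string passed to a
# shell lets the caller chain, pipe, redirect or substitute commands.
SHELL_METACHARS = set(";|&$`<>(){}\n")


def unsafe_argv(user_input):
    """Models the vulnerable pattern (e.g. PHP shell_exec, Python shell=True):
    the untrusted string becomes the -c argument of a shell, so `a; b` runs
    both a and b regardless of what the panel intended."""
    return ["/bin/sh", "-c", user_input]


def safe_argv(user_input):
    """Hardened handler. Returns the argv list to pass to subprocess.run()
    WITHOUT shell=True, or raises ValueError with the reason for refusal."""
    bad = sorted(ch for ch in set(user_input) if ch in SHELL_METACHARS)
    if bad:
        raise ValueError(f"shell metacharacters not permitted: {bad}")
    try:
        argv = shlex.split(user_input)  # POSIX tokenizing, no shell involved
    except ValueError as exc:
        raise ValueError(f"could not parse command: {exc}") from exc
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWED_COMMANDS:
        raise ValueError(f"{argv[0]!r} is not an allowed command")
    for arg in argv[1:]:
        # Keep the command inside the panel's working directory.
        if arg.startswith("/") or arg.startswith("~") or ".." in arg.split("/"):
            raise ValueError(f"argument {arg!r} may leave the working directory")
    return argv


def check(user_input):
    """Convenience wrapper: (accepted, argv_or_reason)."""
    try:
        return True, safe_argv(user_input)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for cmd in ("ls -al", "cd /; ls -al", "ls /home/rick", 'less "second ingredients"'):
        print(f"{cmd!r:32} unsafe -> {unsafe_argv(cmd)}")
        print(f"{'':32} safe   -> {check(cmd)}")
```

With the hardened handler the argv list goes straight to `execve` via `subprocess.run(argv)`; a `;` that somehow survived validation would be an ordinary argument to `ls`, not a command separator.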
Let’s check sudo privileges
- sudo -l
It seems we can execute sudo. Let’s try to list the root/ directory.