TryHackMe|PickleRick WriteUp\Walkthrough (English)

PickleRick

Room Link: https://tryhackme.com/r/room/picklerick
===========================================================

• sudo nmap -vv IP we have 2 open ports 80 and 22. gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://10.10.60.226 -r  from this scan we have 2 directories /robots.txt and /assets. /assets is just the pictures and codes used in the website, there is nothing hidden in these pictures. In /robots.txt we have an interesting string.

• In the home page it mentioned something about a password that it forgot, and in its source code, we have a username.

So there must be a login page but we didn’t find it by the first scan of gobuster. Therefore I will start a new scan adding extra extensions gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://10.10.60.226 -r -x .php,.xml,.html. we got /denied.php, /login.php, /portal.php. Go to /login.php and login in with the credentials R1ckRul3s:*************.

• Now you are in a page with a command panel. id to know your user which showed to be www-data. ls you have many files, “Sup3rS3cretPickl3Ingred.txt” and “clue.txt” looks interesting. If you try to use cat it will not accept it because the command is disabled. So, view the file using less Sup3rS3cretPickl3Ingred.txt and you will get the first ingredient ✨.

• View the clue.txt the same way you have a hint that tells you to search the file system more. ls /home you have a user called rick, view the contents of its home directory ls /home/rick you have a file called “second ingredients” view it less /home/rick/”second ingredients” and you have the second ingredient ✨.
• For the final ingredient, it is probably in the root’s home directory. See what commands you can run as sudo, use sudo -l, it shows that you can run all commands using sudo. sudo ls /root you have 3rd.txt file, view its contents using sudo less /root/3rd.txt and thus you obtained the 3^rd ingredient ✨.