Solving TryHackMe's "Pickle Rick" Room: A Complete Walkthrough
Emanuele @shadownet0110

Publish Date: May 8

Introduction

The Pickle Rick room on TryHackMe is a fun, beginner-friendly challenge inspired by the Rick and Morty series. The goal is to exploit a web server to find three ingredients that Rick needs to transform back into a human from a pickle. This guide will walk you through each step to complete the room.

Step 1: Let's deploy the Machine
Navigate to the Pickle Rick room on TryHackMe.
Click on "Start Machine" to start the virtual machine. Then start your AttackBox Kali machine to connect to our victim's machine.
Once everything is correctly loaded up, we can jump to our next step.

Step 2: Exploring the Web Application
Open the Firefox browser and enter the victim machine's IP in the URL bar.
http://10.10.8.74 (YOUR_VICTIM_IP)
The browser should display the index page you see here:

Main page

Ok, just a standard web landing page, no big deal here at first sight. Let's try opening the source code inspector in Firefox.
You can either press F12 on your keyboard or, another method that is cool to know, put the keyword "view-source:" in the URL bar before the IP, like this:

view-source:http://10.10.8.74 (YOUR_VICTIM_IP)

source head

Head section first! Make sure you go through the head section of the HTML page first. It can contain important references to hidden paths where files like stylesheets or JavaScript are stored.
A couple of interesting things I've noticed: there are actually CSS and JS files in the /assets/ folder.

source body

Then let's dig further into the body section, and YES!, we spot a potential username for a login form. Good, notes taken, username: R1ckRul3s

Now I want to see what's inside the folder we spotted a couple of minutes ago. In the URL bar, let's append the assets folder to the IP:
http://10.10.8.74(YOUR_VICTIM_IP)/assets/

assets folder

Sometimes in folders like this you can find subfolders, or even txt files from developers with other hidden information. Not in this case! Here's my assumption: it's not worth looking in those CSS and JS files, they don't have any kind of hidden path in them, and if we click "Parent Directory", we will end up on the previous Pickle Rick landing page...
Let's open a terminal window and perform another kind of analysis with GoBuster.

# replace 10.10.8.74 with YOUR_VICTIM_IP
gobuster dir -u http://10.10.8.74 -w /usr/share/wordlists/rockyou.txt

For LAZINESS I ended up using rockyou.txt, but you can use better lists in the /usr/share/wordlists/dirbuster folder, which are built for directory and file names rather than passwords.

starting gobuster

After running gobuster for a bit, we spot the login form! A file called robots.txt also appeared, along with an HTML file called index.html.

gobuster results

We can go ahead and visit each of the results by simply adapting the string in the URL bar like we did for the assets folder, adding the name of the file that gobuster found at the end, as follows:
http://10.10.8.74(YOUR_VICTIM_IP)/index.html
http://10.10.8.74(YOUR_VICTIM_IP)/robots.txt
http://10.10.8.74(YOUR_VICTIM_IP)/login.php

SPOILER ALERT: the index.html is our landing page!

index.html

Next step is to visit the .txt file, and that 1-line-1-string could be either a password or GodKnowsWhat...

robots.txt

But let's assume it's THE password for the username we found in the previous shows...
So now we can complete the login form with:

  • username: R1ckRul3s
  • password: Wubbalubbadubdub

login.php

NICE!

Heeeeeey! We've managed to get inside the application. While the main page shows us a simple Command Panel with an Execute button, there are many sections to visit in the navbar at the top.

command panel

Let's analyze those items one-by-one by switching first to the source code inspector. Given the previous scenario, we can expect some information maybe hidden in comments.

code panel

Noticed this comment, could be something encoded in base64; screenshot that for later, but it's not the kind of information I was looking for.

SPOILER ALERT HERE: weird, this string is actually garbage; I tried to decode it from base64 online and ended up with nothing. We can try Burp Suite's Smart Decode functionality, by the way; like I said, we will put it aside for now...

Close the source inspector for now, I want to try something different. Let's see what response we get from this command panel. whoami?

test command panel

AH, REALLY? You can digest this? It gives us information about the user who's running the application, in our case www-data, the default user, so I assume there's no problem in showing what's in this folder. Also keep that ubuntu in mind because we will come back to it later; there's actually a parent folder called ubuntu. Let's try listing files and directories.

ls -l

listed files

We got a bunch of .txt files which almost certainly (99,99%) contain the answers we are looking for. First I'll take a look at the Sup3rS3cretPickl3Ingred.txt file, using cat like in a normal Kali terminal window.

cat Sup3rS3cretPickl3Ingred.txt

Supersecretingred

Ah crap!....this command is blocked....are there any similar commands that we know for sure will spit out the contents of this file in clear text?

Actually yes! There are plenty, but I was lucky enough with strings (filename.txt)

strings Sup3rS3cretPickl3Ingred.txt

strings worked

This is our first answer: mr. meeseek hair. Copy and paste it into TryHackMe and let's move to the next item.
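Why the panel's filter failed, as an added example (not code from the room or from the original walkthrough): a denylist that refuses cat still accepts every other command typed above, while a handler built around named actions and a confined path rejects them all. The denylist contents, BASE_DIR and the action names are assumptions, since the room's real filter is not shown.

```python
import os

# Assumption: the room's real filter is not shown on the page. This models only
# the behaviour the walkthrough observed: cat is refused, other binaries run.
DENYLIST = ("cat",)

def denylist_allows(command: str) -> bool:
    """Weak design: pass anything to a shell unless a word is denylisted."""
    return not any(word in DENYLIST for word in command.split())

# Hardened design (hypothetical names and paths): the client sends an action
# name plus one relative path; the server owns the binary, flags and base dir.
BASE_DIR = "/srv/panel/reports"
ACTIONS = {"list": ["ls", "-l", "--"], "show": ["cat", "--"]}

def build_argv(action: str, rel_path: str) -> list:
    """Return argv for subprocess.run(argv, shell=False), or raise ValueError."""
    if action not in ACTIONS:
        raise ValueError("unknown action")
    base = os.path.realpath(BASE_DIR)
    target = os.path.realpath(os.path.join(base, rel_path))
    # Absolute paths and ../ sequences resolve outside base and are refused.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path outside base directory")
    return ACTIONS[action] + [target]

def allowlist_allows(command: str) -> bool:
    """Treat a raw panel input as 'action path' and try the hardened handler."""
    action, _, rel_path = command.partition(" ")
    try:
        build_argv(action, rel_path)
        return True
    except ValueError:
        return False

# Command lines typed into the panel in the walkthrough above.
PAGE_COMMANDS = [
    "cat Sup3rS3cretPickl3Ingred.txt",
    "strings Sup3rS3cretPickl3Ingred.txt",
    "ls /home",
    "sudo strings /root/3rd.txt",
]

def compare() -> list:
    """(command, accepted by denylist, accepted by allowlist) per command."""
    return [(c, denylist_allows(c), allowlist_allows(c)) for c in PAGE_COMMANDS]

if __name__ == "__main__":
    print(*compare(), sep="\n")
```
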

Step 3: Clue leading us to the second ingredient
As we ran the strings command for the first answer, let's do the same for the clue.txt file and see what we get.

strings clue.txt

strings clue

Now we need a little mind map of where we are. As I mentioned previously, we were in a ubuntu folder, but where is this located on the system? Let's try cd .. or cd /home/

Weird part 2: none of those commands worked, no output at all, so we need to find a cd replacement like ls /home/ or similar

ls /home

ls worked

That worked! So now we know of the existence of the ubuntu folder and another folder called rick. I'm going inside that and list the crap out of it.

ls -l /home/rick

second ingred

What kind of file is that? Since cat doesn't work, we're forced to use strings again. We need a little bit of reverse engineering here: there's a space character in the name, so we need to escape it with a backslash between the two words, or try other methods.

strings /home/rick/second\ ingredient

second answer

Get the second answer here: 1 jerry tear. On to the next and final answer; this time we will focus on privilege escalation.

Editor Shadownet0110 here: I've mentioned the navbar previously in this article. Yes, I've analyzed it but didn't screenshot it; if you're interested you can take a deep dive, but most of the sections contain nothing special.

Step 4: Privs Escalation
The task is simple, from the command panel we need to input something that will grant access to the /root/ folder. I should say sudo plus the ls command we've discovered that does the moving for us.

sudo ls -a /root/

sudo root

Strange, this time we also need a forward slash at the end of the word root, while earlier with the home folder it wouldn't display anything, so you have to leave it open: "/home"

Nice run! We managed to score the third and last ingredient. Just grab the 3rd.txt file via the strings command, but don't forget sudo!

sudo strings /root/3rd.txt

3rd ingred

Challenge SORTED! Third ingredient is a fleeb juice!
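The sudo calls above ran from the web panel as www-data with no password prompt, which implies the box grants that account a NOPASSWD sudo rule. As an added example (not from the original walkthrough or the room), this simplified audit flags such rules on your own hosts; the service-account list, the sample sudoers content and the severity labels are assumptions.

```python
import re

# Accounts that run network-facing services (assumed list; extend as needed).
SERVICE_ACCOUNTS = {"www-data", "nginx", "apache", "nobody"}

# Simplified user spec: user host = [(runas)] [TAG: ...] cmd[, cmd ...]
# Aliases, %groups and include directives are not expanded here.
SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)

def audit_sudoers(text: str) -> list:
    """Return (line, user, severity, commands) for risky service-account rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        match = SPEC.match(line)
        if not match or match["user"] not in SERVICE_ACCOUNTS:
            continue
        # sudo runs the command as root when no runas list is given.
        runas = match["runas"] or "root"
        as_root = any(
            r.strip().split(":")[0] in ("ALL", "root") for r in runas.split(",")
        )
        nopasswd = "NOPASSWD:" in match["rest"]
        cmds = [c.strip() for c in
                re.sub(r"\b[A-Z_]+:\s*", "", match["rest"]).split(",")]
        if as_root and nopasswd:
            severity = "critical" if "ALL" in cmds else "high"
            findings.append((lineno, match["user"], severity, cmds))
    return findings

# Constructed sample; the walkthrough does not show the box's real sudoers file.
SAMPLE = """\
# /etc/sudoers.d/webapp (constructed)
Defaults env_reset
root ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
nginx ALL=(root) NOPASSWD: /usr/sbin/nginx -s reload
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```
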

Conclusion

Completing the Pickle Rick room on TryHackMe is a great way to practice web exploitation and command injection techniques. By following this guide, you should be able to find all three ingredients and successfully transform Rick back into a human.

Feel free to share your thoughts and experiences in the comments below. Happy hacking!
