Hello Readers! Today Today's walk through the Pickle Rick CTF machine from Tryhackme. This box is very easy but tricky . This box is also design where we can get the root flag without privilege escalation too.
Let’s Do It
First thing first, let's start the machine and get the proper valid IP address, So need wait once IP is allocated.
Ping the machine to make sure the connectivity.
Now everything is working, Let's check for the nmap scan.
As I found HTTP so I have to check for nmap vunls script to get more details from remote host system.
Now I have the nmap result and observe that only 2 ports are open. As we all have basic check methodology, I will be checking the HTTP port first.
This look very interesting, Meanwhile let me check the view source also if something is there.
Here I found Username: - R1ckRul3s
Also I have found robots.txt and login.php. Let me check that also.
There is a login.php page also available and asking for credential to get in web portal.
As I found in page robots.txt it will look like like I got the password string also Wubbalubbadubdub. Now I have both username and password now I can try to check for the login.php
After login I enter details like Username and Password, then click on the Login button.
Once I logged in I landed on the portal.php page which is having Command Panel.
Here as per nmap result the system is running on some kind of Linux flavor Operating System.
So, I checked few random commands.
ls -al
Yes ! the Linux command is working here so as we get familiar with it and then I able to know that cat command is not working, less command is working.
Yes Got It. less command is working as reading files from system.
So, I started to get the flags. First, I check the local directory by listing command.
Now it is very much clear that I have the .txt file which looks interesting, let me check the content.
less Sup3rS3cretPickl3Ingred.txt
Let's check the current user details so we can get idea from this to collect the other pending flags value.
Now I will try to check different directories and in /home/ to get more flags.
Now check the rick directory contents.
less /home/rick/second\ ingredients
or
less /home/rick/'second ingredients'
Now I have to search for the final flag. After searching for some time, I don’t get anything,
ls -al /root
Not Found anything here,
I think it has permission issue.
So I tried to check the permission as this is working like a bash terminal only.
sudo -l
WOW! I can able to get the information that user www-data can run any command as sudo without password so, I enumerate inside the root folder and got the final flag.
sudo less /root/3rd.txt
Finally, I got the Badge after inserting all 3 flags.
BOOM!
Thanks for reading and I hope you liked this blog.
Happy Learning!!!