- Name: Pickle Rick
- Profile: tryhackme.com
- Difficulty: Easy
- Description: A Rick and Morty CTF. Help turn Rick back into a human!
Install the tools used in this write-up on BlackArch Linux:
$ sudo pacman -S nmap ffuf ruby-ctf-party
Port scan with nmap:
# Nmap 7.91 scan initiated Tue Mar 9 19:36:57 2021 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.8.120
If we look at the source code of the web app's home page, we can see an HTML comment leaking a username:
Let's find some pages:
$ ffuf -u http://10.10.8.120/FUZZ -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fc 403
robots.txt contains a troll message, and portal.php redirects to
probably because we are not authenticated.
OK, now it's super dumb and not realistic at all, but the word in
robots.txt was not a troll but the actual password of
So there is no vulnerability to identify here and no brute-force to do with hydra.
Once authenticated, there are a bunch of pages where we can see the following message:
Only the REAL rick can view this page..
So we don't have the proper profile to see those pages, but we can access
/portal.php, which contains a form entitled Command Panel where we can
directly write a system command to be executed (ultra realistic again).
Let's try some basic commands:
But when we try to read the suspicious file with
we obtain the following message:
Command disabled to make it hard for future PICKLEEEE RICCCKKKK.
(ultra realistic again), and the page source contains the following comment (ultra realistic again):
<!-- Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0== -->
It's a nested base64 string (a base64 string containing a base64 string, and so on) but with
incorrect padding, so we have to remove or add some at each layer, which makes it unhandy to pipe through the
base64 command on the terminal, so I used ctf-party instead
to decode the string. Here is the toxic message I got:
You know what? Another toxic unrealistic step! It's a shame we don't know the author of the box so we could shame them.
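As an added example (not the write-up's ctf-party invocation), here is a Python decoder that does the padding repair described above: it strips whatever "=" padding a layer carries, re-adds the correct amount, and keeps peeling layers while the result still looks like base64 text. The input constant is the comment value copied from the page; the nest_base64 helper, the stop heuristic and the layer limit are my own assumptions.

```python
import base64
import binascii
import re
from typing import List, Optional

# Comment value copied from the page's portal source (note the bogus "==" padding).
PAGE_COMMENT_VALUE = (
    "Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkli"
    "RmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0=="
)

# Base64 alphabet plus optional trailing padding; anything else is treated as plaintext.
_B64_LAYER = re.compile(r"^[A-Za-z0-9+/]+=*$")


def fix_padding(s: str) -> str:
    """Drop whatever '=' padding is present and re-add the amount the length requires."""
    s = s.strip().rstrip("=")
    return s + "=" * (-len(s) % 4)


def decode_layer(s: str) -> Optional[str]:
    """Decode one base64 layer; return None if it is not valid base64 text (UTF-8 result)."""
    if not _B64_LAYER.match(s.strip()):
        return None
    try:
        raw = base64.b64decode(fix_padding(s), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_nested_base64(s: str, max_layers: int = 32) -> List[str]:
    """Peel base64 layers until the result no longer decodes as base64 text.

    Returns every layer seen, outermost first; the last element is the plaintext.
    The stop rule is a heuristic (assumption): a plaintext that happens to be pure
    base64 alphabet and decodes to valid UTF-8 would be peeled one layer too far.
    """
    layers = [s.strip()]
    for _ in range(max_layers):
        nxt = decode_layer(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def nest_base64(text: str, layers: int) -> str:
    """Constructed test input: wrap text in `layers` encodings, then drop the padding
    to mimic the sloppy value found in the page comment."""
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode().rstrip("=")


if __name__ == "__main__":
    for depth, layer in enumerate(decode_nested_base64(PAGE_COMMENT_VALUE)):
        print(f"layer {depth}: {layer}")
```

Running the script prints each intermediate layer, which is handy when a layer is not base64 at all (hex, rot13, a URL-safe alphabet) and you need to see where the chain stops.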
Let's get back to
Sup3rS3cretPickl3Ingred.txt, where the command
is forbidden. We can use
tee < Sup3rS3cretPickl3Ingred.txt instead:
mr. meeseek hair
It seems to be the first ingredient.
Note: Of course, if you don't know the restricted shell escape trick, you
could just request http://10.10.8.120/Sup3rS3cretPickl3Ingred.txt via HTTP, as it
is in the web server root folder.
tee < portal.php shows that the forbidden commands are:
$cmds = array("cat", "head", "more", "tail", "nano", "vim", "vi");
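The list above is a denylist of command names, which is why tee (and any other binary not in the list) goes straight through. As an added example, not code from the box (which is PHP; this is Python), here is the denylist check beside the allowlist design that fixes it. Assumptions: the page shows only the array, not the comparison, so denylist_allows mirrors a plain substring match; the ALLOWED table and run_allowlisted are hypothetical hardening.

```python
import shlex
import subprocess
from typing import Dict, List, Optional, Set

# Denylist as found in portal.php. Matching rule is an assumption (substring match).
DENIED_SUBSTRINGS = ["cat", "head", "more", "tail", "nano", "vim", "vi"]


def denylist_allows(command: str) -> bool:
    """The box's approach: reject only if a forbidden name appears in the string.
    Anything not named (tee, php, ...) is accepted, as the write-up shows."""
    return not any(bad in command for bad in DENIED_SUBSTRINGS)


# Hardened approach (hypothetical): the exact binaries the panel should expose and
# the only flags each may take. Everything else is rejected before any process spawns.
ALLOWED: Dict[str, Set[str]] = {
    "ls": {"-l", "-a", "-la", "-lhA"},
    "whoami": set(),
    "id": set(),
}


def allowlist_parse(command: str) -> Optional[List[str]]:
    """Return an argv the panel may execute, or None if the request is rejected.

    shlex splits the string the way a shell would, but the argv is never handed
    to a shell, so '<', ';', '|' and quoting are ordinary arguments here, and an
    argument that is not an allowed flag (including any path) is rejected.
    """
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    allowed_flags = ALLOWED[argv[0]]
    if any(arg not in allowed_flags for arg in argv[1:]):
        return None
    return argv


def run_allowlisted(command: str) -> Optional[str]:
    """Execute an allowlisted request without a shell; None means it was refused."""
    argv = allowlist_parse(command)
    if argv is None:
        return None
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    for req in ("ls -lhA", "tee < Sup3rS3cretPickl3Ingred.txt", "ls; id"):
        print(f"{req!r}: denylist={denylist_allows(req)} allowlist={allowlist_parse(req)}")
```

The point of the allowlist is that it validates the parsed argv, not the raw string, and passes a list to subprocess.run, so there is no shell to interpret redirections or separators; the denylist cannot be patched into equivalence by adding more names.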
Same method as for the 1st ingredient:
$ ls -lhA /home
1 jerry tear
We can run anything as root without a password:
$ sudo -l
We can't use
tee with sudo because of the redirection operator (the redirection is performed by our
unprivileged shell before sudo runs), so let's use another
shell escape technique: quotes / concatenation on the binary name. We can also
use PHP, etc.
$ sudo php -r "echo file_get_contents('/root/3rd.txt');"