In this blog post, I'll share my experience tackling the "Pickle Rick" challenge on TryHackMe, a fun and educational CTF (Capture The Flag) exercise inspired by the "Rick and Morty" series. The primary objective is to exploit a web server to find three secret ingredients that will help Rick turn back into a human from a pickle. This challenge focuses on web application vulnerabilities, particularly weak credentials and improper file permissions.
The key vulnerabilities exploited in this challenge include:
Weak Credentials: The use of easily guessable usernames and passwords allowed unauthorized access to the web application's admin panel.
Information Disclosure: Sensitive information, such as usernames and passwords, was exposed in publicly accessible files, facilitating unauthorized access.
Improper File Permissions: Accessible files containing sensitive information were not properly secured, allowing unauthorized users to read their contents.
These vulnerabilities exist due to poor security practices, such as inadequate password policies and improper handling of sensitive information, which can lead to unauthorized system access in real-world scenarios.
I began by deploying the Fowsniff machine and identifying its IP address. Using Nmap, I scanned for open ports and services:
nmap -sC -sV -oN nmap_scan.txt <target_ip>
The scan revealed the following open ports:
Port 22 (SSH): OpenSSH 7.2p2
Port 80 (HTTP): Apache httpd 2.4.18
With an HTTP service running on port 80, I navigated to the web server in my browser and was greeted with a page featuring Rick asking for help to find three secret ingredients.
Inspecting the page's source code, I discovered a commented line revealing a potential username:
<!--
Note to self, remember username!
Username: R1ckRul3s
-->
Next, I used Gobuster to discover hidden directories and files:
gobuster dir -u http://<target_ip>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt
The scan revealed the presence of /robots.txt and /login.php. Accessing /robots.txt displayed the following message: Wubbalubbadubdub
I inferred that "Wubbalubbadubdub" might be the password corresponding to the previously found username.
Navigating to /login.php, I encountered a login page. Using the credentials R1ckRul3s and Wubbalubbadubdub, I successfully logged in and was presented with a command panel that allowed me to execute commands on the server.
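From the defender's side, both disclosures above (the credential note in an HTML comment and the stray string in robots.txt) can be caught before deployment. The following is an added example, not part of the original write-up: a pre-deploy audit with hypothetical function names, run over a constructed sample web root that reuses the two snippets quoted above.

```python
import re

# Keywords that suggest a credential note left behind in an HTML comment.
CRED_HINT = re.compile(r"\b(user(name)?|pass(word|wd)?|login|secret|token)\b", re.I)
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
# Directives crawlers understand; any other non-comment line is stray text.
ROBOTS_DIRECTIVE = re.compile(r"^(user-agent|disallow|allow|sitemap|crawl-delay)\s*:", re.I)

def audit_html(name, text):
    """Flag HTML comments whose body mentions credential-like keywords."""
    findings = []
    for match in HTML_COMMENT.finditer(text):
        if CRED_HINT.search(match.group(1)):
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append((name, line_no, "credential hint in HTML comment"))
    return findings

def audit_robots(name, text):
    """Flag robots.txt lines that are neither directives nor # comments."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#") \
                and not ROBOTS_DIRECTIVE.match(stripped):
            findings.append((name, line_no, "non-directive text in robots.txt"))
    return findings

def audit_webroot(files):
    """Audit a {filename: content} mapping of files served from the web root."""
    findings = []
    for name, text in sorted(files.items()):
        if name.endswith((".html", ".htm", ".php")):
            findings += audit_html(name, text)
        elif name.endswith("robots.txt"):
            findings += audit_robots(name, text)
    return findings

# Constructed sample web root (not the real challenge files).
SAMPLE = {
    "index.html": "<html>\n<body>\n<h1>Home</h1>\n<!--\nNote to self, "
                  "remember username!\nUsername: R1ckRul3s\n-->\n</body>\n</html>\n",
    "robots.txt": "Wubbalubbadubdub\n",
    "clean.html": "<!-- nav starts here -->\n<p>ok</p>\n",
}

if __name__ == "__main__":
    for finding in audit_webroot(SAMPLE):
        print("%s:%d: %s" % finding)
```

A check like this fits in a CI step that fails the build on any finding; the keyword list is a starting point and should be tuned to the project's own naming.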
Using the command panel, I executed ls to list the files in the current directory:
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
Attempting to read Sup3rS3cretPickl3Ingred.txt using cat resulted in an error, indicating insufficient permissions. Next, I read the contents of clue.txt: Look around the file system for the other ingredient.
Following this hint, I navigated to /home/rick and listed its contents: second ingredients
I attempted to read the second ingredients file: 1 jerry tear
For the final ingredient, I checked the /root directory and found 3rd.txt. Reading 3rd.txt: fleeb juice