Pickle Rick: Super easy
Pickle Rick is easy category room based on web server exploits. We need to get 3 flags to complete this room.
Lets fire the machine up and browse to the IP.
Since it is web server based challenge, I started by looking into source code. We can easily see username there in comments. Meanwhile, I started the dirbuster with medium word-list.
And by habit, I looked for robots.txt. And see what I found, some alphabetic-gibberish. Might me password.
But I don’t know from where can I login. I checked the dirbuster. It has found login.php.
Go to login.php and login using username and password found. Voila! I am in. Redirected to a portal.php with an input box “command”. Tried using “ls” and it is same as expected, an command interface where we enter command and we will be provided results in response.
We found our 1st ingredient, Try to use cat command but whoops, command is disabled.
I can try to generate reverse shell form here but that will be extra effort and will be beating the “easy” category of challenge. I can think of an alternative command which can do the work for me “strings”. Lets try that.
It is working. Hardest part is done. Looking into clue file tells us to look into system files for another ingredients. If you are familiar with CTFs, you know where to look for, user and root. Use “ls /home/rick” and we can see 2nd ingredient. Strings the file, and we found our 2nd ingredient.
For third ingredient, I tried to use “ls root”. but got nothing. Might be due to access denied. To confirm, I used “ls -als /” command. Seems like this is the case.
I tried “sudo -l” to see my options. And to my surprise, I can do anything without providing password.
Now the game is over, use “sudo ls root” and we can see 3rd.txt. Strings that, submit flag and enjoy the day.
