Pickle Rick CTF (TryHackMe) – Beginner Friendly Writeup

CTF

2/22/2025, 2 min read

In this challenge, we explore a Rick and Morty-themed vulnerable server, aiming to help Rick find three potion ingredients. This beginner-friendly write-up explains each step and command clearly, making it suitable for those new to cybersecurity and penetration testing. You can find and attempt this CTF yourself at TryHackMe's Pickle Rick room.

All steps in this challenge are performed directly within the browser using TryHackMe's built-in AttackBox. This means you won't have to install or configure any tools on your local system, making it simple and accessible for beginners.



Step 1: Reconnaissance and Enumeration

After deploying the virtual machine from TryHackMe, we begin with a quick Nmap scan to discover open services. Note: Your IP address will differ from the one used here, as each user receives their own unique environment when spawning the lab:

nmap 10.10.84.175

  • nmap is a network scanning tool used to discover active hosts and services.

We notice port 22 (SSH) and port 80 (HTTP) are open.

Step 2: Checking the Website

Visiting http://10.10.84.175, we are presented with instructions to log into Rick’s computer, but no password is provided.

Checking the web page source (Right-click > Inspect Element), we find the username:

Username: R1ckRul3s

Attempting SSH login with this username:

ssh R1ckRul3s@10.10.84.175

This gives a permission denied error, indicating a dead end for now. The server likely uses SSH keys rather than passwords for authentication. We'll pivot to exploring other potential entry points in the next steps.

Step 3: Web Directory Enumeration

Using a tool called dirb, we scan for hidden directories and files on the web server:

dirb http://10.10.84.175

  • dirb scans web servers for hidden directories or files based on a wordlist.

We find an interesting file: robots.txt. This file is commonly used by websites to instruct web crawlers (like search engines) which pages or files they should or should not index. Accessing it (http://10.10.84.175/robots.txt), we discover:

Wubbalubbadubdub

This appears to be a password, but it doesn't work for SSH, suggesting that SSH is likely a dead end in this challenge. Realizing this, I refocused my efforts on exploring the website further. Revisiting the documentation for the dirb command helped me refine my approach, leading me to the next step.

Further enumeration reveals a hidden login.php page:

dirb http://10.10.84.175 -r -X .txt,.bak,.php,.old

  • -r enables recursive scanning, meaning the tool searches not just the main directory, but also subdirectories for additional hidden content.

  • -X specifies file extensions to scan for. This option saved us by explicitly directing dirb to check for specific file types (like .php), uncovering the previously hidden login.php file that wasn't found during our initial enumeration.

Step 4: Logging into the Web Portal

We navigate to http://10.10.84.175/login.php and successfully log in using:

  • Username: R1ckRul3s

  • Password: Wubbalubbadubdub

Note: Be cautious with credentials; a single typo can cause failure, as happened initially here.

We now have a command prompt interface on the web portal.

Step 5: Finding the First Ingredient

The command prompt blocks certain commands (like cat). We use grep instead to read files:

grep . clue.txt

  • grep . selects every line that contains at least one character (the regular expression . matches any single character), so it prints the whole file.

The file instructs us to look around the file system for other ingredients. Using:

grep . Sup3rS3cretPickl3Ingred.txt

We get our first flag:

mr. meeseek hair
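To show why the portal's block on cat was so easy to sidestep, here is an added example, a Python model of my own rather than the room's PHP code, contrasting a denylist filter of the kind the portal appears to use with an allowlist filter; the denylist entries beyond cat and the allowlist entries are assumptions.

```python
import shlex

# Constructed model of two command-filtering strategies for a web "command prompt".
# Assumption: the portal blocks by first word; the page only confirms cat is blocked.
DENYLIST = {"cat", "head", "tail", "more"}
# Hypothetical: the only commands a locked-down portal would permit.
ALLOWLIST = {"ls", "whoami", "pwd"}
SHELL_METACHARS = set(";|&`$<>(){}")


def _argv(cmdline: str):
    """Tokenise like a POSIX shell; unbalanced quotes are treated as no command."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return []


def denylist_allows(cmdline: str) -> bool:
    """Naive filter: reject only when the first word is on the denylist.
    grep, less and sudo are not listed, so 'grep . clue.txt' passes unchanged."""
    argv = _argv(cmdline)
    return bool(argv) and argv[0] not in DENYLIST


def allowlist_allows(cmdline: str) -> bool:
    """Stricter filter: the first word must be on the allowlist and the line may
    contain no shell metacharacters, so chaining and substitution are rejected."""
    if any(ch in SHELL_METACHARS for ch in cmdline):
        return False
    argv = _argv(cmdline)
    return bool(argv) and argv[0] in ALLOWLIST


if __name__ == "__main__":
    for line in ("cat clue.txt", "grep . clue.txt", "sudo less /root/3rd.txt", "ls -la"):
        print(f"{line!r}: denylist={denylist_allows(line)} allowlist={allowlist_allows(line)}")
```

The denylist lets every command from this write-up through except cat, while the allowlist rejects all of them except ls.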

Step 6: Privilege Escalation (Getting Sudo Permissions)

Checking available commands with elevated privileges:

sudo -l

  • sudo -l lists the commands the current user is permitted to run through sudo, and shows whether a password is required for them.

We discover we can run commands with sudo privileges without needing a password.

Step 7: Finding the Remaining Ingredients

We leverage our sudo privileges to read restricted files:

sudo less /home/rick/"second ingredients"

sudo less /root/3rd.txt

  • less views file contents page-by-page in the terminal.

This yields the final two ingredients and completes the challenge.

Conclusion

This CTF highlights the importance of basic web security knowledge, including tools like dirb, nmap, and fundamental Linux command-line usage.