Pickle Rick

May 18, 2025

Recon

Let’s start with an nmap scan:

nmap -A 10.65.190.76

Starting Nmap 7.80 ( https://nmap.org ) at 2025-12-07 09:50 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.65.190.76
Host is up (0.00038s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Rick is sup4r cool
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=12/7%OT=22%CT=1%CU=32220%PV=Y%DS=1%DC=T%G=Y%TM=69354E1
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M2301ST11NW7%O2=M2301ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M23
OS:01ST11NW7%O6=M2301ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4
OS:B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.43 ms 10.65.190.76

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.86 seconds

Here we notice an open SSH port, which seems like our entry point.


Let’s investigate the website

So here we need to get the password to SSH into the machine and get the secrets. Let’s use [[tryhackme/Web Hacking/06 - Content Discovery/index]] to discover more about the website.

  1. Found robots.txt.

    1. I found this after searching: Wubbalubbadubdub
  2. I found a username by inspecting the website.

    1. Username: R1ckRul3s
  3. Let’s use gobuster; we got login.php.

    1. Let’s try to log in with R1ckRul3s:Wubbalubbadubdub, and it is a success.
  4. We are presented with a command prompt.

  5. Let’s try ls.

    1. Sup3rS3cretPickl3Ingred.txt
    2. We found this file, but I found that some commands are disabled, so I tried less and it worked.
  6. I also found a clue.txt.

    1. Look around the file system for the other ingredient.
  7. So let’s follow this.

    1. pwd returned /var/www/html
    2. Let’s traverse back up with ls ../../..
    3. Nice, it was a success. Let’s see the home directory with ls ../../../home
    4. We got rick and ubuntu; let’s dive into rick.
    5. We found second ingredients, and that is our second flag.
  8. Let’s explore more to get the third flag.

    1. Let’s check our privileges.
    2. I used sudo -l and got:
      1. User www-data may run the following commands on ip-10-65-190-76: (ALL) NOPASSWD: ALL
    3. This means we can run any command with sudo.
    4. Let’s look at the root directory: sudo ls -al /root
    5. I found 3rd.txt.
    6. Use sudo less 3rd.txt and that’s it: we got the third and final flag.
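
The sudo -l result above, (ALL) NOPASSWD: ALL for www-data, is the kind of grant worth auditing for on your own hosts. The following is an added example, not part of the original write-up: it scans sudoers text for passwordless ALL grants and rates them higher when the holder is a service account. The sample sudoers content, the service-account list and all function names are constructed assumptions.

```python
import re

# Constructed sample sudoers content for illustration (not from the target box).
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
deploy   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, \\
         ALL
"""

# Assumption: accounts that run network-facing services and should hold no sudo rights.
SERVICE_ACCOUNTS = {"www-data", "nginx", "apache", "nobody", "daemon"}
NOT_USER_SPECS = {"Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?P<rest>.+)$")


def logical_lines(text):
    """Join backslash-continued lines; drop blanks and comments.
    Simplification: '#include' directives are treated as comments."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def audit(text, service_accounts=SERVICE_ACCOUNTS):
    """Return (who, severity, rule) for every passwordless grant of ALL commands."""
    findings = []
    for line in logical_lines(text):
        m = RULE.match(line)
        if not m or m["who"] in NOT_USER_SPECS:
            continue
        rest = re.sub(r"\([^)]*\)", " ", m["rest"])  # drop Runas specs such as (ALL:ALL)
        nopasswd = False  # tags persist across the comma-separated command list
        for cmd in (c.strip() for c in rest.split(",")):
            while (tag := re.match(r"([A-Z_]+):\s*", cmd)):
                if tag[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag[1] == "NOPASSWD"
                cmd = cmd[tag.end():]
            if cmd == "ALL" and nopasswd:
                severity = "critical" if m["who"] in service_accounts else "high"
                findings.append((m["who"], severity, line))
    return findings


if __name__ == "__main__":
    for who, severity, rule in audit(SAMPLE_SUDOERS):
        print(f"[{severity}] {who}: {rule}")
```

The deploy entry in the sample is flagged because a NOPASSWD tag carries over to later commands in the same list, so a trailing ALL on a continuation line is as permissive as the www-data rule.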
