Pickle Rick TryHackMe
Hello guys, back again with another walkthrough. This time I am going to be solving Pickle Rick, a vulnerable machine from TryHackMe. The theme of the box is based on the animation Rick and Morty, and this can be important during later stages of exploiting the box, for example in bruteforce attacks, because we might use a targeted Rick and Morty wordlist. The machine is a beginner box and I recommend it for people trying to understand how to bypass a command injection blacklist or filter. The box is relatively easy for anyone who is a beginner in penetration testing or cybersecurity; only the filter bypass could be relatively hard for anyone without prior experience, but a little Google search would help. Without much more to say, let us jump in.
First off, we'll begin with an nmap scan.
We see that 2 ports are open. Since HTTP has a bigger attack surface, I'll start by enumerating it.
Opening the webpage in Mozilla, we get a standard webpage.
Before doing any further enumeration I always take a look at the source code; sometimes developers leave comments behind that might be helpful in exploiting the box (just press Ctrl+U and the source code opens in another tab).
And we find a comment left by the developer.
We have a username but we don't know where to use it, so I decided to perform directory bruteforcing on the website using gobuster.
We get a few more directories and files, including robots.txt. Taking a look at robots.txt we get gibberish.
I decided to continue enumerating the webpage. Navigating to Login.php gives us a login page.
Whenever I see a login page, the things that come to mind are:
- The website might be vulnerable to SQL injection, so use SQL injection/NoSQL injection to dump credentials from the database, OR use SQL injection to get remote code execution
- Bruteforce the login page using hydra or ZAP
- Bypass the login page using common SQL injection bypass techniques
- Some credentials have been left somewhere on the box and we have to find them and use those credentials to log into the website
- It's a rabbit hole meant to slow you down or take you off the right path
I tried bruteforce but it didn't work; I also tried SQL injection but that didn't work either. The only option left was that credentials had to have been left somewhere, or if not, this wasn't the right path to exploit the box.
Luckily we already had a username
Username: R1ckRul3s
Now all we had to do was get a password. There was some gibberish in robots.txt
Wubbalubbadubdub
I tried to use it as the password and voilà, the login was successful.
We get a command panel where we can type commands and it executes them.
The ls command gives us the directory listing of the current working directory.
I tried to cat Sup3rS3cretPickl3Ingred.txt and
I decided to send the request to Burp Suite and take a look at it there; it makes the process simpler.
Since there are blacklisted words, there are evasion techniques that I will show you to bypass the filter:
1. By inserting a quoted string in the middle of a command. For example, if you are using the cat command, instead of writing cat, write c"a"t.
2. Using backticks.
3. Using double quotes.
4. Using a backslash (\). When a backslash precedes a character that is not special, the shell simply removes it, so the command is unaffected.
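To see why a substring blacklist of the kind this portal uses is so easy to slip past, and what a fixed version looks like, here is an added Python example (not code from the box or from the original post). It models the filter as a substring check, shows that the shell's own quote removal turns c"a"t and the backslash form into plain cat before anything is executed, and then contrasts it with a hardened handler that parses the input with shlex, checks the command against an allowlist, and runs it with shell=False so no shell ever interprets the string. The blacklist words, the allowlist and the argument pattern are assumptions for this demo, not the box's real list.

```python
import re
import shlex
import subprocess

# Constructed blacklist in the spirit of the box's portal.php filter; the
# real list of blocked words is not reproduced here.
BLACKLIST = ["cat", "head", "more", "tail", "nano", "vim", "vi", "emacs", "less"]

# Hardened replacement: a fixed allowlist of commands (an assumption for this
# demo) and a strict pattern for arguments.
ALLOWED_COMMANDS = {"ls", "whoami", "uptime"}
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.-]+$")


def naive_blacklist_blocks(user_input: str) -> bool:
    """Substring blacklist of the kind the portal applies: True means rejected."""
    return any(word in user_input for word in BLACKLIST)


def effective_argv(user_input: str) -> list:
    """The words a POSIX shell would actually execute.

    shlex.split performs the shell's quote removal, so c"a"t and c\\at both
    become cat. (Command substitution with backticks is not modelled here.)
    """
    return shlex.split(user_input)


def blacklist_is_bypassed(user_input: str) -> bool:
    """True when the blacklist lets the input through but the shell would
    still run a blacklisted program."""
    if naive_blacklist_blocks(user_input):
        return False
    argv = effective_argv(user_input)
    return bool(argv) and argv[0] in BLACKLIST


def hardened_argv(user_input: str) -> list:
    """Parse user input into an argv vector that is safe to exec without a shell.

    Raises ValueError unless the command is on the allowlist and every
    argument is a plain token with no shell metacharacters or path traversal.
    """
    argv = shlex.split(user_input)
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowed: {argv[0]!r}")
    for arg in argv[1:]:
        if not SAFE_ARG.match(arg) or ".." in arg:
            raise ValueError(f"argument rejected: {arg!r}")
    return argv


def is_accepted(user_input: str) -> bool:
    """Convenience wrapper: does the hardened parser accept this input?"""
    try:
        hardened_argv(user_input)
        return True
    except ValueError:
        return False


def run_hardened(user_input: str) -> str:
    """Execute an accepted command with shell=False so no shell parses it."""
    argv = hardened_argv(user_input)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed probes: the plain command, the two quoting tricks from the
    # walkthrough, and a benign command the allowlist permits.
    for probe in ["cat Sup3rS3cretPickl3Ingred.txt",
                  'c"a"t Sup3rS3cretPickl3Ingred.txt',
                  "c\\at Sup3rS3cretPickl3Ingred.txt",
                  "ls -la"]:
        print(f"{probe!r:40} blacklist blocks={naive_blacklist_blocks(probe)!s:5} "
              f"shell runs={effective_argv(probe)[0]:4} "
              f"bypassed={blacklist_is_bypassed(probe)!s:5} "
              f"hardened accepts={is_accepted(probe)}")
```

The point of the hardened version is not a better blacklist: the shell is removed from the picture entirely, so quoting, backticks and backslashes are never interpreted, and anything that is not an allowlisted program with plain arguments is refused before it reaches exec.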
Now that we are able to read files on the webserver, I decided to read the contents of portal.php and login.php, since sometimes database credentials are left behind and we can use them to log into the box using secure shell (SSH).
Login.php exposes the same credentials as before.
Portal.php gives us the blacklisted commands.
Now that we know the blacklisted commands, why don't we get a shell on the box using the pentestmonkey reverse shell cheat sheet?
And we have a shell on the box.
Now we have to perform privilege escalation to become root, and for that I'll be running linpeas, which automates the process.
And we find that the user www-data can run any command with sudo without a password.
Now we can leverage that to get root on the box.
We are root.
That's it for now guys, till next time take care and thanks for the support guys.