Pickle Rick Walkthrough

Web Exploitation Challenge

Published: September 20, 2025 Difficulty: Easy

Pickle Rick is a Rick and Morty themed challenge on TryHackMe that focuses on web exploitation techniques including reconnaissance, command injection, and privilege escalation. Help Rick find the three secret ingredients to turn himself back into a human!

Reconnaissance Phase

Initial Port Scanning

Objective: Discover open services and ports on the target machine.

Start with a comprehensive port scan to identify running services:

nmap -sC -sV -oN initial_scan.txt <TARGET_IP>

The scan reveals:

  • Port 22 (SSH): OpenSSH service running
  • Port 80 (HTTP): Apache web server

Key Learnings:

Always start with reconnaissance to understand the attack surface. SSH and HTTP services suggest potential web application vulnerabilities and possible remote access opportunities.

Web Application Analysis

Objective: Examine the web application for initial clues and vulnerabilities.

Navigate to the target IP address in your browser to view the main page. You'll see a Rick and Morty themed website.

Source Code Analysis:

Right-click on the page and select "View Page Source" or "Inspect Element". In the HTML source code, you'll discover a hidden comment:

<!-- Note to self, remember username! Username: R1ckRul3s -->

Username Found: R1ckRul3s

Key Learnings:

HTML source code often contains developer comments, hidden fields, or metadata that can reveal sensitive information. Always inspect the source code during web application testing.

Robots.txt Discovery

Objective: Check for additional information in the robots.txt file.

Navigate to http://<TARGET_IP>/robots.txt to check for any disallowed directories or sensitive information.

The robots.txt file contains:

Wubbalubbadubdub

Potential Password: Wubbalubbadubdub

Key Learnings:

The robots.txt file is often used to hide directories from search engines but can reveal interesting paths and information to attackers. This appears to be a password or key phrase.

Directory Enumeration

Objective: Discover hidden directories and files using automated tools.

Use Gobuster to enumerate directories and files:

gobuster dir -u http://<TARGET_IP> -w /opt/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt

Alternative using a different wordlist:

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Key discoveries include:

  • /login.php - Login page
  • /assets/ - Static resources
  • /portal.php - Potential admin portal

Key Learnings:

Directory enumeration helps discover hidden functionality that might not be linked from the main page. The login.php file suggests we can use our discovered credentials.

Web Exploitation

Authentication Bypass

Objective: Access the admin portal using discovered credentials.

Navigate to http://<TARGET_IP>/login.php and attempt to log in using:

  • Username: R1ckRul3s
  • Password: Wubbalubbadubdub

Before logging in, inspect the page source again. You may notice what appears to be an encoded string:

Vm1wR1UxTnRWa2RUV0d4VFlrZFNjRlV3V2t0alJsWnlWbXQwVkUxV1duaFZNakExVkcxS1NHVkliRmhoTVhCb1ZsWmFWMVpWTVVWaGVqQT0==

This looks like Base64, but decoding it leads nowhere useful: the string is a red herring (a honeypot) rather than a credential or clue.

After successful login, you'll be redirected to a command panel at portal.php.

Key Learnings:

Not all discovered information is useful - some may be intentional misdirection. Focus on what actually leads to system access.

Command Injection

Command Panel Exploitation

Objective: Execute system commands through the web interface to find the first ingredient.

The portal.php page provides a command input field. Test basic Linux commands:

Directory Listing:

ls

This reveals several files:

  • Sup3rS3cretPickl3Ingred.txt
  • assets/
  • clue.txt
  • denied.php
  • index.html
  • login.php
  • portal.php
  • robots.txt

First Ingredient Discovery:

Navigate directly to the file: http://<TARGET_IP>/Sup3rS3cretPickl3Ingred.txt

🚩 First Ingredient: mr. meeseek hair

Key Learnings:

Command injection vulnerabilities allow attackers to execute arbitrary system commands. Always test with basic commands like ls, pwd, and whoami.

User Directory Exploration

Objective: Navigate to user directories to find the second ingredient.

Explore the home directory structure:

ls /home/

This reveals a user directory:

ls /home/rick/

You'll find a file named "second ingredients" (note the space in the filename).

Reading Restricted Files:

Attempting to use cat on the file results in a "command disabled" message, indicating certain commands are blacklisted.

cat /home/rick/'second ingredients'

Bypassing Command Restrictions:

Use alternative commands to read files:

less /home/rick/'second ingredients'

Alternative methods:

  • more /home/rick/'second ingredients'
  • head /home/rick/'second ingredients'
  • tail /home/rick/'second ingredients'

🚩 Second Ingredient: 1 jerry tear

Key Learnings:

When specific commands are blacklisted, try alternative commands with similar functionality. File names with spaces require proper quoting.

Privilege Escalation

Sudo Privilege Check

Objective: Determine available sudo privileges and access root-owned files.

Check what sudo privileges are available:

sudo -l

If the output shows that the www-data user may run commands as root with the NOPASSWD tag (a common misconfiguration in CTF environments), you can execute commands as root without being prompted for a password.

Root Directory Exploration:

sudo ls /root

This lists the contents of /root, the root user's home directory, which includes 3rd.txt.

Final Ingredient Retrieval:

sudo less /root/3rd.txt

Alternative methods:

  • sudo more /root/3rd.txt
  • sudo head /root/3rd.txt
  • sudo tail /root/3rd.txt

🚩 Third Ingredient: fleeb juice

Key Learnings:

Misconfigured sudo privileges are a common privilege escalation vector. Always check sudo -l to see what commands can be run as other users.

Additional Exploration Techniques

Objective: Learn alternative methods for system exploration and file access.

System Information Gathering:

whoami
id
uname -a
ps aux

Alternative File Reading Methods:

If standard commands are blocked, try these alternatives:

  • strings filename - Extract readable strings
  • hexdump -C filename - Hex dump with ASCII
  • od -c filename - Octal dump with characters
  • base64 filename - Base64 encode (then decode elsewhere)

Command Alternatives:

  • Instead of cat: use less, more, head, tail
  • Instead of ls: use dir, find . -maxdepth 1
  • Instead of whoami: use id

Key Learnings:

Command injection defenses often use blacklists rather than whitelists. Learning multiple ways to accomplish the same task helps bypass security filters.

Challenge Summary

Complete Solution Path

Attack Chain Overview:

  1. Reconnaissance: Port scanning revealed web application on port 80
  2. Information Disclosure: HTML source code revealed username
  3. Password Discovery: robots.txt contained the password
  4. Authentication: Valid credentials provided access to admin panel
  5. Command Injection: Web portal allowed arbitrary command execution
  6. Privilege Escalation: Sudo privileges enabled root file access

Three Secret Ingredients:

1. mr. meeseek hair
2. 1 jerry tear
3. fleeb juice

Technical Skills Demonstrated:

  • Network reconnaissance and port scanning
  • Web application source code analysis
  • Directory and file enumeration
  • Command injection exploitation
  • Command filter bypass techniques
  • Privilege escalation via sudo misconfiguration
  • Alternative file reading methods

Real-World Applications:

This challenge demonstrates common web application vulnerabilities:

  • Information Disclosure: Sensitive data in HTML comments
  • Weak Authentication: Credentials exposed in accessible files
  • Command Injection: Insufficient input validation
  • Privilege Escalation: Overprivileged service accounts

Mitigation Strategies:

  • Remove sensitive comments from production code
  • Implement proper input validation and sanitization
  • Avoid passing user input to a shell at all; where command execution is unavoidable, map fixed action names to fixed argument arrays executed without a shell (the command-execution equivalent of parameterized queries)
  • Follow principle of least privilege for service accounts
  • Regular security testing and code reviews
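As an added example (Python, not the challenge's portal.php, whose source the writeup does not show), here is the blacklist-versus-allowlist contrast from the Key Learnings above and the mitigation list: a denylist filter modelled on the observed behaviour, assumed to refuse only the command name cat, beside an allowlist that maps action names to fixed argv and runs them with no shell.

```python
import shlex
import subprocess
from typing import List, Optional

# Constructed model of the portal's filter as the writeup observed it:
# only the command name "cat" is refused; anything else reaches a shell.
DENYLIST = {"cat"}


def denylist_allows(user_input: str) -> bool:
    """Denylist filter: refuse only if the first word is a banned name.

    Any program not literally on the list (less, more, head, tail, ...)
    passes, which is exactly the bypass the writeup demonstrates.
    """
    try:
        tokens = shlex.split(user_input)
    except ValueError:
        return False  # unbalanced quotes: refuse rather than guess
    return bool(tokens) and tokens[0] not in DENYLIST


# Allowlist: the only actions the feature needs, each mapped to a fixed
# argv. Operands are not accepted at all, and argv is executed without a
# shell, so quoting tricks and alternative programs have nothing to hit.
ALLOWED = {
    "ls": ["ls", "-la"],
    "whoami": ["whoami"],
    "id": ["id"],
}


def allowlist_argv(user_input: str) -> Optional[List[str]]:
    """Return the fixed argv for a permitted action name, else None."""
    tokens = user_input.split()
    if len(tokens) != 1:  # an operand such as a path is never accepted
        return None
    argv = ALLOWED.get(tokens[0])
    return list(argv) if argv else None


def run_allowed(user_input: str) -> str:
    """Execute a permitted action with shell=False, or report it disabled."""
    argv = allowlist_argv(user_input)
    if argv is None:
        return "command disabled"
    # shell=False: argv goes straight to exec, no metacharacter parsing.
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout
```

With the allowlist, `less /home/rick/'second ingredients'` is refused for the same reason `cat` is: neither is a named action, and no path operand is ever accepted.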