“I Turned Myself into a Pickle, Morty!”: Pickle Rick CTF Room with MITRE ATT&CK Mapping

itsShotgun
3 min read · Nov 2, 2024

Hello world!
Shotgun here, diving into another TryHackMe CTF room. This time we’re tackling the Pickle Rick box, inspired by one of the most iconic Rick and Morty episodes. By mapping each step of the journey to the MITRE ATT&CK framework, we’ll track the tactics and techniques used to turn Pickle Rick back into regular Rick.

Getting Started: Setting Up the Lab

With my TryHackMe VPN fired up and the CTF instance launched, my IP was 10.10.200.228 — time to dive into the first phase.

Phase 1: Scanning the Terrain

First up, I needed to start my basic recon, which called for network discovery to find open ports and potential points of entry. I launched an nmap scan to locate available services:

sudo nmap -sV -A -p- 10.10.200.228

Mapped TTPs:

  • Tactic: Discovery
  • Technique: Network Service Scanning (T1046)

The scan revealed an open HTTP port hosting a web server and an SSH port — both possible entry points.

Phase 2: Digging for Clues

After finding the web server, I inspected its HTML source code. Inside, I stumbled upon a clue — a comment revealing the username:

Username: R1ckRul3s

Mapped TTPs:

  • Tactic: Initial Access
  • Technique: Exploit Public-Facing Application (T1190)

With the username “R1ckRul3s,” I now had the first piece of the login puzzle.

Phase 3: Directory Brute Forcing

To find additional hidden directories, I ran wfuzz, a directory brute-forcing tool, using a large word list to uncover files or pages the web server might be hiding:

wfuzz -w /opt/wfuzz/wordlist/big.txt -u http://10.10.200.228/ -hc 404

This returned two new paths of interest: robots.txt and portal.php.

Mapped TTPs:

  • Tactic: Discovery
  • Technique: Brute Force: Web Directory Bruteforcing (T1110.002)
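The directory brute force above is noisy from the server's side: wfuzz hides the 404s client-side with -hc 404, but the web server still logs every miss. As an added example (not part of the original write-up), the following Python detector replays constructed Apache/nginx combined-format access-log lines and flags any client that draws more than a threshold of 404s inside a sliding time window; the IP addresses, paths and timestamps in the sample are assumptions built for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(  # Apache/nginx "combined" format; only the fields the detector needs are captured
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])

def detect_dir_bruteforce(lines, threshold=20, window_s=60):
    """Alert on any client that draws more than `threshold` 404s within `window_s` seconds; wfuzz
    hides the misses client-side (-hc 404) but the server logs every one. Returns {ip: (first_alert_time, n404)}."""
    recent = defaultdict(deque)  # per-client timestamps of 404 responses, oldest first
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip malformed or foreign log lines instead of crashing the detector
            continue
        ip, ts, _, _, status = rec
        if status != 404:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # slide the window forward
            q.popleft()
        if len(q) > threshold and ip not in alerts:
            alerts[ip] = (ts, len(q))
    return alerts

def build_sample_log():
    """Constructed sample log: one benign visitor, then one client guessing 25 paths in 25 seconds
    (the wordlist pattern above) before fetching the two paths the scan exposed."""
    t0 = datetime(2024, 11, 2, 10, 0, 0, tzinfo=timezone.utc)
    def entry(ip, ts, path, status):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    lines = [entry("192.0.2.7", t0, "/", 200)]  # RFC 5737 documentation addresses throughout
    for i in range(25):
        lines.append(entry("198.51.100.9", t0 + timedelta(seconds=i), f"/guess{i}", 404))
    lines.append(entry("198.51.100.9", t0 + timedelta(seconds=26), "/robots.txt", 200))
    lines.append(entry("198.51.100.9", t0 + timedelta(seconds=27), "/portal.php", 200))
    return lines
```

Calling detect_dir_bruteforce(build_sample_log()) raises one alert for 198.51.100.9 on its 21st miss; the same function can be pointed at real access-log lines read from a file.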

Phase 4: Gathering Credentials

Navigating to robots.txt, I found a password:

Password: WubbaLubbaDubDub

Mapped TTPs:

  • Tactic: Collection
  • Technique: Data from Local System (T1005)

With both the username (R1ckRul3s) and password (WubbaLubbaDubDub) secured, I was ready to access the portal.

Phase 5: Logging into the Web Portal

Logging into portal.php granted access to a web shell — ideal for further actions like attempting to establish a reverse shell.

Mapped TTPs:

  • Tactic: Persistence
  • Technique: External Remote Services (T1133)

Phase 6: Obtaining a Reverse Shell

Since the panel allowed command execution, I set up a netcat listener on my local machine:

nc -lvnp 4444

After initiating a reverse shell from the portal’s command panel, I had an interactive shell on the machine.

Mapped TTPs:

  • Tactic: Command and Control
  • Technique: Application Layer Protocol: Web Protocols (T1071.001)

Phase 7: Exploring the File System

With my shell access, I began searching the file system to locate the three secret ingredients needed to restore Pickle Rick. These were scattered across various directories and contained Rick’s “secret potion ingredients” required to complete the CTF.

Mapped TTPs:

  • Tactic: Collection
  • Technique: Data from Local System (T1005)

Phase 8: Extracting the Flags

Once all ingredients (flags) were collected, I exfiltrated the data back to my system through the established shell connection. Each ingredient was a flag to submit within TryHackMe’s platform.

Mapped TTPs:

  • Tactic: Exfiltration
  • Technique: Exfiltration Over Command and Control Channel (T1041)

MITRE ATT&CK Table Recap

Phase                            Tactic               Technique (ID)
1. Scanning the Terrain          Discovery            Network Service Scanning (T1046)
2. Digging for Clues             Initial Access       Exploit Public-Facing Application (T1190)
3. Directory Brute Forcing       Discovery            Brute Force: Web Directory Bruteforcing (T1110.002)
4. Gathering Credentials         Collection           Data from Local System (T1005)
5. Logging into the Web Portal   Persistence          External Remote Services (T1133)
6. Obtaining a Reverse Shell     Command and Control  Application Layer Protocol: Web Protocols (T1071.001)
7. Exploring the File System     Collection           Data from Local System (T1005)
8. Extracting the Flags          Exfiltration         Exfiltration Over Command and Control Channel (T1041)

Final Thoughts

This challenge was an exciting dive into web-based enumeration, file discovery, and using credentials to escalate access — perfect for any CTF enthusiast! Here’s a quick recap of the key steps:

  1. Network Scanning helped reveal our target’s open ports.
  2. Brute Forcing Directories yielded essential login paths and files.
  3. Credential Harvesting through discovered files unlocked access.
  4. Command and Control established a shell, enabling full system access.
  5. Collection and Exfiltration secured the required flags.

Thanks for joining me on this CTF journey!
Let me know if you enjoyed the MITRE ATT&CK breakdown, and stay tuned for more challenges.

Remember, in the words of Pickle Rick, “WubbaLubbaDubDub!”

Written by itsShotgun

Hello World Shotgun here, I'm a cybersecurity Enthusiast https://www.youtube.com/@itsShotgun