How I Hacked Pickle Rick’s Server (Command Injection)

Author’s Note: This is a technical walkthrough of the TryHackMe “Pickle Rick” room. All activities were performed in a legal, educational environment. Don’t hack real servers unless you own them!

The Pickle Predicament

There I was, staring at a virtual machine with one mission: help a cartoon scientist-turned-pickle transform back into human form. This wasn’t a bizarre dream — it was the Pickle Rick CTF challenge on TryHackMe, and it taught me more about web security in two hours than I’d learned in weeks of theoretical study.

Rick Sanchez (the smartest being in the universe, apparently) had pickle-ified himself and needed three special ingredients for his transformation potion. My job? Break into his web server and find them. What followed was a masterclass in command injection, one of the most dangerous web vulnerabilities out there.

Step 1: The Digital Doorbell Ringing

First things first — I needed to see what I was working with. A quick nmap scan revealed the basics:

bash

nmap -sV MACHINE_IP

Findings:

• Port 22 (SSH): Closed (interesting — no easy remote access)
• Port 80 (HTTP): Apache web server running

Visiting the website showed a Rick and Morty-themed page with a hilarious image of Pickle Rick. But the real treasure was in the page source (right-click → View Source). Buried in HTML comments:

html

<!-- Note to self, remember username! -->
<!-- Username: R1ckRul3s -->

Security Lesson #1: Never leave credentials or hints in client-side code. Comments are visible to everyone!

Step 2: The Robots.txt Revelation

Every good hacker checks robots.txt—the file that tells search engines what to avoid. This one contained pure gold:

text

User-agent: *
Disallow: /portal.php
Wubbalubbadubdub

Two discoveries here:

1. A hidden page: /portal.php
2. What looked like a password: Wubbalubbadubdub

Security Lesson #2: Don’t hide sensitive pages in robots.txt. It’s basically a roadmap for attackers.

Step 3: The Portal and the Pattern

/portal.php was a login page. Using the username from the source code and the "password" from robots.txt:

• Username: R1ckRul3s
• Password: Wubbalubbadubdub

Success! I was in a command panel that supposedly let Rick execute commands on his server. But there was a catch — most commands were “disallowed.”

When I tried whoami:

text

Command disallowed.

When I tried ls:

text

Command disallowed.

This is where most beginners would stop. But here’s the secret: blacklists are almost always bypassable.

Step 4: The Command Injection Breakthrough

The command panel was clearly filtering certain words. But what if I used command separators?

bash

; whoami;

Boom!

text

www-data

I was executing commands as the web server user! This is classic command injection — when user input gets passed directly to a system shell without proper sanitization.

What the vulnerable code probably looked like:

php

// BAD CODE - DON'T DO THIS!
$command = $_POST['command_input'];
if(preg_match('/(cat|ls|whoami|etc)/i', $command)) {
    echo "Command disallowed.";
} else {
    system($command); // DANGER!
}

Security Lesson #3: Blacklisting is security theater. Use whitelisting instead.

Step 5: Hunting for Ingredients

Ingredient #1: Mr. Meeseeks Hair

With command execution unlocked, finding files was easy:

bash

; find / -name "*ingred*" 2>/dev/null;

This revealed Sup3rS3cretPickl3Ingred.txt. Reading it:

bash

; cat Sup3rS3cretPickl3Ingred.txt;

First ingredient: mr. meeseek hair ✓

Ingredient #2: 1 Jerry Tear

Further exploration found:

text

/home/rick/second ingredient

Yes, the filename literally had a space in it. Reading it required quotes:

bash

; cat "/home/rick/second ingredient";

Second ingredient: 1 jerry tear ✓

Step 6: The Privilege Escalation Plot Twist

Now for the grand finale. I needed the third ingredient, but it was probably in a protected location. Time to check my privileges:

bash

; sudo -l;

The output was shocking:

text

User www-data may run ALL commands as root WITHOUT password.

My jaw dropped. The web server user could run anything as root? This is like giving the janitor keys to the nuclear launch codes.

bash

; sudo cat /root/3rd.txt;

Final ingredient: fleeb juice ✓

Security Lesson #4: Never, ever give web server users sudo privileges. This violates the Principle of Least Privilege in the most dramatic way possible.

The Three Deadly Sins of Pickle Rick’s Server

1. Command Injection Vulnerability: Unsanitized user input passed directly to system()
2. Insecure Credential Storage: Passwords in robots.txt, usernames in HTML comments
3. Excessive Privileges: Web user with passwordless sudo ALL

Any one of these would be bad. Together, they created a perfect storm of insecurity.

How to Prevent This in Your Applications

1. For Command Execution:

php

// GOOD: Whitelisting approach
$allowed_commands = ['list', 'search', 'status'];
if(!in_array($user_input, $allowed_commands)) {
    die("Invalid command");
}

// BETTER: Use built-in functions instead of shell
exec(escapeshellcmd($cleaned_input), $output, $return_code);

2. For Credentials:

• Never store credentials in client-side code
• Use environment variables or secure credential managers
• Implement proper authentication (not hardcoded logins)

3. For Server Configuration:

• Run web servers as unprivileged users
• No passwordless sudo for service accounts
• Regular security audits and penetration testing

Why This CTF Matters

The Pickle Rick room isn’t just fun because of the theme (though that helps). It’s brilliant because it demonstrates:

• Real-world vulnerabilities in a safe environment
• The attacker mindset — thinking about bypasses and edge cases
• How small mistakes cascade into complete compromise
• The importance of defense in depth

In under an hour, I went from knowing nothing about a server to having complete root access. That’s terrifying — and exactly why understanding these vulnerabilities is crucial for developers and sysadmins alike.

Final Thoughts

As I submitted the final ingredient and saw Pickle Rick transform back (in my mind, at least), I realized something important: security isn’t about being perfect; it’s about being less vulnerable than the next target.

The room gets 5/5 stars from me for:

• ✅ Engaging, memorable theme
• ✅ Practical, hands-on learning
• ✅ Perfect difficulty for beginners
• ✅ Teaching real, relevant vulnerabilities

Whether you’re a developer wanting to write more secure code, an aspiring penetration tester, or just a Rick and Morty fan with a technical bent — go try this room. You’ll learn, you’ll laugh, and you’ll never look at a web form the same way again.

Now if you’ll excuse me, I need to go sanitize some user inputs. And maybe watch some Rick and Morty.

Wubba lubba dub dub! 🥒🔓

Want to try it yourself? Check out the Pickle Rick room on TryHackMe.

Have thoughts or questions about command injection? Drop them in the comments below!

#cybersecurity #infosec #hacking #CTF #tryhackme #picklerick #websecurity #commandinjection #ethicalhacking #pentesting #bugbounty #vulnerability #webappsecurity #owasptop10