Pickle Rick: A Beginner CTF Walkthrough

Stop me or skip ahead if you’ve heard this one before, but one of the biggest problems with TryHackMe, other than the suspected fraud, is they don’t provide proper descriptions for the CTFs. For example, the “description” for the Wgel CTF is “can you exfiltrate the root flag?” This is equivalent to describing a video game as, “can you win?” They now have ratings related to difficulty, but it’s not enough to go on, especially if you are looking to practice particular skills, tools, or against a specific attack surface. THM’s search feature is particularly dumb: “CTF” returns 101 results while “CTFs” only returns 22. So for all these reasons and more, I’m going to curate CTF lists and add slightly more comprehensive, far more useful descriptions beginning with a list of the Top 10 TryHackMe CTFs for Beginners!

🔗 https://tryhackme.com/room/picklerick

It’s a themed CTF based on Rick and Morty, and the stated goal is simple: help turn Rick back into a human by ransacking his PC and finding text files which contain the names of potion ingredients. Under the hood, this is a web-focused beginner CTF that teaches enumeration, inspection, and restricted command execution.

Initial Enumeration

As always, the first step is basic network reconnaissance. After connecting to the TryHackMe VPN and launching the machine, let’s run an Nmap scan against the target.

PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http

This already tells us a lot. SSH is exposed, but attempting to log in with user Rick reveals that we need cryptographic keys. HTTP is open, which immediately makes the web server the primary attack surface. So once again we go from port scanning to directory scanning.

Ever wonder why, in so many CTFs, the web interface is the first way in? The answer is simple: web pages are designed to invite interaction. Unlike a private PC, which is built around the idea of keeping all but a few authorized users out, a web server is meant to be publicly accessible. It must accept user input, process requests, and respond dynamically, often from anonymous sources. That openness, which is necessary for the web to function, also makes web applications one of the most common and forgiving entry points for attackers.

Web Enumeration and Directory Busting

Next, let’s run a directory brute-force scan to see what content was exposed on the web server.

Notable results:

/index.html → accessible
/robots.txt → accessible
/assets/ → redirected and browsable
Several .ht* files → forbidden (403)

Seeing .htaccess, .htpasswd, and .hta return 403 responses is normal. Apache is telling us those files exist but are protected. That’s useful information, but not immediately exploitable.

At this point, the standout result is robots.txt, because it’s accessible and can contain interesting information. See my write-up on a Simple CTF for more information on robots.txt.

robots.txt and Theme-Based Guessing

Requesting /robots.txt returned a single string:

Wubbalubbadubdub

This is a Rick and Morty catchphrase, which strongly suggests that the theme itself matters. Beginner CTFs often reward you for leaning into the theme instead of brute forcing blindly.

Not being overly familiar with the series, I’m going to ask AI to build a list of “high-value” Rick and Morty words: character names, locations, catchphrases, and recurring terms. It returned the following:
rick
morty
pickle
picklerick
portal
portalgun
dimension
c137
schwifty
wubbalubbadubdub
plumbus
meeseeks
mrmeeseeks
meeseeksbox
gazorpazorp
citadel
council
councilofricks
birdperson
squanchy
beth
summer
jerry
evilrick
evilmorty
cron
cronenberg
garage
lab
science

I nano’d a file called ricksList.txt and pasted in the relevant words. Then I ran gobuster against it but nothing came up. I think this is a great, targeted technique but I haven’t had much luck with it in any of the (admittedly few) CTFs I’ve done.

Inspecting the Webpage Source

When directory brute forcing stalls, the next logical step is manual inspection. Looking at the source of index.html reveals a hidden username:

Username: R1ckRul3s

On my first go of it, the hidden username wasn’t immediately visible in the browser and required copying the HTML content into a text editor to make sense of it. This reinforces an important beginner lesson: inspect everything, and when that fails, re-inspect everything.

With a username identified and a Rick-themed phrase already found in robots.txt, credentials are starting to come together.
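Seen from the site owner's side, both leaks used so far (the note in the page source and the stray string in robots.txt) can be caught before deployment. The following is an added example, not part of the room or the original write-up; the keyword list, function names and sample inputs are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Words that suggest a comment carries credentials or internal notes (assumed list).
SENSITIVE = re.compile(r"user|pass|login|secret|key|todo", re.I)
# Field names a robots.txt line is expected to start with.
ROBOTS_FIELDS = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay"}

class CommentCollector(HTMLParser):
    """Collects every HTML comment, which browsers never render."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        # Collapse whitespace so multi-line comments report as one line.
        self.comments.append(" ".join(data.split()))

def risky_comments(html):
    """Return comments whose text matches a sensitive keyword."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return [c for c in parser.comments if SENSITIVE.search(c)]

def stray_robots_lines(text):
    """Return robots.txt lines that are neither directives, comments nor blank."""
    stray = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        field, sep, _ = line.partition(":")
        if not sep or field.strip().lower() not in ROBOTS_FIELDS:
            stray.append(line)
    return stray

# Constructed sample inputs modelled on what the walkthrough describes.
SAMPLE_HTML = ("<html><body><h1>Help Morty!</h1>\n"
               "<!-- layout fix pending -->\n"
               "<!--\n  Note to self:\n  Username: R1ckRul3s\n-->\n"
               "</body></html>")
SAMPLE_ROBOTS = "Wubbalubbadubdub\n"

if __name__ == "__main__":
    print(risky_comments(SAMPLE_HTML))
    print(stray_robots_lines(SAMPLE_ROBOTS))
```

Run against a site's built pages in CI, a non-empty result from either function is a reason to fail the build and review what is about to be published.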

Login and Web Command Execution

Further poking around reveals a login.php page. It may not have shown up in Gobuster due to filtering or response size, but manual exploration caught it.

Important: Heuristics aren’t everything and automation isn’t infallible. Sometimes what’s necessary is a bit of human intuition and manual poking and prodding.

Using the username we found and one of the themed phrases, we can successfully log in.

Once logged in, we are presented with a web-based command execution interface. This is a classic CTF mechanic: a restricted shell running behind a web form.

Immediately, it becomes clear that not all commands are allowed.

cat is blocked but we can use less.

ls appears to be aliased as a command that sends us straight home.

Some commands only work when called with full paths or via sudo.

This is intentional. The room is teaching you that restricted shells can still be abused if you experiment with alternate tools.
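Why blocking individual commands fails, and what a defender would do instead, as an added example that is not the room's actual code: it assumes the panel rejects input containing a blocked program name (only cat is confirmed blocked by this walkthrough; the other denylist entries, the allowlist and all function names are hypothetical).

```python
import shlex

# Assumption: the panel rejects input containing a blocked program name.
# The walkthrough only confirms cat; the other entries are illustrative.
DENYLIST = {"cat", "head", "tail", "more"}

# Hardened alternative: name exactly what the feature needs, nothing else.
ALLOWLIST = {"uptime": 0, "date": 0}  # program -> max number of arguments

def denylist_permits(command):
    """Weak check: allow anything that does not mention a blocked word."""
    return not any(word in DENYLIST for word in command.split())

def allowlist_argv(command):
    """Strict check: return an argv list to run without a shell, or None."""
    # Refuse shell metacharacters outright, even though no shell is used.
    if any(ch in command for ch in ";|&$`<>\n\\"):
        return None
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWLIST:
        return None
    if len(argv) - 1 > ALLOWLIST[argv[0]]:
        return None
    return argv

# Commands taken from the walkthrough, plus one benign status command.
SAMPLES = [
    "cat Sup3rS3cretPickl3Ingred.txt",
    "less Sup3rS3cretPickl3Ingred.txt",
    'sudo strings "/home/rick/second ingredients"',
    "sudo ls -la /root",
    "uptime",
]

def compare():
    """Return (command, denylist verdict, allowlist verdict) for each sample."""
    return [(c, denylist_permits(c), allowlist_argv(c) is not None)
            for c in SAMPLES]

if __name__ == "__main__":
    for cmd, weak, strict in compare():
        print(f"{cmd!r:50} denylist={weak!s:5} allowlist={strict}")
```

The denylist stops only the literal cat line, while the allowlist rejects every file-reading command and passes only uptime.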

Finding the Flags

First flag

Although ls is an alias for a command that sends us straight home, there are useful things here at home. Using ls reveals Sup3rS3cretPickl3Ingred.txt. We can’t use cat, but since it’s a .txt file and we know the path, we can just visit it in our browser at targetIP/Sup3rS3cretPickl3Ingred.txt. There we get the first flag: mr. meeseek hair.

Second Flag

Also in home is clue.txt, which tells us to poke around the file system some more. We can assume there’s a rick directory. Remember, cd’ing directories one by one and ls’ing each time (my typical modus operandi) won’t get us far from home. We have to ls full paths like so:

sudo ls -la /home/rick

This is a subtle but important Linux lesson: restrictions often apply to commands, not (just) permissions. We saw something similar with Vim in the previous CTF. Our efforts reveal “second ingredients.” Turns out less, which we do have permission to run, doesn’t work because the file is encoded as ASCII. We have to use strings, remembering to once again specify the full path.

sudo strings "/home/rick/second ingredients"

Third Flag

Root is usually of interest.

sudo ls -la /root

Here we see 3rd.txt, which is why it wouldn’t come up in a search for “ingredients.” Reading it reveals the third ingredient, 1 jerry tear, which I was nearly able to brute guess in the THM room’s answer field.

Pickle Rick is a solid early CTF. It’s forgiving, humorous, and deliberately structured to nudge you toward the right ideas without spelling them out. If you’re new to TryHackMe or trying to build confidence before harder rooms, this one earns its place on the list of Top 10 TryHackMe CTFs for Beginners. Join us in the https:tiny.url/csmmDiscord Friday Nights 8PM EST and help us tackle more CTFs! Or, check out the Livestreaming Schedule on the homepage and follow along during our live walkthroughs!
