TryHackMe Walkthrough— Wonderland

This is my write-up for the CTF room ‘Wonderland’ on TryHackMe, which involves two path hijacking exploits and exploiting setuid capabilities on a Perl binary to get a root shell.

1. Enumeration and Initial Foothold (Alice)

As always we start of with an Nmap scan to see what ports are open and which services are running on the machine.

1. Nmap Scan — Wonderland.

Just SSH and HTTP? Lets go and check out the web application.

2. Wonderland Web Application — Home Page.

The home page doesn’t reveal any hints or useful information (or does it?). At the time I thought not so I decided to run a directory brute-force scan against the web application and I also downloaded the image on the home page, to see if there was anything hidden in the file.

3. Wfuzz Scan (1).

The Wfuzz scan shows two interesting directories, ‘r’ and ‘poem’, although poem actually turns out to be useless.

Using steghide I managed to extract a hint from the downloaded image, which actually aligns with the Wfuzz results and the message on the home page.

4. Home Page Image — Hidden Hint.

It became clear to me then what this hint meant, but just to confirm I ran another Wfuzz scan but this time on the ‘/r/’ directory, from which we get another directory ‘a’.

5. Wfuzz Scan (2).

These hints are essentially telling us to spell out rabbit, with each letter being a different directory, so in the end we get ‘/r/a/b/b/i/t/’.

Visiting the resulting page shows us we are on the right track, but shows no immediate useful information? If we check the page-source out however we find some credentials for Alice.

6. Wonderland Web App — /r/a/b/b/i/t
7. Hidden SSH Credentials for Alice.
8. Initial Foothold and User Shell (Alice)

So I go to grab the user flag, but only root.txt is in Alice’s home directory and we can’t open it of course. The hint for user.txt in the ‘Wonderland’ room reads:

“Everything is upside down here”

This had me stumped for a long time, longer than I care to admit, but it eventually clicked that user.txt was in the root directory.

9. User.txt

2. Rabbit

As we can see above, there is a Python script in Alice’s home directory which outputs 10 random lines from the ‘Walrus and the Carpenter’ poem. After some basic enumeration, I found that Alice can run the Python script with the privileges of the ‘Rabbit’ user.

10. Alice’s Permissions on Walrus_and_the_Carpenter.py

It took me a while to figure out how to escalate to rabbit from here, because path hijacking is not something I’ve come across practically yet. So after some research online I found two articles in particular that helped me understand how I could exploit the extra permissions on this script, these were by :

As I understand it, Python has a prioritised list of search paths for its libraries/packages and the current directory is often given the highest priority, in the case of custom imports. As the Python script in Alice’s home directory imports the ‘random’ library, and we have permissions to run it as ‘Rabbit’, if we create a Python script called ‘random.py’ this will be called first instead of the actual random package and run our reverse shell code as Rabbit.

11. Original Python Script Calling ‘Random’ and Malicious ‘Random.py’ Contents.
12. Reverse Shell as ‘Rabbit’.

3. Hatter

In Rabbit’s home directory we find an executable file with an SUID bit set. Running the executable we get given the first line (i.e. Probably by…) after which it hangs until we press enter. We then get some extra text along with a Segmentation fault, so maybe this is a buffer overflow??

13. Normal Usage of ./teaParty

Copying this file back over to my local machine and analyzing it with both strings and radare2, I found that the ‘Segmentation Fault’ error message is output regardless of the input, so this put me off the idea of a buffer overflow. I then noticed the relative call to ‘date’, which led me to think this was another path hijacking exploit.

14. Dangerous ‘Date’ call in ./teaParty

To do this, we first need to create a new file in the /tmp directory called ‘date’, which contains our reverse shell bash code. We then change the permissions to 755 meaning everyone has read and execute permissions on this file, and finally manipulate the executable path for date from /usr/bin to /tmp.

15. ‘Date’ Path Hijacking Exploit.

Let’s go back to the ./teaParty executable and see now if this executes our reverse shell code, instead of outputting the date/time. With a netcat listener open on our local machine we get a connection, on to root!

16. Reverse Shell as ‘Hatter’.

4. Root

Thankfully in Hatter’s home directory we have a password.txt file which contains Hatter’s password, so we don’t need to go through the whole privilege escalation process again and can SSH into the box.

17. Password.txt — Contains Hatter’s SSH and Account Password.

Once I ran LinPeas (A Linux Enumeration Script) the privilege escalation path stuck out for me right away. Although there are no SUID binaries we can exploit, we can exploit Hatter’s capabilities on the Perl binary.

18. SUID files vs Capabilities

To learn more about Linux capabilities and how they can be abused, I recommend checking out these two articles:

Essentially, Hatter has the capability on the perl binary to run the ‘setuid’ command, which means we can change Hatter’s UID to root and run bash.

Therefore, running the following command will give us root privileges: perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'

To break it down:

  • perl -e allows us to execute perl code.
  • use POSIX (setuid); imports the required module.
  • POSIX::setuid(0); sets the UID to 0, which is root.
  • exec "/bin/bash"; executes bash as root.
19. Root Shell and Root.txt

Summary

Wonderland is probably one of the most difficult rooms I’ve completed on TryHackMe so far but definitely my favourite. All of the privilege escalation paths were methods I hadn’t abused before so I feel like i’ve learnt a lot from this room. I would highly recommend TryHackMe to anyone looking to learn about and/or practice their cyber security and penetration testing skills with a hands-on approach.

Keep an eye out for my future write-ups!

--

--

--

MSc Cyber Security Student at Lancaster University. Mostly posting CTF writeups from HackTheBox, TryHackMe and VulnHub.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

System Design — UML Sequence Diagram

The Most Simplified Integration of Ansible and Terraform

Grafana up and running — What is Grafana?

How To Build Trust With Your Remote Software Development Team

Fastlane integration into iOS projects

UpDefiUp X Decentralized Club Ama Recap From the 5th of March

BANCA bi-weekly report 9.11.2018

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

Jack Roberts

MSc Cyber Security Student at Lancaster University. Mostly posting CTF writeups from HackTheBox, TryHackMe and VulnHub.

More from Medium

Compromisso HackTheBox Ctf

Noter — HackTheBox [writeup]

TryHackMe — Jeff