1. Enumeration and Initial Foothold (Alice)
As always we start of with an Nmap scan to see what ports are open and which services are running on the machine.
Just SSH and HTTP? Lets go and check out the web application.
The home page doesn’t reveal any hints or useful information (or does it?). At the time I thought not so I decided to run a directory brute-force scan against the web application and I also downloaded the image on the home page, to see if there was anything hidden in the file.
The Wfuzz scan shows two interesting directories, ‘r’ and ‘poem’, although poem actually turns out to be useless.
Using steghide I managed to extract a hint from the downloaded image, which actually aligns with the Wfuzz results and the message on the home page.
It became clear to me then what this hint meant, but just to confirm I ran another Wfuzz scan but this time on the ‘/r/’ directory, from which we get another directory ‘a’.
These hints are essentially telling us to spell out rabbit, with each letter being a different directory, so in the end we get ‘/r/a/b/b/i/t/’.
Visiting the resulting page shows us we are on the right track, but shows no immediate useful information? If we check the page-source out however we find some credentials for Alice.
So I go to grab the user flag, but only root.txt is in Alice’s home directory and we can’t open it of course. The hint for user.txt in the ‘Wonderland’ room reads:
“Everything is upside down here”
This had me stumped for a long time, longer than I care to admit, but it eventually clicked that user.txt was in the root directory.
As we can see above, there is a Python script in Alice’s home directory which outputs 10 random lines from the ‘Walrus and the Carpenter’ poem. After some basic enumeration, I found that Alice can run the Python script with the privileges of the ‘Rabbit’ user.
It took me a while to figure out how to escalate to rabbit from here, because path hijacking is not something I’ve come across practically yet. So after some research online I found two articles in particular that helped me understand how I could exploit the extra permissions on this script, these were by :
As I understand it, Python has a prioritised list of search paths for its libraries/packages and the current directory is often given the highest priority, in the case of custom imports. As the Python script in Alice’s home directory imports the ‘random’ library, and we have permissions to run it as ‘Rabbit’, if we create a Python script called ‘random.py’ this will be called first instead of the actual random package and run our reverse shell code as Rabbit.
In Rabbit’s home directory we find an executable file with an SUID bit set. Running the executable we get given the first line (i.e. Probably by…) after which it hangs until we press enter. We then get some extra text along with a Segmentation fault, so maybe this is a buffer overflow??
Copying this file back over to my local machine and analyzing it with both strings and radare2, I found that the ‘Segmentation Fault’ error message is output regardless of the input, so this put me off the idea of a buffer overflow. I then noticed the relative call to ‘date’, which led me to think this was another path hijacking exploit.
To do this, we first need to create a new file in the /tmp directory called ‘date’, which contains our reverse shell bash code. We then change the permissions to 755 meaning everyone has read and execute permissions on this file, and finally manipulate the executable path for date from /usr/bin to /tmp.
Let’s go back to the ./teaParty executable and see now if this executes our reverse shell code, instead of outputting the date/time. With a netcat listener open on our local machine we get a connection, on to root!
Thankfully in Hatter’s home directory we have a password.txt file which contains Hatter’s password, so we don’t need to go through the whole privilege escalation process again and can SSH into the box.
Once I ran LinPeas (A Linux Enumeration Script) the privilege escalation path stuck out for me right away. Although there are no SUID binaries we can exploit, we can exploit Hatter’s capabilities on the Perl binary.
To learn more about Linux capabilities and how they can be abused, I recommend checking out these two articles:
Essentially, Hatter has the capability on the perl binary to run the ‘setuid’ command, which means we can change Hatter’s UID to root and run bash.
Therefore, running the following command will give us root privileges:
perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
To break it down:
perl -eallows us to execute perl code.
use POSIX (setuid);imports the required module.
POSIX::setuid(0);sets the UID to 0, which is root.
exec "/bin/bash";executes bash as root.
Wonderland is probably one of the most difficult rooms I’ve completed on TryHackMe so far but definitely my favourite. All of the privilege escalation paths were methods I hadn’t abused before so I feel like i’ve learnt a lot from this room. I would highly recommend TryHackMe to anyone looking to learn about and/or practice their cyber security and penetration testing skills with a hands-on approach.
- TryHackMe Profile: https://tryhackme.com/p/JDR0x7CC
Keep an eye out for my future write-ups!