TryHackMe Wonderland Writeup

TryHackMe Wonderland Writeup

Start the machine

I started by booting up my parrot OS machine on VirtualBox, connected via OpenVPN to the TryHackMe network. After I checked if I was connected I started the Wonderland machine. After the machine IP was available I checked with a Ping if the machine was reachable in the network

Ping 10.10.145.137

Recon

As usual, I try to gather initial information with Nmap.

nmap -sC -sV 10.10.145.137

After the scan was finished I saw that there were two open ports. The first port 22 for an SSH connection and the second port 80 for HTTP.

Without any credentials, the open SSH port is, for now, uninteresting to us. So I decided to follow the white rabbit and gave the http site a visit. I was mildly underwhelmed, to say the least. There was nothing on that page but a picture of the white rabbit and some static text. I checked the source code, but nothing. I tried the usual robots.txt, but nothing was there either. The last straw to catch up with the white rabbit was to find some useful directories with Gobuster.

gobuster dir -u 10.10.145.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

After some time I got this from my gobuster scan.

I checked the img/ directory, and inside I found 3 pictures 2 .jpg's and 1 .png. The poem/ directory gave me a poem about the Jabberwocky. The r/ directory just told me "Keep Going" in plain text.

I inspected the source of all directories for something interesting. But there was nothing to find. Some time ago I did a CTF on https://picoctf.org/. This CTF was about hiding files/text in other files like pictures. I used Steghide to extract/hide information from the sources picoCTF gave me. Since I had no other clue than that I gave it a shot. In a simple example, you're using this command:

steghide extract -sf [filename]

The first picture "alice_door.jpg" seems to be empty, assuming there's no password to protect the hidden information. The second picture is the same as allice_door.jpg but as .png. Since Steghide can, as far as I know, only handle .jpg files so I didn't bother to spend time with it. In the third picture "white_rabbit.jpg", on the other hand, I was able to extract hint.txt.

Keep Going and follow the rabbit, these are quite confusing hints. I spend quite some time thinking and staring at the screens. Much more than I like to admit. At one point I completely discarded the hint.txt and focused on the Keep Going in /r/. Why not take it literally? I once again run Gobuster. But this time against '10.10.145.137/r'.

gobuster dir -u 10.10.145.137/r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Inside /r/ I found another directory /a/.

Visiting '10.10.145.137/r/a' told me to Keep going as well.

Keep Going, follow the rab... follow the r a b b i t... I immediately tried '10.10.145.137/r/a/b'. And got rewarded with another Keep going. At this point, It was clear what to do.

Thats it? Open the door and enter? I inspected the source code of the page and hidden in the code I found a string that could be credentials for a user alice.

Initial Foothold

Since there's no login or something similar on the machine and the only other port open was for SSH I used the found credentials to log in via SSH.

ssh@alice 10.10.145.137

I entered the password and was granted access as the user Alice.

I found the root.txt in Alice /home. I was expecting the root flag in /root. I tried to open it but, of course, had no luck. Alice did not have the permission to open root.txt. I used the hint TryHackMe provided to the user flag. It said, "Everything is upside down here". After my ¨follow the rabbit¨ experience I took that hint literally.

cat /root/user.txt

In /root, I found the user flag. I investigated the machine. There were a couple of wonderland-themed users present. Rabbit (of course the rabbit again), Hatter, Alice and TryHackMe. I didn't had permission to view any of them. In Alice's home.

Privelege Escalation

In addition to the root.txt, there was a Python file. Running the file gave me 10 prompts.

I inspected the code of the Python file. There was a poem stored as a string, and a for-loop splitting the poem into lines and randomly choosing 10 lines and printing them on screen.

The code uses the Python random packet which was imported in the first line of the code. I could use the import for a method called path hijacking to escalate my privileges. Python stores installed packets in its directory, but if you choose to write your version of that packet and store it in the same directory as your Python script. Python will choose the version "closer" to its call. But first I had to check if the file is owned by another (more privileged) user. The command 'sudo -l' is showing me that.

So Alice can run the file as rabbit with:

/usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

I wrote a 2 line Python script that spawns a shell.

To run it as the user rabbit and get a shell as Rabbit I used the following command.

sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

After executing it, I was logged in as Rabbit.

I searched rabbits /home, there was only one file called teaParty.

Running teaParty as a shell script told me that the Mad Hatter would be here soon. More Interestingly it said 'Segmentation fault (core dumped)'. And 'ls -la' told me the tea party was owned by Root!

I chose to investigate the teaParty further. With a simple Python server on the Wonderland machine, I used 'wget' to download that file to my machine. With the 'string' command I investigated the teaParty file. There was one line that caught my interest.

The variable 'date' is not in an absolute PATH. So like with the Python 'random' package, I used this to hijack date. It was as simple as creating a file called 'date' in the same folder as the teaParty file.

!#/bin/bash
/bin/bash

Then I exported '$PATH' to Rabbit.

export PATH/home/rabbit:$PATH

Now I run the teaParty file again, and we're logged in as Hatter? I was hoping we get root but I made a mistake in the previous step. I was assuming that only because teaParty was owned by Root, I will be granted root access when using it.

Getting Root

In Hatters home, I found a 'password.txt' file. I tried to ssh directly as Hatter. With the password provided by the Hatter, I now have a more stable SSH connection to the Wonderland machine. Since there was nothing more to find in Hatter's home, I was out of ideas to get root access by hand. So I started a simple Python server on my machine and used 'wget' to download 'linpeas' to the wonderland machine. While scrolling through the 'linpeas' report I came across these lines:

I searched on https://gtfobins.github.io/ for 'capabilities' and was given a possible backdoor for root access.

I modified the last command a little bit so it is pointing to the right directory.

/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

After executing the command I was granted root access, and finally was able to cat the root flag in Alice's home and finish the machine.