Wonderland

Room Info

Fall down the rabbit hole and enter wonderland.

Enter Wonderland and capture the flags.

This isn't a writeup and more so a personal report of what I have discovered and learned doing this challenge.

The beginning was quite easy for me, up to the point of getting SSH access. Because it is an Alice in Wonderland themed challenge this means I will end up following a lot of 'rabbit holes' in order to reach the objective.

Enumeration

NMAP only found 2 open ports

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Accessing the webpage only says Follow the White Rabbit. This is a hint to start enumerating the web server.

After finishing with gobuster I discovered the http://$target/r/a/b/b/i/t/ directory; this was the first rabbit hole to follow.

After snooping around the web page I discovered the SSH credentials for alice.

Privilege escalation (horizontal)

Logging in I can see the root.txt flag and a python script. I cannot read the root.txt flag and it also made me wonder, if the root flag is here, then where is the user flag? I simply navigated to /root and tried to list it, however no luck since I had no privileges to list that directory.

But then I decided to just do cat user.txt since usually after getting in a box, you can read the user flag. And to my surprise it was there and it gave me the user flag.

Doing sudo -l I can see that I can run python3.6 and the python script in alice's home directory as the user rabbit. Now here is where I got stuck for hours trying to see how I can switch shell to rabbit. After much searching online I decided to look up the solution for this challenge.

I learned that if a Python script imports a module, you can create a "new" module with the same name as the one imported in the script.

For example

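# the script run through sudo imports the standard random module
import random
poem = """
a
b
c
d
e
"""
# pick one line of the text at random
print(random.choice(poem.split("\n")))

This imports the random module from the Python standard library. However, if I create a new Python script named random.py in the same directory as the script, Python imports the newly created script instead and executes the code in it, because the script's own directory is searched first.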

This means I can create a python script named random.py and simply add

# random.py
import os
os.system("/bin/bash")

To execute the script I run it with sudo -u rabbit; it imports my random.py, executes the code in it and spawns me a shell as rabbit.

Going to /home/rabbit there is an ELF file that when executed tells me to wait for the Mad Hatter.

There was no strings on the remote machine, so I just did cat file and it gave me some text that I can read.

This is another thing that I learned: if a program is run without its absolute path (an absolute path being, for example,

/bin/bash

), you can hijack that program by editing your PATH.

Create a file named after the program you wish to hijack and add

#!/bin/bash
/bin/bash

Make it executable with chmod +x program and prepend the directory where the program is located to PATH. In my situation

export PATH=/tmp:$PATH

And just execute the binary.

Privilege escalation (vertical)

This will spawn me a shell as hatter.

Navigating to /home/hatter I found out the password for the user and can SSH into the machine to get a more stable shell.

After this I see that I cannot run any programs with sudo so I ran LinEnum on the machine to see what I can exploit to escalate my privileges.

LinEnum leaves a little + indicating that there is a possible exploit. I noticed that there were files with POSIX capabilities.

Searching online I found the exploit on https://gtfobins.github.io/ and quickly went to work on exploiting that file.

Even though it was a simple exploit, I managed to get root and read the root flag.

Final thoughts

Wonderland was quite challenging for me as a beginner. I learned a lot from this challenge and decided to do this simple "report" so that I can remember easily what I've learned and to keep this as a 'note' if I ever stumble upon something similar to remind myself.
