search

Wonderland

Room Link: https://tryhackme.com/room/wonderlandarrow-up-right

hashtag
Initial Scan

Kali

nmap -A $VICTIM

hashtag
Scan all ports

Kali

hashtag
TCP/80 - HTTP

Kali

I can see I'm on the right track on the browser

Kali

Kali

After a few letters I was able to just guess the word it's spelling out

hashtag
TCP/22 - SSH

Kali

hashtag
Lateral Movement - Abusing Library path

Victim

Using the first command we can see the path it follows, we can see the first thing it will try is the current directory so we can make a random.py script of our own and put anything we want in it.

Victim

Victim

Victim

hashtag
Lateral Movement - Abusing Paths

Kali(receiving)

Victim(sending)

hashtag
Ghidra

I opened the file in Ghidra and can see that the program is running the date command which we see outputted when we run the script. But note that the date command isn't using the full path so if we add somewhere else in our path we can run our own date command instead.

I added tmp to my path

Victim(rabbit)

I'm not the hatter

Victim(rabbit)

hashtag
Privilege Escalation

Victim(hatter)

We can just follow what's under capabilities but only the last command as CAP_SETID is already set for perl.

Exploit: https://gtfobins.github.io/gtfobins/perl/arrow-up-right

PreviousBoiler CTFNextBlog

Last updated