Wonderland
Room Link: https://tryhackme.com/room/wonderland
Initial Scan
Kali
nmap -A $VICTIM
Scan all ports
Kali

TCP/80 - HTTP
Kali

In the browser, I can see I'm on the right track.

Kali

Kali
After a few letters, I was able to just guess the word it's spelling out.


TCP/22 - SSH
Kali

Lateral Movement - Abusing Library Path
Victim

The first command shows the module search path Python follows. The first place it tries is the current directory, so we can make a random.py script of our own there and put anything we want in it.
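To check a host for the same weakness, the sketch below audits the directory Python searches first when a script runs. It is an added example, not part of the original writeup; `audit_script_dir`, the finding labels and the `job.py` layout are constructed for illustration, and the owner-mismatch rule is a heuristic assumed here.

```python
import os
import stat
import sys
import tempfile

# Python 3.10+ exposes the standard-library module names; the fallback set is
# a small constructed subset for older interpreters.
STDLIB = getattr(sys, "stdlib_module_names", frozenset({"random", "os", "json"}))


def audit_script_dir(script_path):
    """Return (kind, path) findings for the directory holding script_path."""
    script = os.path.abspath(script_path)
    script_dir = os.path.dirname(script)
    findings = []
    dir_stat = os.stat(script_dir)
    # Anyone who can write here can drop a module that wins the import lookup.
    if dir_stat.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("writable-dir", script_dir))
    # Heuristic (assumption): a script owned by one user inside a directory
    # owned by another lets the directory owner influence the script's imports.
    if dir_stat.st_uid != os.stat(script).st_uid:
        findings.append(("owner-mismatch", script_dir))
    for entry in sorted(os.listdir(script_dir)):
        full = os.path.join(script_dir, entry)
        name, ext = os.path.splitext(entry)
        is_module = ext == ".py" and os.path.isfile(full)
        is_package = os.path.isfile(os.path.join(full, "__init__.py"))
        if full != script and (is_module or is_package) and name in STDLIB:
            findings.append(("shadows-stdlib", full))
    return findings


def demo():
    """Build a constructed layout: job.py next to a local random.py."""
    root = tempfile.mkdtemp()
    script = os.path.join(root, "job.py")  # hypothetical script name
    for path, body in ((script, "import random\n"),
                       (os.path.join(root, "random.py"), "")):
        with open(path, "w") as handle:
            handle.write(body)
    before = audit_script_dir(script)
    os.chmod(root, 0o777)  # simulate a world-writable script directory
    after = audit_script_dir(script)
    return root, before, after


if __name__ == "__main__":
    print(demo()[1:])
```

Running a privileged script with `python3 -I` (isolated mode) keeps the script's directory out of `sys.path`, which removes this lookup entirely.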
Victim

Victim

Victim


Lateral Movement - Abusing Paths
Kali(receiving)
Victim(sending)
Ghidra
I opened the file in Ghidra and can see that the program runs the date command, whose output we see when we run the script. Note that the date command isn't called by its full path, so if we add another directory to our PATH we can run our own date command instead.

I added tmp to my PATH.
Victim(rabbit)

I'm not the hatter
Victim(rabbit)

Privilege Escalation
Victim(hatter)
We can follow what's listed under Capabilities on the GTFOBins page, but only the last command is needed, as CAP_SETUID is already set for perl.
Exploit: https://gtfobins.github.io/gtfobins/perl/
