Wonderland

Wonderland is a medium-level box on TryHackMe with an Alice in Wonderland theme. Several privilege escalation methodologies were in play; overall it was a rather interesting box.

Enumeration

I ran an nmap scan (results below); it returned two open ports, SSH on 22 and HTTP on 80. Nikto didn't return anything juicy.

The webpage, shown below, says something about following the white rabbit and nothing more. No robots.txt either...

...Further enumeration, then, this time with DirBuster. I found a chain of sub-directories whose path spells the word rabbit.

On the last page we found the SSH login details for Alice after looking at the page source.

User Enumeration

Once on the SSH shell, I looked at Alice's files. She does not have the user.txt file but rather root.txt, which of course we can't view. She also has a Python file called walrus_and_the_carpenter.py, and running "sudo -l" shows that this file is the only thing Alice can run through sudo, as the user rabbit.

Playing around with the code, it only displays random lines from Alice in Wonderland poems... random, of course.

The Python file imports the random module. When you import a module in Python, the interpreter searches the directories listed in "sys.path" in order: if the module is not in the first directory it tries the second, and so on until it finds the directory containing the imported module. In our case, as seen below, the first entry is '' (the empty string), which means the present directory.

The implication is that we can create a random.py file in our current directory containing a simple bash shell; when we run walrus_and_the_carpenter.py it imports our fake random.py rather than the original one.

I created the file in that directory and ran the script as rabbit; once it ran, I was able to get a shell as rabbit.
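As an added example (my own code, not from the original writeup), the following Python resolves which file `import random` would load under the default search order versus the order that `python -I` (isolated mode) enforces, using the interpreter's own finder so nothing is executed; the temporary directory and the placeholder random.py are constructed for the demo.

```python
"""Which file would `import random` actually load for a given search path?
Added example, not from the original writeup; the temporary directory and the
placeholder random.py below are constructed for the demo."""
import os
import sys
import sysconfig
import tempfile
from importlib.machinery import PathFinder


def resolve_module(name, search_path):
    """Return the file `import name` would load for this search path, using the
    interpreter's own finder, without executing the module."""
    spec = PathFinder.find_spec(name, path=search_path)
    return spec.origin if spec else None


def is_shadowed(name, search_path):
    """True if `name` resolves to a file outside the standard library."""
    origin = resolve_module(name, search_path)
    if origin is None:
        return False
    stdlib = os.path.abspath(sysconfig.get_paths()["stdlib"])
    return not os.path.abspath(origin).startswith(stdlib + os.sep)


def demo():
    """Constructed scenario: a random.py dropped in a writable directory that
    sits first in the search path, as the writeup's sys.path[0] == '' allows."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "random.py"), "w") as fh:
            fh.write("# placeholder standing in for the hijacked module\n")
        # Ordering enforced by `python -I` (isolated mode): neither the
        # script's directory nor the current directory is prepended.
        safe = [p for p in sys.path if p]
        # Default ordering: the script/current directory is searched first.
        unsafe = [workdir] + safe
        return {
            "unsafe_origin": resolve_module("random", unsafe),
            "unsafe_shadowed": is_shadowed("random", unsafe),
            "safe_origin": resolve_module("random", safe),
            "safe_shadowed": is_shadowed("random", safe),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running a privileged script with `python -I`, or keeping its directory root-owned and non-writable, removes the writable search-path entry that makes this hijack possible.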

Again, rabbit doesn't have the user flag, but it does have a file, teaParty, owned by root with the SUID bit set.

The file has the SUID bit set, which you can read more about here. It also calls the date command.

Since it runs as root and calls date without an absolute path, we can create a rogue date and add its directory to PATH so the command finds our date before it gets to /bin/date.

As seen below, the fake date command contains a bash shell; I made the file executable and added my present directory to PATH.

Running the teaParty file, our fake date executed as well, giving me access to the hatter shell.

I ran sudo -l, but hatter has no sudo permissions at all.

With further enumeration, I found the system was vulnerable to a capabilities-based privilege escalation.

From GTFOBins, I found a working perl capabilities exploit. Once run, you can see the UID change, and the rest, as they say...