Wonderland
This is my write-up for the TryHackMe machine called Wonderland located at: https://tryhackme.com/room/wonderland.
I started off by running an nmap scan:
sudo nmap -sV -sC -O -n -oA nmapscan 10.10.91.174
There seem to be two ports open. Following port 80 leads me to the following:
There does not seem to be a robots.txt file on the system:
I then ran feroxbuster on the IP address:
feroxbuster -u http://10.10.91.174 -x pdf,js,html,php,txt,json,docx -w /usr/share/wordlists/dirb/common.txt -t 30
I noticed that there was a pattern here:
I looked at the man page for feroxbuster and found that a recursion depth of 0 is infinite. Although the directory names seemed to be spelling out rabbit, I still wanted to make sure. This was my updated command:
feroxbuster -u http://10.10.91.174 -x pdf,js,html,php,txt,json,docx -w /usr/share/wordlists/dirb/common.txt -t 30 -d 0
This led to a page:
I viewed the source code of this page and found the following:
This looked like it might be an SSH account, and it was:
There were two files, and both were owned by root:
Running sudo -l, I saw the following:
It seems that I can run sudo, but as rabbit:
I had to find a way to switch over to rabbit using this access. I thought I could maybe overwrite the file and change its content. I then found this write-up https://github.com/Slowdeb/Tryhackme/blob/main/Wonderland.md, which mentioned that I had missed the user.txt in the root directory. Sure enough, I had:
However, I was still stuck on how I would escalate my privileges. I had tried modifying the Python script and modifying the python3.6 file on the system, and was able to do neither. The same walkthrough led me to this post: https://medium.com/analytics-vidhya/python-library-hijacking-on-linux-with-examples-a31e6a9860c8. It was about Python library hijacking. In the Python code, there is only one import:
The same write-up created a local file called random.py containing the following:
#!/usr/bin/python3.6
import pty
pty.spawn("/bin/bash")
I then realized that the original Python script resolves the import from its own directory first, and only then from the library location (/usr/lib/python3.6/random.py).
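The import order described above is easy to check mechanically. The following is an added example, not code from this write-up or from the room: it mirrors what `python3 script.py` does (the script's own directory is searched before the standard library) and reports which imports of a script would be captured by a same-named file sitting next to it. This is the check an administrator would want to run over any script that sudo lets another user execute. The temporary directory, the placeholder random.py and the import list are constructed for the demonstration; the standard-library location is taken from the running interpreter.

```python
import os
import sysconfig
import tempfile
from importlib.machinery import PathFinder

# Directory holding the standard library (e.g. /usr/lib/python3.X); on the box in
# the write-up this is where the genuine random.py lives.
STDLIB_DIR = sysconfig.get_paths()["stdlib"]


def resolve_import(name, script_dir):
    """Return the file that `import name` would load for a script living in script_dir.

    Mirrors what `python3 script.py` does: sys.path[0] is the script's own
    directory and is searched before the standard library. Built-in modules
    (sys, time, ...) never reach this path search and so cannot be shadowed.
    """
    spec = PathFinder.find_spec(name, [script_dir, STDLIB_DIR])
    return spec.origin if spec is not None else None


def shadowed_imports(script_dir, imports):
    """Map each import that a same-named file in script_dir would capture to that file.

    Only standard-library modules are compared; a name that exists neither in
    script_dir nor in the stdlib is simply skipped.
    """
    findings = {}
    for name in imports:
        winner = resolve_import(name, script_dir)
        genuine = PathFinder.find_spec(name, [STDLIB_DIR])
        if winner and genuine is not None and winner != genuine.origin:
            findings[name] = winner
    return findings


def demo(plant=True):
    """Constructed scenario: a script importing random, with (plant=True) or without a random.py beside it."""
    with tempfile.TemporaryDirectory() as script_dir:
        if plant:
            with open(os.path.join(script_dir, "random.py"), "w") as f:
                f.write("# constructed placeholder: a file with the right name is enough to win the import\n")
        return sorted(shadowed_imports(script_dir, ["random", "os", "sys"]))


if __name__ == "__main__":
    print("shadowed with a planted random.py:", demo())          # ['random']
    print("shadowed in a clean directory:", demo(plant=False))  # []
```

The defensive fix this points at is to keep scripts that run under sudo in a directory the invoking user cannot write to (and to make the script itself non-writable), since the interpreter will always consult that directory first.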
We are now the user rabbit. I looked in rabbit's home directory and found an executable called teaParty. I ran it, and it seems to have the sleep command incorporated in it:
I wanted to know what the code did, so I copied the binary from rabbit's directory into /tmp. I then used FileZilla with alice's login to download the file to my local system, and used strings to see what was in it:
I had to go back to the previous write-up again. I learned that the binary calls the date command without an absolute path. As the author did, I put the following into a file called date:
#!/bin/bash
/bin/bash
I made and edited the file in alice's home directory. I then copied it over to /tmp, where I used my access to rabbit's account to grab it. I also had to update PATH so that the SUID binary would pick up the date file we had made. Here are the commands I ran after moving the date file to rabbit's home folder:
chmod +x date #to make date executable
export PATH=/home/rabbit/:$PATH #to make the system recognize the path we have access to
./teaParty #run the binary
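What the three commands above exploit is the ordinary PATH search that a program triggers when it calls `date` by bare name. The following is an added example, not code from this write-up or the room: it resolves command names along a given PATH exactly as the shell does and flags any command whose first hit lies outside the system directories, which is the condition the teaParty binary fell into. The temporary directory, the placeholder date file and the command list are constructed for the demonstration, and the set of trusted directories is an assumption matching a typical Linux layout.

```python
import os
import shutil
import tempfile

# Where a hardened program should expect system utilities to live (assumed typical
# Linux layout). Anything that resolves before these in PATH is under the caller's control.
TRUSTED_DIRS = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin")


def resolve_in_path(command, path_value):
    """First executable called `command` along path_value, as a shell or system() would pick it."""
    return shutil.which(command, path=path_value)


def path_hijack_findings(commands, path_value, trusted=TRUSTED_DIRS):
    """Report commands whose first PATH hit lies outside the trusted system directories.

    Each finding records the file that would actually run and the one a hardened
    caller (absolute path, or a PATH reset to the trusted directories) would use.
    """
    findings = {}
    for cmd in commands:
        hit = resolve_in_path(cmd, path_value)
        if hit is None or os.path.dirname(hit) in trusted:
            continue
        findings[cmd] = {
            "resolved": hit,
            "expected": resolve_in_path(cmd, os.pathsep.join(trusted)),
        }
    return findings


def demo():
    """Constructed scenario matching the write-up: a caller-owned directory holding an
    executable named date, prepended to PATH the way `export PATH=<dir>:$PATH` does."""
    with tempfile.TemporaryDirectory() as user_dir:
        planted = os.path.join(user_dir, "date")
        with open(planted, "w") as f:
            f.write("#!/bin/sh\n# constructed placeholder standing in for the planted script\n")
        os.chmod(planted, 0o755)
        poisoned_path = user_dir + os.pathsep + os.pathsep.join(TRUSTED_DIRS)
        # sleep still resolves to a system directory, so only date is reported
        return path_hijack_findings(["date", "sleep"], poisoned_path)


if __name__ == "__main__":
    for cmd, info in demo().items():
        print(f"{cmd}: would run {info['resolved']} instead of {info['expected']}")
```

The mitigation for a SUID binary is the mirror image of the exploit: call helpers by absolute path (/bin/date) or set PATH to a fixed value before calling system(), since the environment a SUID program inherits belongs to the user who launched it.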
I then had access to hatter:
There is a password file in hatter's home directory:
The password was for the hatter user. I then ran find / -type f -perm -04000 -ls 2>/dev/null to see which SUID executables I had access to. I saw the following, where one stood out to me:
There was a major vulnerability in pkexec (PwnKit) that allows a local user to get root. I downloaded the code from https://github.com/ly4k/PwnKit/blob/main/PwnKit.sh to my own machine. I then used FileZilla to transfer that exploit to the hatter home directory. From there, I made it executable and got root:
I was then able to get the root.txt file as well:
Lessons Learned: I learned a couple of main things while working on this box. The first error I made was not realising that if root.txt was in a user's home directory, user.txt might be in the root directory. One thing I learned was how Python imports are resolved: the script's own directory is checked before the library folder. Another thing I learned was SUID binary exploitation by manipulating the PATH variable.