Hey guys, it’s Anil Celik, a.k.a. 0xpr0N3rd on TryHackMe. In this write-up, I would like to share the walkthrough of the room named Wonderland, which was recently released on TryHackMe.
Let’s start with nmap scan:
From the result of our initial scan, we can see that ports 22 and 80 are open. Let’s start enumerating port 80 first:
When we access to web server, we are being welcomed with the page shown in above. Since there’s nothing much in here, we can inspect the page source next but there is no valuable information in there either:
Next step, we can do a gobuster scan to discover hidden directories in this web server:
In our result, we can see that there are two hidden directories named “/img” and “/r”. Let’s go to “/img” first:
When we go to this directory, we see there are 3 image files in here. Before going to other directory, let’s download those images to see whether some hidden information exists in those images:
When we inspect theses images, we see that there is an hidden text file named hint.txt inside the file named white_rabbit_1.jpg. Let’s extract this file and try to see its content:
When we open the hint.txt file, we see the message “follow the rabbit” :)
What we should remember in here is that when we were doing a directory scan, we have seen that the hidden directory other than the one named “/img” was named “/r”; when we combine this info with the hint we just got from hint.txt, we can understand that there is another hidden directory such as: “/r/a/b/b/i/t”
Seems like our thought wasn’t wrong. Let’s inspect this page’s source also:
This time, we found something. We can use these credentials for SSH connection for the user named alice:
We have successfully connected to SSH. Let’s continue with enumeration. First, let’s see how many users we have under the “/home” directory:
As we can see we have total 4 users; namely, alice, hatter, rabbit and tryhackme. Now we can continue with the user named alice and inspect the files located under their homre directory so that maybe we can capture user flag:
Unfortunately, the user flag is not in here but weirdly the root flag is located in here but we are not privileged to see it’s content. Let’s go ahead and inspect what’s inside the file named “walrus_and_the_carpenter.py”:
When we view file’s content, we can see that the module named random is imported in this Python script and there are some poetry lines defined under poem. At the end of the file, there is also a for loop to print 10 lines from this poetry randomly:
When we go back and inspect file permissions, we can see that we are not privileged to execute this file. Since we are not privileged to do much, we can check our sudo rights for our current user:
From this output, it can ve obtained that the alice user is privileged to execute sudo command for the user rabbit with the Python file which we recently seen. Then, let’s go ahead and try to execute this command:
We executed the file but nothing much happened. What we can do in here is doing Python Library Hijacking, which we could have thought at the first time when we see this file. With this technique, we can manipulate the module named random and execute the file again in order to get a shell from user named rabbit. The reason why we are able to do is lies under Python’s basics. What I mean is when we execute a Python file, the modules imported inside that Python file are being check inside the current working directory first. If those modules does not exist under the current working directory, Python looks for it’s own modules. From here, we can see that we need to create another file named random to manipulate this Python file’s execution flow by adding a shell command inside it:
As we can see, we have successfully completed the library hijacking process and got a shell from the user named rabbit. Before going any further with rabbit, let’s look for the user flag again:
Unfortunately, the user flag is not in here either but when we check the hint that is given to us in room’s page, we can see the message in below:
The message tells us that the everything is upside down here. After a little bit of thinking, we can figure out that the user flag is actuallt under the root directory (SNEAK 100):
Now we got the user flag and we can continue on rabbit. First let’s inspect the file named teaParty, which also has a SUID bit set:
When we check the file type, we see it’s in ELF format, which means it’s an executable file. When we execute the file, we see the error message “Segmentation fault (core dumped)” regardless of whatever the input we give. At first I thought it might be a Buffer Overflow but then something else got my attention; the line saying “Probably by Mon, 08 Jun 2020 18:24:02 +0000”. What we can understand from here is that there is a variable in the file that pulls the current date data:
Yes, the variable date is in use. Now we can manipulate this variable to escalate our privileges. To do that, we can do Execution Flow Hijacking through PATH variable. Because; PATH variable is the variable that specifies directories holding the executable programs in UNIX systems. Also, since there is a SUID bit set file(teaParty), we can manipulate the PATH variable of this file and we can obtain a shell from the user which this file actually belongs to. In order to do that, we need to create another file named date in this directory:
After creating the file, let’s set the PATH variable for hijacking and execute the file again:
As we can see, we have successfully did the Execution Flow Hijacking and got our shell from the user named hatter. Next thing, let’s inspect what this user has under their home directory:
We see there is a file named password.txt, let’s see what is inside it:
Hmm, there is a password. I guess we can use this password to check sudo rights of hatter:
Unfortunately, hatter has no sudo command that he can run. At this point, we can upload linPEAS to the machine to see what we can do here in a larger scope:
At linPEAS output, we see something interesting:
When we check Capabilities section, we can see that we can escalate our privileges once more by using the capabilities defined for the perl binary. What this means is as following: The primary goal of capabilities in Linux is dividing user and program privileges at kernel level into little pieces to supply additional privileges to other programs.
The difference between SUID and Capability is as following: if a program has it’s SUID bit set, then a user can run that program with the privileges of that file’s owner. Capabilities are similar to SUID but they are used to improve security of Linux systems and they are meant to control thread privileges.
To make Capability concept to be understood thoroughly, we can give the following example: Let’s say that there exists a web server running at port 80 and we need additional root privileges to scan ports coming before port 1024. At this point, instead of giving full root privileges to low-privileged users, we can set capability binaries to perform desired action.
The logic of Capabilities is dividing root level processes into little pieces to give additional permissions to low privileged users, as we spoke in the previous example.
Now let’s get back to machine and exploit this capability to escalate our privileges. Firstly, we can search related capabilities for Perl on GTFOBins:
We see that we can use above command to escalate our privileges into root level because capabilities are dividing root level processes into little pieces and with this command, we are manipulating these little pieces which are coming from root to escalate our privileges:
Yes, we rooted the machine. Let’s grab user flag (remember it was under alice’s home directory):
We got the root flag.
That’s all folks, I hope you have learnt something from this write-up Also, many thanks to James for this cool box, I enjoyed it a lot!
Thank you for reading, see you on next write-ups!