Wonderland CTF THM

21st January 2022
| No Comments

Introduction

Welcome to another TryHackMe write-up. Today we will be going through a medium-difficulty room called “Wonderland” that is based around Linux privilege escalation techniques.

Let’s get into it!

Link to the Wonderland room: https://tryhackme.com/room/wonderland

Port Scans

Let’s begin by scanning the machine with nmap and see what we can find.

22/SSH - OpenSSH 7.6p1

80/HTTP - Golang net

Excellent! Let’s check out the website!

Website

We are greeted with a very simple home page which follows the “Alice in Wonderland” theme of the box.

There’s nothing interesting in the source code either so let’s use gobuster to do some directory brute-forcing.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://TARGET_IP/

And gobuster shows us some interesting directories. The /img directory is standard for websites. It’s where a website’s images are typically stored. The /poem and /r directories certainly pique my interest. The poem directory just contains a very long poem (who would’ve guessed!) called “Jabberwocky” which is basically nonesense. Let’s take a look at what’s in the /r directory.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://TARGET_IP/r/

Oh… Let’s keep going…

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://TARGET_IP/r/a/

Down the rabbit hole we go…

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://TARGET_IP/r/a/b/

If we carry on, eventually we’ll find that the word it spells out is rabbit.

Let’s head over to the r/a/b/b/i/t/ directory.

http://TARGET_IP/r/a/b/b/i/t/

And we have a page with nothing all that interesting. If we take a look at the source code of the page, we’ll find some credentials.

Another way of getting these credentials is by using the curl command like so:

curl -v http://TARGET_IP/r/a/b/b/i/t/

This may be easier to read.

Excellent! Now that we have what seems to be Alice‘s password, let’s see if we can SSH into the machine as the Alice user.

And we’re in! Here comes the fun part!

Alice

Let’s begin by taking a look at what’s in Alice‘s home directory.

ls -la

So we have root.txt here and a python script… If root.txt is here, what’s in the /root folder? That may be a clue regarding the location of the user.txt flag 😉

Ok, let’s now take a look at the python script.

It imports the random module, and uses it to select ten random lines from a poem.

Checking what the Alice user can run as sudo may clue us as to who we’re going to be escalating our privileges to first.

sudo -l

That’s interesting! We can run that python script in our home directory as the rabbit user. But all the script does is select ten random lines from a poem. There’s no way for us to execute any code as the rabbit user… Or is there??

So it uses the random module to select random lines in the poem string.

A module is just a python file with functions that can be referenced. So when the import random line is executed, the script goes and looks for that random.py file. We can find out where it’s looking for this random.py file.

python3.6 -c 'import sys; print(sys.path)'

Oh dear… It’s looking in our current directory first ([”])

So if we were to make a random.py file in this directory, the python script would reference that file since it’s the first place it checks…

Let’s make a random.py file in this directory with the following code to spawn a shell:

import pty
pty.spawn("/bin/bash")

And now we run the python script as sudo.

sudo -u rabbit python3.6 /home/alice/walrus_and_the_carpenter.py

And we get a shell as the rabbit user!

Rabbit

Let’s start off by taking a look at what’s in the rabbit user’s home directory.

We have a binary in here called teaParty. If we want to take a look at it in depth, we’ll have to use a debugging tool (in this case, I’ll be using radare2). Let’s move this binary to our local host.

First, let’s set up a temporary http server on this machine.

python3.6 -m http.server

This will serve the current directory on the default port of 8000.

And we can use wget to retrieve the binary.

wget TARGET_IP:8000/teaParty

We can double-check that it’s on our local host.

ls -la

But it’s not an executable now so let’s change that.

chmod +x teaParty

There we go! Now we’re ready to look under the hood of this binary!

Rabbit: Reverse Engineering

Let’s open up this binary in radare2 in debugger mode.

r2 -d ./teaParty

Let’s get radare2 to analyse it.

aa

Now let’s print out the list of the binary’s functions.

afl

Let’s take a look at the sym.main function.

pdf @main

And we get this monstrosity… It’s called assembly code :’)

As we look through the assembly code, we can see that setuid and setgid are set to 1003. This could be an indication as to who we are going to escalate our privileges to next.

Let’s take a look at /etc/passwd and see who has an id of 1003.

cat /etc/passwd | grep 1003

It’s the Mad Hatter!

Going back to the assembly code, we see some comments which show the code being executed.

Note how the echo command has an absolute path whereas the date command does not. This is an insecure reference to a file and can be exploited.

If a program is being referenced without an absolute path, it has to check the PATH environment variable in order to find the location of the binary. However, we can change that variable.

Let’s prepend the current directory to the PATH environment variable.

export PATH=/home/rabbit:$PATH

And now we’ll create a file called date in our current directory. This will be the file that is referenced when the date command is executed.

vim date

#!/bin/bash
/bin/bash

Now when date is executed, it will spawn a shell. Since the uid and gid are set to that of the hatter user, when the date program is executed in the teaParty binary, it will spawn a shell as the hatter user.

Let’s make our newly-created file executable.

chmod +x date

And now let’s execute the teaParty program.

./teaParty

And where the date program should have been executed, we get a command prompt for the hatter user. Awesome!!

Hatter

Checking the hatter user’s directory, we see a text file containing a password.

Using that password to view sudo -l doesn’t work.

Let’s see what files belong to the hatter user.

find / -xdev -user hatter 2>/dev/null

Note: The -xdev flag shows mounted directories but doesn’t list what’s in them.

Nothing that we haven’t seen in their home directory.

Let’s see what the hatter‘s group owns.

Hold up! Why on earth do they own perl??

It doesn’t have an SUID bit or anything obvious…

But we can check its capabilities with the getcap command.

File capabilities aim to provide more control over root permissions. It’s sort of an improvement on SUID binaries since they can usually be exploited (of course that depends on the program with the SUID bit).

The main idea is that file capabilities are just individual fragments of root privileges (I believe there are about 40 file capabilities). They prevent or at least reduce the need to switch to the root user when executing a program.

Going back to our example, we see that we can run perl with the cap_setuid+ep capability. This means we can run it with a uid of 0 (which is root). This is essentially the same thing as running the program as root…

Let’s check GTFO bins for a payload.

This is exactly what we’re looking for!

Let’s copy and paste it in.

perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

Permission denied… Let’s check our id and verify we are who we think we are.

id

We have the uid of the hatter user which is correct but our gid is still that of the rabbit user…

OH! That reminds me of the credentials from earlier (password.txt in the hatter user’s home directory)! Maybe we can use them to SSH in as the hatter user.

ssh hatter@TARGET_IP

And it works!!

Let’s just double-check our id again.

And now we paste in that payload from GTFO bins… And get a root shell!

And just a gentle reminder that now you can grab the root.txt file from the very start in Alice’s home directory. 🙂

Conclusion

I had so much fun doing this room! I learnt so much and got some hands-on practice too which was awesome. I need to do CTFs more regularly. I learn so much from them, especially when they are just above my skill level as it will expand my comfort zone.

Anyways, I hope this was of some help and an enjoyable read. Until next time! 🙂

Pentesting