Room URL: https://tryhackme.com/room/wonderland
Before you read
If you haven’t tried this box yet, I’d highly recommend trying it yourself first. This box is quite fun :)
Fall down the rabbit hole and enter wonderland.
First things first: we need to know which ports are open on this box. This is how we do it:
nmap -sC -sV <your box ip>
An SSH and an HTTP server.
The first thing I would always do is poke around the HTTP server if there is one, especially since we don’t have any credentials for SSH at the moment.
Besides opening the website in a browser, we can also have a look at what directories the website has. This is how I do it:
gobuster dir -u http://<your box ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
You can of course choose another wordlist to run.
Now you can leave gobuster running in the background while you work in your browser.
Meet White Rabbit
Put your box’s IP address into your browser, and this is what we see:
Not very informative viewed this way. We shall check the page source.
So Mr. Rabbit here is a .jpg image. Whenever I see a .jpg I’d always give it a try with
In case you’re wondering what passphrase I entered: nothing, an empty passphrase. Behind this empty passphrase hides a file hint.txt, which says
follow the r a b b i t
It seems to simply repeat the title on the front page. But what does it mean?
Meanwhile, gobuster has found something interesting. We left it running in the background, remember?
The “/img” directory we’ve already seen. The “/r” directory is especially curious. Let’s try typing it into the URL and see where we go.
It asks me to “keep going”. I think I have a theory about the previous hint…
r a b b i t, huh?
Here’s what I got:
“Would you tell me, please, which way I ought to go from here?”
“That depends a good deal on where you want to get to,” said the Cat.
“I don’t much care where–” said Alice.
“Then it doesn’t matter which way you go,” said the Cat.
Now we’ve exhausted the clues we got. What now?
Well, page sources are always worth a shot. Let’s check the source of
It’s a hidden paragraph! Such a colon-separated format could be a username-password pair, i.e. a login credential.
Would it be a credential we can use to login to SSH? (Yes. Turns out it is.)
Woowee! We are in the Wonderland now!
Knock at White Rabbit’s home
Curiouser and curiouser!
Let’s first look at the home directory.
root.txt is here. Well, since we can’t do anything to it, let’s leave it alone for now.
And other users’ home directories are only accessible by themselves. Not cool, not cool.
The second thing that caught my eye is walrus_and_the_carpenter.py. We’d better check what’s in it.
P.S.: The code below is shortened for readability. You can read the complete poem here
import random

poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.

The moon was shining sulkily,
Because she thought the sun
Had got no business to be there
After the day was done —
"It’s very rude of him," she said,
"To come and spoil the fun!"

......

"I weep for you," the Walrus said.
"I deeply sympathize."
With sobs and tears he sorted out
Those of the largest size.
Holding his pocket handkerchief
Before his streaming eyes.

"O Oysters," said the Carpenter.
"You’ve had a pleasant run!
Shall we be trotting home again?"
But answer came there none —
And that was scarcely odd, because
They’d eaten every one."""

for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)
Although it is very long, what it does is quite simple. The core is the last few lines: if you run this script, it simply prints 10 random lines from this poem to stdout.
One thing I would always try in privilege escalation is sudo. We shall first check what commands we can run with sudo:
Interesting! We can run the Python script here in our home directory as another user.
That is to say, if we can edit the script, we can run arbitrary commands as this user. In this case, as
But walrus_and_the_carpenter.py is only writable by root. Now what?
I was stuck here for a night. And something came to my mind the next morning. It was an interesting thought and thus very satisfying.
I don’t wanna spoil the fun. If you are fairly familiar with Python you should be able to figure it out by yourself. So in case you wanna try it, I’ll put some padding below :)
Funny that the syntax for importing a system package and importing another .py file from the project are the same. What if we create a random.py in the home directory (surely we have the privilege to do this)? Will the interpreter import the system one, or the one we just made?
To confirm this, I did a bit of research and found this article on Python library hijacking. The important part is the directories Python searches for the package to import, and their priority:
- Directory of the script being executed
Which means if we create our own version of random.py in the home directory, it will be imported instead of the genuine
So this is the random.py I created:
import pty
pty.spawn('/bin/bash')
And let’s run walrus_and_the_carpenter.py once more (as
Voila! We now have a rabbit shell!
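An added check, not part of the original writeup, that turns the search-order fact above into something a defender can run against a script before granting sudo on it: it lists the script’s imports and reports any that a file in the script’s own directory (sys.path[0]) would satisfy before the standard library, generalising from random to every import. SAMPLE_SCRIPT and the temporary directory are constructed stand-ins for the box’s files.

```python
# Added example (not from the original writeup): report imports of a script
# that a file sitting next to it would satisfy first, i.e. the import-order
# problem exploited above, for any import the script makes.
import ast
import importlib.machinery
import os
import sys
import tempfile

SAMPLE_SCRIPT = "import random\nfor i in range(3):\n    print(random.random())\n"  # constructed

def imported_names(source):
    """Top-level module names a script imports (import x / from x import y)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def resolve_origin(name, search_path):
    """File a module would be loaded from along search_path (ignores sys.modules)."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return os.path.realpath(spec.origin) if spec and spec.origin else None

def shadowed_imports(script_path):
    """Imports that a file in the script's own directory would satisfy first."""
    script_dir = os.path.realpath(os.path.dirname(os.path.abspath(script_path)))
    with open(script_path) as fh:
        names = imported_names(fh.read())
    importlib.invalidate_caches()            # notice files created since the last lookup
    path = [script_dir] + [p for p in sys.path if p]
    origins = {n: resolve_origin(n, path) for n in sorted(names)}
    return [n for n, o in origins.items() if o and o.startswith(script_dir + os.sep)]

def demo():
    """Constructed demo: a random.py dropped next to the script wins the lookup."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "walrus_and_the_carpenter.py")
        with open(script, "w") as fh:
            fh.write(SAMPLE_SCRIPT)
        before = shadowed_imports(script)
        with open(os.path.join(d, "random.py"), "w") as fh:
            fh.write("# local file that shadows the stdlib name; never imported here\n")
        after = shadowed_imports(script)
    return before, after
```

The practical mitigation is the one the check implies: a sudo target should not live in a directory its invoker can write to.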
The tea party
Now we can see what’s in rabbit’s home directory.
Ah! Sticky bits. I like it.
In case you don’t know what it is, a sticky bit is basically a permission on an executable file in Linux that allows whoever runs the file to do something as another user (SUID) or another group (SGID).
Combined with PATH variable exploitation, sticky bits can be used to execute arbitrary commands as another user. So let’s see if there’s anything we can take advantage of within this tea party.
Here, we use the strings command to extract printable strings from a binary file.
So we can easily infer that this part in the red brackets generated the messages shown in the previous image.
The most interesting thing among them is the line in the red rectangle. This shows that somewhere inside this program, it runs a command in a shell. And it used the date command without specifying an absolute path.
We can create an executable file called date in the /tmp directory, and prepend /tmp to the beginning of the PATH variable. The payload inside the /tmp/date file is the commands we want to execute as the user set in the teaParty program with the SUID permission. We can then execute whatever we want as that user by running it.
So, first thing, let’s check whose privileges we are about to get by setting the payload as
Now we’ve got Mr. Hatter’s privileges, let’s see what’s under hatter’s home directory. Change /tmp/date to the following:
#!/bin/sh
echo
ls -la /home/hatter
echo
And do the trick again:
Inside the password.txt file is the password of hatter. Now we have a full shell as hatter by SSHing into the box.
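An added example (not the writeup’s own code) that audits PATH the way a defender reviewing teaParty would: it lists entries the current user could write to and resolves a bare command name like date along PATH the way a shell does, so the /tmp hijack above is visible without running anything. The temporary directory and the placeholder date file are constructed for the demo.

```python
# Added example (not from the original writeup): audit the PATH a SUID program
# would inherit. Reports entries the current user can plant a binary in (what
# the /tmp/date trick relies on) and shows which file a bare command resolves to.
import os
import stat
import tempfile

def writable_path_entries(path_string):
    """PATH entries that are relative, empty, or writable by the current user."""
    risky = []
    for entry in path_string.split(os.pathsep):
        if entry == "" or not os.path.isabs(entry):
            risky.append(entry or ".")      # an empty or relative entry means the cwd
        elif os.path.isdir(entry) and os.access(entry, os.W_OK):
            risky.append(entry)
    return risky

def resolve_command(name, path_string):
    """First regular file named `name` along PATH with any execute bit set."""
    for entry in path_string.split(os.pathsep):
        candidate = os.path.join(entry or ".", name)
        try:
            st = os.stat(candidate)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            return candidate
    return None

def demo():
    """Constructed demo: a writable directory prepended to PATH captures 'date'."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "date")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder\n")   # stand-in file, never executed here
        os.chmod(fake, 0o755)
        safe_path = os.pathsep.join(["/usr/local/bin", "/usr/bin", "/bin"])
        hijacked_path = d + os.pathsep + safe_path
        return {
            "safe": resolve_command("date", safe_path),
            "hijacked": resolve_command("date", hijacked_path),
            "risky_entries": writable_path_entries(hijacked_path),
        }
```

On the program side the fix is to call /bin/date by absolute path or to set a known-good PATH before handing a command to the shell.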
As we found nothing doable inside hatter’s home directory, it’s time to do some local enumeration. The enumeration script I used is LinEnum.sh.
By reading the report carefully, I found this interesting: the perl interpreter executable has the setuid capability, and we, as hatter, have the permission to run it. This means we can get anyone’s privileges in this box as hatter.
I’m not quite familiar with perl, but I found this amazing guide.
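An added example (not from the writeup or from LinEnum) that decodes the security.capability extended attribute getcap reads, so an audit can flag binaries such as perl that carry cap_setuid with the effective bit set. The sample blobs are constructed; the directory scan only works on Linux, where os.getxattr exists.

```python
# Added example (not from the original writeup): decode the security.capability
# xattr that getcap reads and scan for binaries carrying an effective cap_setuid,
# as the perl interpreter above does. Layout follows struct vfs_cap_data.
import os
import struct

CAP_SETUID = 7                      # capability number from linux/capability.h
VFS_CAP_FLAGS_EFFECTIVE, VFS_CAP_REVISION_SHIFT = 0x1, 24   # low bit / top byte of magic_etc

# Constructed samples (not from the box): cap_setuid+ep in revision 2 and 3
# layouts, and a file with only cap_sys_admin permitted and no effective flag.
SAMPLE_SETUID_REV2 = struct.pack("<5I", 0x02000001, 1 << CAP_SETUID, 0, 0, 0)
SAMPLE_SETUID_REV3 = struct.pack("<6I", 0x03000001, 1 << CAP_SETUID, 0, 0, 0, 1000)
SAMPLE_SYSADMIN_P = struct.pack("<5I", 0x02000000, 1 << 21, 0, 0, 0)

def decode_vfs_cap(blob):
    """Parse a vfs_cap_data blob (revision 2 or 3) into its capability sets."""
    magic, p0, i0, p1, i1 = struct.unpack_from("<5I", blob, 0)
    revision = magic >> VFS_CAP_REVISION_SHIFT
    if revision not in (2, 3):
        raise ValueError("unsupported vfs_cap_data revision %d" % revision)
    permitted, inheritable = p0 | (p1 << 32), i0 | (i1 << 32)
    return {
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": {b for b in range(64) if permitted >> b & 1},
        "inheritable": {b for b in range(64) if inheritable >> b & 1},
        # revision 3 appends the user-namespace root id the caps apply to
        "rootid": struct.unpack_from("<I", blob, 20)[0] if revision == 3 else 0,
    }

def has_effective_setuid(blob):
    """True when the file would start with CAP_SETUID both permitted and effective."""
    caps = decode_vfs_cap(blob)
    return CAP_SETUID in caps["permitted"] and caps["effective"]

def scan_for_setuid_caps(directories):
    """Walk directories (Linux only) and return files whose xattr grants cap_setuid."""
    getxattr = getattr(os, "getxattr", None)    # absent on non-Linux platforms
    hits = []
    for root, _, files in (w for d in directories for w in os.walk(d)):
        for name in files:
            path = os.path.join(root, name)
            try:
                blob = getxattr(path, "security.capability") if getxattr else None
            except OSError:             # no capability xattr on this file
                continue
            if blob and has_effective_setuid(blob):
                hits.append(path)
    return hits
```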
Hooray! Now loot the flags!