TryHackMe — “Wonderland”

Bibek Thapa Magar
May 8, 2021

Start the machine

Task 1: Capture the flags

Obtain the flag in user.txt:

Since we have an IP, let’s load it into the browser and see what it returns.

It does not give us any clue, so try an nmap scan: nmap -sC -sV -A 10.10.76.59

That does not give us any clue either, so it is time to run dirbuster.

From dirbuster we came across this directory.

So, loading it into the browser, we get:

I don’t see anything on the image, so view the source of this page now.

This could be useful: “alice:HowDothTheLittleCrocodileImproveHisShiningTail”

This seems like the ID and password of something…
Let’s try to use it as the username and password for SSH.

Voila!! It worked. At first try it said permission denied, then I used the same password again and it worked. Now we have the SSH session.

Now there are two files there:

root.txt and walrus_and_the_carpenter.py

root.txt needs root permission to read, so let’s run the .py file.

python is not installed, but python3 is installed on the machine, so use python3 to run the file.

I got stuck here, so I looked at the hint.

It says everything is upside down. After a lot of thinking, since root.txt is in the user account, I thought that the user.txt file is in the root account, so: cat /root/user.txt

Flag: thm{“Curiouser and curiouser!”}

Now, checking the sudo permissions, it looks like we can run the Python file as “rabbit”.

The Python file has import random, and since we can run the file with sudo permission as rabbit, we can use Python hijacking here.

If we create a file named “random.py” in our current working directory that executes /bin/bash, our Python file should be loaded instead of the “real” random module, and in turn give us a shell as the rabbit user.

In this random.py file we include /bin/bash:

import os

os.system("/bin/bash")

Now, if we run the file as rabbit, we will get the bash shell as “rabbit”.
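To check a script for this weakness from the defender's side, here is an added example (not part of the original write-up or the room's files): it lists the modules a script imports and reports any that a same-named file beside the script would be loaded in place of. Python searches the script's own directory first, which in this room is also alice's working directory; find_shadowed_imports, demo and walrus.py are names assumed for the illustration.

```python
import ast
import os
import sys
import tempfile
from importlib.machinery import PathFinder
from pathlib import Path


def imported_modules(script):
    """Top-level module names imported anywhere in the script."""
    names = set()
    for node in ast.walk(ast.parse(script.read_text())):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def find_shadowed_imports(script_path):
    """Report imports that a file beside the script would win over the real module."""
    script = Path(script_path).resolve()
    here = script.parent
    # The script's directory is searched first; the intended module lives elsewhere.
    elsewhere = [p for p in sys.path if p and Path(p).resolve() != here]
    findings = []
    for name in sorted(imported_modules(script)):
        local = [c for c in (here / f"{name}.py", here / name / "__init__.py")
                 if c.is_file()]
        real = PathFinder.find_spec(name, elsewhere) if local else None
        if real is not None:  # same name exists further down the path: shadowed
            findings.append({"module": name, "shadowed_by": str(local[0]),
                             "intended": real.origin,
                             "dir_writable": os.access(here, os.W_OK)})
    return findings


def demo():
    """Constructed layout: a script importing random, before and after random.py appears."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d, "walrus.py")  # hypothetical stand-in script
        target.write_text("import os\nimport random\nprint(random.random())\n")
        before = find_shadowed_imports(target)
        Path(d, "random.py").write_text("# constructed placeholder\n")
        return before, find_shadowed_imports(target)


if __name__ == "__main__":
    print(demo())
```

A finding with dir_writable set to True on a script that sudo lets another user run is the condition this step relied on; keeping such scripts in a root-owned directory removes it.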

Now navigate to the rabbit user’s home folder, where we can see a binary file named “teaparty”. It seems to have the setuid and setgid bits set.

Again, it seems difficult. Looking into the file, it seems that if we successfully execute it, we may get the user account of hatter. We find that it calls date without specifying the path. This means we can hijack the PATH and take over the date binary.

Now, let’s export the PATH.

Now create a file named date in /tmp such that it runs a bash shell. After creating the file, also change its permissions so that it is executable.

Now execute the teaparty file; after execution, it will change the user to hatter.

Now go into the home directory of hatter.

We see a file named passwords.txt, so maybe it can give us some clue.

Now let’s try to SSH in as hatter as well, using the password: WhyIsARavenLikeAWritingDesk?

Now, the final step is to escalate to root privilege.

Doing some basic enumeration using linPEAS, the hatter group is the owner of /usr/bin/perl, so I went to GTFOBins, searched for perl and got this result. Executing the command, we get a root shell:

/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

Now we can read the root.txt file in the alice directory.

Finally,

flag: thm{Twinkle, twinkle, little bat! How I wonder what you’re at!}

CONGRATULATIONS!!!
