🐰Wonderland
Writeup by FzF_StormZ
First of all, we will launch a complete Nmap scan to try to discover possible services:
As you can see, we have 2 open ports (22 and 80). The SSH port can be interesting if we find credentials to get a legitimate shell on the machine. But, for now, we will focus on port 80.
When I have a website during a challenge, I like to run 2 commands:
With gobuster, we find the directory /r/. If we continue recursively, we have:
So, I continued to search around, but there were no possible paths other than the first one. I analysed the multiple images but found nothing. Here we go again: I tried to analyse the page source of each directory, and in the last one you have the credentials for the user alice:
Creds found !!: alice:HowDothTheLittleCrocodileImproveHisShiningTail
With these credentials, we can try to connect through SSH as the alice user.
BINGO !
Now, I will upload an automated script to enumerate the privilege escalation paths that are possible with the web user. I can also try to take control of the think user, which may have more privileges to reach the root user.
After running linpeas.sh, I have this crucial information:
But, if I want to exploit these capabilities to perform a privilege escalation, I need to be the hatter user.
So, we have some files in our home directory: a Python script that uses the random module. And, when we execute the command sudo -l, we can see that we can run a specific command as the user rabbit.
The next step will be just to perform Python module hijacking. I wrote my own random module to move laterally to the user rabbit:
Now, we have a binary teaParty with SUID. This is the same technique as with the Python module. We can see inside the binary the call to the date command with a relative path. So, we can create our own date command and change the PATH env variable. After execution, we are now the user harper.
Inside his home directory, we have this file:
This is useful to connect through SSH as the user harper, to have the gid and groups for harper.
Now, we can go back to the capabilities and just perform what we can find on GTFOBins:
We are now root!!!!!
I really enjoyed this room for practising hijacking skills with Python and the PATH env variable!
http://<IP victim>/r/a/b/b/i/t/. This seems to be a rabbit hole.