Discovering Wonderland: A TryHackMe Adventure in Cybersecurity
Introduction to Wonderland
In this room based on Alice in Wonderland, our mission is to locate two concealed flags.
Reconnaissance
To identify the services available on the target, I initiated a port scan.
Port Scanning with RustScan
I utilized RustScan to execute the following command:
sudo rustscan -a 10.10.95.75 --ulimit 5000 -- -sS -Pn -sV -O -T4 -oN rustscan.txt
- -a: Specifies the IP address.
- --ulimit: Raises the open-file limit, which caps the number of simultaneous connections.
- -sS: Conducts a stealth scan using a partial TCP handshake.
- -Pn: Skips host discovery (the ping scan), treating the host as online.
- -sV: Identifies service versions.
- -O: Detects the operating system.
- -T4: Sets the scan to aggressive timing for faster results.
- -oN: Outputs the results as text.
The scan revealed that ports 22 and 80 are accessible on the target.
Open Ports
- Port 22 (SSH): OpenSSH 7.6p1
- Port 80 (HTTP): Golang HTTP Server
The OS detection component indicates that the target is likely running Ubuntu Linux.
Enumeration
Exploring Port 22 (SSH)
The SSH version on the target has no known vulnerabilities, making a dictionary attack unnecessary.
Exploring Port 80 (HTTP)
Accessing port 80 presents a page instructing us to “Follow the White Rabbit.”
I examined the source code but found no hidden information. Additionally, there was no robots.txt file present.
Since I couldn’t locate anything of value, I proceeded to brute-force the URL for concealed directories.
gobuster dir --url http://10.10.95.75:80/ -w /usr/share/wordlists/dirb/common.txt | tee gobuster.txt
- dir: Brute-forces directory paths.
- --url: Points to the target URL.
- -w: Specifies the wordlist for brute-forcing.
The hidden directory /r was discovered.
Further Exploration in Directory /r
Upon discovering the directory, the page encouraged us to “Keep Going,” leading me to perform another brute-force search within the /r directory.
gobuster dir --url http://10.10.95.75:80/r/ -w /usr/share/wordlists/dirb/common.txt | tee gobuster2.txt
This revealed the directory /a, which also displayed the message “Keep Going.” Based on the previous hints, I anticipated that the next logical route would be /rabbit.
Final Steps to Access Wonderland
The final page prompted us to “Open the door and enter wonderland.” Upon checking the page's source code, I uncovered hidden credentials which were likely intended for SSH access.
- Username: alice
- Password: HowDothTheLittleCrocodileImproveHisShiningTail
Gaining Initial Access
Using the credentials, I successfully logged into the target system as Alice.
Upon inspection of the /home directory, I found three additional user accounts, confirmed by a message on the page that provided the SSH credentials.
ls -lah /home/
Within Alice's home directory, I discovered root.txt and walrus_and_the_carpenter.py.
The root.txt file was inaccessible since it was owned by root.
Privilege Escalation
Analyzing the Python Script
The Python script contains the lyrics to "The Walrus and the Carpenter" and utilizes the random module to randomly select lines from the poem.
I checked the sudo privileges for Alice.
sudo -l
Alice's configuration permits her to run the command /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py as the user Rabbit. This means that executing the script will grant her the privileges of the Rabbit user.
Crafting a Malicious Module
To exploit this, I created a custom random.py file that spawns a shell, placing it in the same directory as the script:
nano random.py
# Code to spawn a shell
import pty
pty.spawn("/bin/bash")
To execute the script with the necessary privileges, I ran:
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
Gaining Access as Rabbit
Once logged in as Rabbit, I inspected the home directory, where I found a binary named teaParty with the SUID bit set.
However, upon executing the program, it crashed with a “Segmentation Fault” error.
Analyzing the Binary
To analyze the binary, I downloaded it to my system, as the target machine lacked the necessary utilities.
Setting up an HTTP server via Python, I downloaded the file:
python3 -m http.server 9000
Using curl, I retrieved the binary.
curl -LO http://10.10.95.75:9000/teaParty
Upon inspection with the strings command, I discovered it utilized the echo and date commands.
Decompiling the Binary
Utilizing a decompiler, I confirmed that the “Segmentation Fault” was merely a printed string, not an actual error.
The binary uses setuid() and setgid() functions to change its permission context during execution.
Crafting the Exploit
To exploit the teaParty binary, I created a custom date file in Rabbit's home directory.
nano date
#!/bin/bash
/bin/bash
Setting the execute permission on this file and modifying the $PATH variable allowed the custom date binary to execute when teaParty was called.
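The root cause is that the SUID binary hands a command line to the shell in which date is named without a path, so the caller's $PATH decides which file runs. The check below is an added example, not part of the original write-up; the sample command string is constructed from the page's description (echo and date), and the helper names are hypothetical. It flags command words that are resolved through $PATH and shows how the search order changes the result.

```python
import os
import shlex
import shutil
import tempfile

# Words the shell runs itself, so $PATH is never consulted for them.
SH_BUILTINS = {"echo", "printf", "test", "[", "true", "false", "cd", "exit", "read"}
OPERATORS = {"&&", "||", ";", "|", "&", "(", ")"}

# Constructed sample of a command string recovered with `strings`.
SAMPLE = "/bin/echo -n 'Probably by ' && date --date='next hour' -R"

def bare_commands(command_line):
    """Return command words in a shell string that are looked up via $PATH."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    found, expect_command = [], True
    for token in lexer:
        if token in OPERATORS:
            expect_command = True          # next word starts a new command
        elif expect_command:
            expect_command = False
            if "/" not in token and token not in SH_BUILTINS:
                found.append(token)
    return found

def resolve(command, path):
    """First executable named `command` in the given PATH string, or None."""
    return shutil.which(command, path=path)

def demo():
    """Show that a directory placed first in PATH wins the lookup."""
    with tempfile.TemporaryDirectory() as user_dir:
        planted = os.path.join(user_dir, "date")
        with open(planted, "w", encoding="utf-8") as fh:
            fh.write("#!/bin/sh\nexit 0\n")   # harmless constructed stand-in
        os.chmod(planted, 0o755)
        user_path = user_dir + os.pathsep + "/usr/bin" + os.pathsep + "/bin"
        flagged = bare_commands(SAMPLE)
        return {
            "flagged": flagged,
            "user_controlled": [c for c in flagged
                                if resolve(c, user_path) == os.path.join(user_dir, c)],
        }

if __name__ == "__main__":
    print(demo())
```

Any word reported in flagged should be replaced by an absolute path in the privileged program, or the program should set a fixed PATH before calling the shell.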
Achieving Root Access
This led to a new shell with root privileges.
Upon reviewing the /home/hatter directory, I found a file named password.txt, which contained the SSH password for Hatter.
- Password: WhyIsARavenLikeAWritingDesk?
I logged in to Hatter's account, ultimately leading me to root access.
Finding the Flags
The root flag was located in Alice's home directory, while the user flag was in the /root directory, a reversal of the usual locations.
# Root Flag
thm{Twinkle, twinkle, little bat! How I wonder what you’re at!}
# User Flag
thm{"Curiouser and curiouser!"}
Miscellaneous Discoveries
I later realized that the Rabbit image on the website contained hidden information via steganography.
Utilizing steghide, I extracted the hidden data from the image, revealing the clue: “follow the rabbit.”
This hint was not essential, as I had already completed the room through other means.