Wonderland

This is my write-up for the TryHackMe machine called Wonderland located at: https://tryhackme.com/room/wonderland.

I started off by running an nmap scan:

sudo nmap -sV -sC -O -n -oA nmapscan 10.10.91.174

There seem to be 2 ports open. Following port 80 leads me to the following:

There does not seem to be a robots.txt file on the system:

I then ran feroxbuster on the IP address:

feroxbuster -u http://10.10.91.174 -x pdf,js,html,php,txt,json,docx -w /usr/share/wordlists/dirb/common.txt -t 30

I noticed that there was a pattern here:

I looked at the man page for feroxbuster and found that a recursion depth of 0 is infinite. Although it seems like the word from each directory would form rabbit, I still wanted to make sure. This was my updated command:

feroxbuster -u http://10.10.91.174 -x pdf,js,html,php,txt,json,docx -w /usr/share/wordlists/dirb/common.txt -t 30 -d 0

This led to a page:

I viewed the source code of this page and found the following:

This seems to be maybe an SSH account. It was:

There were two files, and both were owned by root:

Running sudo -l, I saw the following:

It seems that I can run sudo, but as rabbit:

I have to find a way to switch over to rabbit, using this access. I was thinking I can maybe overwrite the file and change the content of the file itself. I then found this write-up https://github.com/Slowdeb/Tryhackme/blob/main/Wonderland.md that mentioned that I had missed the user.txt in the root directory. Sure enough, I had:

However, I was still stuck as to how I would escalate my privileges. I had tried modifying the Python script and modifying the python3.6 file on the system, and was not able to do either. The same previous walkthrough led me to this post: https://medium.com/analytics-vidhya/python-library-hijacking-on-linux-with-examples-a31e6a9860c8. This was about Python library hijacking. In the Python code, there is only one import:

The same write-up ended up making a local file called random.py and entering the following into it:

#!/usr/bin/python3.6

import pty
pty.spawn("/bin/bash")

I then realized that the original Python code might be referencing locally AND THEN referencing the alternate location (/usr/lib/python3.6/random.py).

We are now the user rabbit. I look in the home directory of rabbit and find an executable called teaParty. I ran the code, and it seems to have the sleep command incorporated in it:

I wanted to know what the code did, so I copied the code from rabbit's directory into the /tmp directory. I then used FileZilla with alice's login and downloaded the file to my local system. I then used strings to see what was in the file:

I had to go back to the previous write-up again. I learned that the date command is not using the absolute path. As the author did, I entered the following into a file called date:

#!/bin/bash

/bin/bash

I made and edited the file in alice's home directory. I then copied it over to the /tmp folder, where I then used my access to rabbit's account to grab it from there. I also had to update the PATH to then make the SUID binary read from the date file we had made. Here are the commands I had run after I moved the date file to rabbit's home folder:

chmod +x date #to make date executable

export PATH=/home/rabbit/:$PATH #to make the system recognize the path we have access to

./teaParty #run the binary

I then had access to hatter:

There is a password file in hatter's home directory:

The password was for the hatter user. I then ran find / -type f -perm -04000 -ls 2>/dev/null to see what executables I had access to. I saw the following, where one had stuck out to me:

There was a major vulnerability in pkexec that allows you to get root. I used the code from https://github.com/ly4k/PwnKit/blob/main/PwnKit.sh to download the exploit on my own machine. I then used FileZilla to transfer that exploit to the hatter home directory. From there, I was able to make it executable and get root:

I was then able to get the root.txt file as well:

Lessons Learned: I learned a couple of main things while working on the box. The first error I made was not understanding that if root.txt was in a user's home directory, that user.txt might have been in the root directory. The first thing I had learned was Python imports and how they check locally for the import before looking in the library folder. Another item I learned was about SUID binary exploiting by manipulating the PATH variable.
