TryHackMe-Wonderland
NMAP
Nmap scan report for 10.10.84.199
Host is up (0.16s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT 80
Okay, so I didn't find anything by looking at the source or at the web page, so we have to use directory brute force using gobuster.
Directory Brute Force
gobuster dir -u http://10.10.84.199/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Didn't find anything on the poem page either, but that /r page is interesting.
So it's telling us to keep going, and as we remember from the first page we saw, there was a heading "Follow the Rabbit", so let's give it a shot by actually typing rabbit with each letter as a separate page.
Now by looking at the source we can find a username and password
So the only two services that are running are http and ssh. We didn't find any login page, so these may be the credentials for ssh.
alice:HowDothTheLittleCrocodileImproveHisShiningTail
And we are logged in, awesome!
I couldn't find anything except for walrus something .py, which has a list of poems in it. I'll get back to it, but first let's transfer linpeas so we can automate our enumeration, and it does that for us.
So through linpeas I found that perl has capabilities, meaning that it could run as root for any user, like having a SUID bit, but the only problem is that only the users root and hatter can execute it.
Now we know what we would need to get root, but for now, in order to get to the rabbit user, we have to use /home/alice/walrus_and_the_carpenter.py and do something in it.
Now this python file is using random.py, so what we can do is create a file with the name of random.py having this in it
In rabbit's directory we see a teaparty binary.
When running it, it will give us an error, so we have to transfer it to our local machine and analyze it, maybe with Ghidra.
By analyzing it we can see that the whole thing is statically printed, but we see something interesting about two functions
setuid(0x3eb);
setgid(0x3eb);
These are the Set User ID and Set Group ID functions, which take 0x3eb as their parameter. That value is in hex, and if we convert it into decimal it will be 1003, which is the uid and gid of user hatter.
We can also see that it's using the date command, which is a binary, so what we can do is create a date binary
#!/bin/bash
/bin/bash
Give it permission to execute and then add the path to it in the $PATH variable.
We find a password in hatter's home directory.
We can now execute perl, which we were not able to execute before as we were not in hatter's group.
Now as I already figured the way to get root so
Privilege Escalation
Now that we are root we can grab the user and root flags!!!