CTF-Writeups/TryHackMe/Wonderland.md
2020-11-29 22:49:19 +05:00

TryHackMe-Wonderland

NMAP

Nmap scan report for 10.10.84.199
Host is up (0.16s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80

Okay, so I didn't find anything by looking at the web page or its source, so we have to brute-force directories using gobuster.

Directory Brute Force

gobuster dir -u http://10.10.84.199/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Didn't find anything on the poem page either, but that /r page is interesting.

So it's telling us to keep going, and as we remember from the first page we saw, there was a heading, Follow the Rabbit, so let's give it a shot by actually typing rabbit with each letter as a separate page.

Now by looking at the source we can find a username and password

So the only two services that are running are http and ssh, and we didn't find any login page, so these may be the credentials for ssh.

alice:HowDothTheLittleCrocodileImproveHisShiningTail

And we are logged in, awesome!

I couldn't find anything except for walrus something .py, which has a list of poems in it. I'll get back to it, but first let's transfer linpeas so it can automate our enumeration for us.

So through linpeas I found that perl has capabilities, meaning that it could run as root for any user, like having SUID, but the only problem is that only the users root and hatter can execute it.

So now we know what we need to get root, but for now, in order to get to the rabbit user, we have to use /home/alice/walrus_and_the_carpenter.py and do something in it.

Now this Python file is using random.py, so what we can do is create a file with the name random.py having this in it
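
An added example, not part of the original writeup and not the random.py mentioned above: Python puts the script's own directory first on the module search path, so a file beside the script that is named like a standard-library module is imported instead of the real one. The check below lists such imports for a given script and notes whether its directory is writable; all function names are this example's own.

```python
import ast
import os
import sys
import sysconfig
from importlib.machinery import BuiltinImporter, FrozenImporter
from pathlib import Path

STDLIB_DIR = Path(sysconfig.get_paths()["stdlib"])

def shadowable_stdlib(name):
    """True if `name` is a standard-library module that is found via sys.path."""
    # Built-in and frozen modules are resolved before sys.path is searched,
    # so a file beside the script cannot take their place.
    if BuiltinImporter.find_spec(name) or FrozenImporter.find_spec(name):
        return False
    if name in getattr(sys, "stdlib_module_names", ()):  # Python 3.10+
        return True
    return (STDLIB_DIR / f"{name}.py").is_file() or (STDLIB_DIR / name / "__init__.py").is_file()

def imported_modules(script):
    """Top-level names of all absolute imports in the script."""
    tree = ast.parse(Path(script).read_text(), filename=str(script))
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names

def audit_script(script):
    """Return (module, status, path) for stdlib imports a sibling file shadows or could shadow."""
    script = Path(script).resolve()
    script_dir = script.parent  # this directory is sys.path[0] when the script runs
    writable = os.access(script_dir, os.W_OK)  # can the current user drop files here?
    findings = []
    for name in sorted(imported_modules(script)):
        if not shadowable_stdlib(name):
            continue
        hits = [p for p in (script_dir / f"{name}.py", script_dir / name / "__init__.py") if p.is_file()]
        if hits:
            findings.append((name, "shadowed", str(hits[0])))
        elif writable:
            findings.append((name, "shadowable", str(script_dir)))
    return findings

if __name__ == "__main__":
    for name, status, where in audit_script(sys.argv[1] if len(sys.argv) > 1 else __file__):
        print(f"{status:10} {name:12} {where}")
```

Keeping a script that other users may run in a directory only its owner can write to, or starting it with `python3 -I` (isolated mode, which leaves the script's directory off the search path), removes the condition this check reports.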

In rabbit's directory we see a teaparty binary

When running it

It will give us an error, so we have to transfer it to our local machine and analyze it, maybe with Ghidra.

By analyzing it we can see that the whole thing is statically printed, but we see something interesting about two functions

setuid(0x3eb);
setgid(0x3eb);

These are the Set User ID and Set Group ID functions, which take 0x3eb as a parameter. That value is in hex; if we convert it into decimal it is 1003, which is the uid and gid of the user hatter.

We can also see that it's using the date command, which is a binary, so what we can do is create a date binary

#!/bin/bash
/bin/bash

Give it permission to execute and then add the path to it to the $PATH variable.

We find a password in hatter's home directory

We can now execute perl; earlier we were not able to execute it because we were not in hatter's group.

Now, as I already figured out the way to get root, so

Privilege Escalation

Now that we are root we can grab the user and root flags!!!