THM: Wonderland

Fall down the rabbit hole and enter wonderland.

Introduction

Wonderland is rated as a medium-difficulty, CTF-style box created by NinjaJc01. Without giving too much away too soon, the key points of this room are web enumeration, lateral movement, and privilege escalation through misconfigured access controls. The challenge can be found here: tryhackme.com/room/wonderland
So without further ado, let's get into it.

Enumeration

Nmap shows just two services, SSH and a web server on port 80, so we start by enumerating the web server.

001.png

We find a landing page but not much else; even the page source is very sparse. So, to gobuster we go...

002.png

I ran multiple gobuster scans with a number of different wordlists but all I ever got back was these four links.

003.png

/img contains a few image files, including one we haven't seen yet.
/poem has a full-length poem.
/r appeared to be a dead end but was actually a hint, and the beginning of the right kind of rabbit hole.

004.png

Initial Compromise

So we keep "gobusting" all the way down to /r/a/b/b/i/t, and when viewing the page source we find some hidden credentials.
NOTE: Since originally solving this room I've started using feroxbuster, which does recursive scans automatically, so I wouldn't have needed to keep restarting scans to look inside newly found directories as I did with gobuster.

005-2.png

Using these credentials we're able to log in to the target over SSH as the user alice.

We find two files, "root.txt" and "walrus_and_the_carpenter.py". We can't do anything with root.txt yet, but we can read the other file.

006.png

Lateral Movement

I initially threw linpeas and a few other enumeration scripts at this box but none of them came back with anything.
Then I went back to basics and tried sudo -l, and found something that definitely stood out.
We can run python3 on the python file in our home folder as the user 'rabbit' (the rule names both the interpreter and the script, which is why absolute paths matter when we use it later).

007.png

Looking inside the python file we see a long poem and a for loop that prints a random line from the poem, ten lines per run.
The important part for us is that it imports another module named random. Remember that when you import a Python module you're really just loading another Python file with its own set of functions that you can then call.
We can hijack this import by creating our own random.py in the same directory as the script. Python puts the directory containing the script it is running at the front of sys.path (its module search path, not the shell's PATH), ahead of the standard library, so a random.py sitting next to walrus_and_the_carpenter.py is found before the real one.

008.png

009.png

So we write a quick new random.py with a single function named choice, since that is the only thing the script calls from the module. In this case our custom choice function pops a reverse shell for us.

010.png

011.png

Now that both files are in the same folder, when random.choice() is called it will actually run our reverse shell instead.
Set up a netcat listener on the attacking machine and then run the sudo command.
NOTE: Make sure you use the absolute paths for both python3 and the script, exactly as sudo -l listed them; otherwise sudo won't match the rule and it won't work.

012.png

Here we are, now logged in as rabbit.

013.png

More Lateral Movement (Custom binary enumeration & exploitation)

Once we're in as rabbit we find an ELF binary in the home directory with the setuid and setgid bits set.

014.png

I tried running the binary a few times but it would throw a segmentation fault no matter whether I entered something large, small, or nothing at all.
I exfiltrated this file to my attacking machine since I couldn't find strings on the victim machine.
Running strings against the file, I find that it calls a couple of shell commands but only one of them uses an absolute path.
"/bin/echo" is called by full path, but "date" is called by bare name, so the shell resolves it through $PATH at run time. That means we can create our own file called "date" and put its directory at the front of $PATH.

015.png

This is it. That's all that's in the file called "date" in the victim's /tmp/path directory, but it's plenty to get us a shell.

016.png

This is our next escalation. The last important part is to set the permissions to 777 (really only the execute bit is needed) and to put /tmp/path at the front of the PATH variable.

017.png

So once the binary hits "&& date" it calls our version of "date", which just spawns an interactive bash shell as whoever the program is running as; thanks to the setuid bit, that is the file's owner, 'hatter'.
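The PATH hijack above, and the absolute-path fix beside it, as an added example (not the room's or the author's code). The real target is a setuid ELF, and the page never shows the exact command string it builds, so the two command strings below are constructed stand-ins for what it hands to the shell; a rogue "date" script in a scratch directory plays the part of /tmp/path/date and only announces itself rather than starting a shell.

```python
"""PATH hijacking of a bare "date" call, beside the absolute-path fix.

Added example, not the room's or the author's code. The real target is a
setuid ELF whose strings show "/bin/echo" by absolute path and "date" by
bare name; the command strings below are constructed stand-ins for what
that binary hands to the shell, and a rogue "date" script in a scratch
directory plays the role of /tmp/path/date. On the box the rogue script
would exec a shell; here it only announces itself.
"""
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Reconstructed shape of the binary's call: the second program is a bare
# name, so /bin/sh resolves it through PATH. The echoed text is a placeholder.
VULNERABLE_CMD = '/bin/echo "constructed banner text" && date'
# Hardened shape: every external program by absolute path (alternatively the
# binary could reset PATH to a fixed value before calling system()).
HARDENED_CMD = '/bin/echo "constructed banner text" && /bin/date'

ROGUE_DATE = """#!/bin/sh
echo "HIJACKED: rogue date executed"
# On the box this line would be: exec /bin/bash -p
# (-p matters: without it bash drops the setuid-gained euid back to the
#  real uid, and you would be rabbit again instead of hatter)
"""


def make_rogue_date(hijack_dir: Path) -> Path:
    """Create the rogue date script. The writeup uses chmod 777, but the
    execute bit is the only one that matters."""
    rogue = hijack_dir / "date"
    rogue.write_text(ROGUE_DATE)
    rogue.chmod(0o755)
    return rogue


def run_as_binary_would(cmd: str, hijack_dir: Optional[Path]) -> str:
    """Run cmd via /bin/sh -c, as system(3) does, optionally with hijack_dir
    at the front of PATH (export PATH=/tmp/path:$PATH on the box)."""
    env = dict(os.environ)
    if hijack_dir is not None:
        env["PATH"] = str(hijack_dir) + os.pathsep + env.get("PATH", "")
    proc = subprocess.run(["/bin/sh", "-c", cmd],
                          capture_output=True, text=True, env=env)
    return proc.stdout


def demo() -> Dict[str, str]:
    """Vulnerable command with and without the rogue PATH, and the hardened
    command with the rogue PATH still in place."""
    with tempfile.TemporaryDirectory() as d:
        hijack_dir = Path(d) / "path"
        hijack_dir.mkdir()
        make_rogue_date(hijack_dir)
        return {
            "vulnerable_hijacked": run_as_binary_would(VULNERABLE_CMD, hijack_dir),
            "vulnerable_clean_path": run_as_binary_would(VULNERABLE_CMD, None),
            "hardened_hijacked": run_as_binary_would(HARDENED_CMD, hijack_dir),
        }


if __name__ == "__main__":
    for label, text in demo().items():
        print(f"--- {label} ---\n{text}")
```

The hardened command still runs with the attacker's PATH in the environment and is unaffected, which is the whole fix: a setuid program must not let the caller's environment decide which "date" it executes.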

Privilege Escalation to root

We go and check out hatter's home directory and find a file with a password in it. I used to know this one too, but you can google the riddle when you find it.

018-2.png

After looking around for a little while I don't see anything else obvious, and hatter isn't allowed to use sudo, so I run the linpeas/LinEnum scripts again. I'm reminded of something I saw while running linpeas as alice but wasn't able to run at the time: two perl interpreters have the cap_setuid file capability, which lets the process switch to an arbitrary uid.

019.png

It looks like we can actually run them this time too!

020.png

A quick trip to GTFOBins gives us a nice little one-liner (the capabilities entry for perl, which calls POSIX::setuid(0) and then execs a shell) and we have root!

021.png

Conclusion

This was a great CTF exercise that really rewards a pentester who enumerates and re-enumerates as their access level changes. This room illustrates a number of escalation techniques, including Python module hijacking, binary PATH hijacking, and binaries with overly permissive capabilities (looking at you, GTFOBins).
In terms of possible remediation, binaries listed on GTFOBins should be monitored to ensure that the SUID/SGID bits and file capabilities such as cap_setuid aren't set on them unless absolutely necessary. The other two escalation paths could be closed by secure code review: don't grant sudo on a script that lives in a directory its caller can write to, and don't let a setuid binary look up commands through the caller's PATH.
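One way to do that monitoring, as an added example (not the room's or the author's code): walk a tree, report regular files that carry the setuid or setgid bit or a security.capability xattr (the attribute getcap reads), and mark any whose name matches a watchlist of GTFOBins-style interpreters. The watchlist here is a small constructed subset, not the GTFOBins index, and the demo tree is built in a scratch directory.

```python
"""Audit for setuid/setgid binaries and file capabilities, the two settings
that handed over hatter and root in this room.

Added example, not the room's or the author's code. It walks a directory
tree, reports regular files that carry the setuid or setgid bit or a
security.capability xattr (the attribute getcap reads), and marks names
that match a small constructed watchlist of GTFOBins-style interpreters.
The watchlist is a subset for illustration, not the GTFOBins index.
"""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

WATCHLIST = {"perl", "python", "ruby", "bash", "find", "vim", "node"}
# "perl5.30.0" -> "perl", "python3.6" -> "python": strip a trailing version.
_VERSION_SUFFIX = re.compile(r"[\d.]+$")


def has_file_capability(path: Path) -> bool:
    """True if the file has a security.capability xattr (Linux only).
    Reading it needs no privilege, which is why getcap works as any user."""
    if not hasattr(os, "getxattr"):
        return False
    try:
        os.getxattr(path, "security.capability", follow_symlinks=False)
        return True
    except OSError:   # ENODATA (no capability set), ENOTSUP, EACCES ...
        return False


def classify(name: str, mode: int, has_cap: bool) -> Optional[Dict]:
    """Pure decision step: which flags apply and whether the name is on the
    watchlist. Returns None when there is nothing to report."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    if has_cap:
        flags.append("capability")
    if not flags:
        return None
    base = _VERSION_SUFFIX.sub("", name)
    return {"name": name, "flags": flags, "watchlist": base in WATCHLIST}


def audit(root: Path) -> List[Dict]:
    """Walk root and return one finding per flagged regular file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.lstat()
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            f = classify(name, st.st_mode, has_file_capability(p))
            if f:
                f["path"] = str(p)
                f["owner_uid"] = st.st_uid
                findings.append(f)
    return findings


def demo() -> List[Dict]:
    """Constructed tree: a setuid perl, a setgid python, a legitimately
    setuid passwd and a harmless file. Only the first three should show."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, mode in [("perl5.30.0", 0o4755), ("python3.6", 0o2755),
                           ("passwd", 0o4755), ("harmless", 0o755)]:
            p = root / name
            p.write_text("#!/bin/sh\n")
            p.chmod(mode)
        return audit(root)


if __name__ == "__main__":
    for f in demo():
        mark = "  <-- on watchlist" if f["watchlist"] else ""
        print(f'{f["path"]}: {",".join(f["flags"])}{mark}')
```

Run it against / on a schedule and diff the output against a known-good baseline; a new watchlist hit with setuid or a capability flag is exactly the perl and python situation this room turns into root.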