Tryhackme: Wonderland
Information about the Box
Name: Wonderland
Difficulty: Medium
Released: Fri 05 Jun 2020
Creator: NinjaJc01
URL: tryhackme.com/room/wonderland
Connection to the Machine
Hello, aspiring hackers!!
Before we start playing with this box, we need to make sure we can connect to it. We are going to leverage OpenVPN; TryHackMe has a detailed walkthrough of how to go about that. Ping the machine: if you get the magic 64 bytes back, you're good to go. If not, try again.
Enumeration.
Let’s get our hands dirty, shall we? The first step of hacking (we’re doing it ethically FYI) is gathering information and enumerating. After getting the IP address of the machine, I’m going to start with nmap to do a port scan.
This basic nmap scan shows that there are 2 open ports. We can at least presume that there’s a website somewhere on this machine because of port 80.
Next, we are going to navigate to our web browser of choice. And sure enough, there is a site.
One important step is usually viewing the page source, as this might reveal some useful comments left behind by developers. You can do this by right-clicking and then selecting 'View page source', or by using a command-line utility called curl.
In this case, the code doesn't reveal much but there’s a link to the rabbit’s image.
I thought there might be some image steganography involved, but let me save you the trouble: after trying, I did find a hint, and the hint was:
Let’s do some further enumeration on the website. My first thought was to look for hidden directories. There are a bunch of tools but my tool of choice is gobuster.
If you don’t have it installed, follow this link and the instructions to start using it on your machine.
github.com/PentestBox/gobuster
Now that we have it installed, let’s find ourselves some directories.
From the scan results, we have a directory called /r/. Let’s add it to our URL and see what we get.
The message is to keep going. So my thought was to do further directory enumeration, and this is what I got
So within the /r/ directory, there's another one called /a/. I'm going to save you the trouble because the message is the same, and after you reach the /b/ directory you pretty much see where it's going. So we are just going to spell it all out.
You'll end up with the URL /r/a/b/b/i/t.
Nice! This lands us on another page. Remember the golden rule, always view the page source, you never know what mistakes might have been left there.
Look closely, what do you see? Looks like credentials to me. Is it a coincidence that port 22 is open? So I went ahead and tried using the discovered credentials to log in to the machine and voila! The famous words “I’m in!!”😆.
We’re logged in as the user Alice.
Let’s do some digging and see what we’ll unearth.
Normally, the user flag is in the logged-in user's home directory, but in our case the root flag's file is the one in our home directory. So I decided to check out the hint: "Everything's upside down here". That's the hint given by TryHackMe, so what if the file is in the user's root directory and not their home? Aah, there we go. We got the user flag. Time for privilege escalation.
Privileges mean what a certain user is allowed to do on a system. This includes read, write, or execute permissions. To get to users with higher privileges than the one we are currently logged in as, we'll have to do some enumeration to look for loopholes in the configuration that might allow us to escalate our privileges.
There are a bunch of cheat sheets on privilege escalation and, of course, there are scripts that can automate the process for us. I, however, like starting manually.
So first, I'll try to see what commands the user Alice can run with sudo privileges.
The result of running that command suggests that the user Alice can run a python file in her home directory as the user rabbit.
Let's find out what this Python file does. The user Alice has read permission on this file but cannot write to it (ls -l).
The file imports the random module and then reads through a poem, splitting it at random and printing each of the resulting pieces on a new line.
Well, at first I didn't understand how this was going to help me, but I knew that it wasn't there just for the sake of it. I also knew that it was going to help me pivot to the user rabbit, who probably had more privileges than the user Alice.
After a lot of Googling and reading some blog posts, I came across a vulnerability called Python library hijacking. This vulnerability can be present when the user can't write to a Python file but can influence where Python looks for the modules that file imports.
I know, I know, it's a lot to take in, so let's go back to how Python looks for the modules to be imported. Python searches a fixed list of directories in order (sys.path); if it doesn't find the module in any directory on that list, it throws an error.
python3 -c 'import sys; print(sys.path)'
We can see that Python starts by looking for the module in the current directory ('') before looking in the other directories. There it goes. This is our chance to hijack the library. How, you may ask? We will create a file called random.py; that way, when Python starts looking, it will find our file first and import it as the random module (you don't have to specify the entire filename when importing one Python file from another) and execute it to give us a shell as the user rabbit.
Let’s go ahead and create our file.
The next thing is just to run the file and wait for the magic to happen. Look out for the prompt. Has it changed?
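The import-order behaviour described above is easy to check without executing anything. The following script is an added example (not part of the original write-up) that resolves a module name the same way the interpreter does, entry by entry along sys.path, using importlib's PathFinder rather than import, so a planted random.py is reported but never run. It also lists sys.path entries the current user can write to, which is the condition that makes the hijack possible in the first place. The temporary directory and the harmless random.py the demo creates are constructed for the demo; function names are my own.

```python
"""Audit where Python would import a module from, and which sys.path
entries an unprivileged user can write to (added example, not from the
original walkthrough)."""
import importlib
import os
import sys
import sysconfig
import tempfile
from importlib.machinery import PathFinder


def resolve_module(name, search_path=None):
    """Return (sys.path entry, file path) for the first entry that provides
    `name`, walking entries left to right exactly as the interpreter does.
    find_spec only locates the file; it does not execute it."""
    importlib.invalidate_caches()  # don't trust stale directory listings
    entries = list(sys.path) if search_path is None else list(search_path)
    for entry in entries:
        spec = PathFinder.find_spec(name, [entry])
        if spec is not None and spec.origin:
            return entry, spec.origin
    return None, None


def writable_path_entries(search_path=None):
    """sys.path entries the current user can create files in.
    '' stands for the current working directory (first entry with -c)."""
    entries = list(sys.path) if search_path is None else list(search_path)
    return [
        entry for entry in entries
        if os.path.isdir(entry or os.getcwd())
        and os.access(entry or os.getcwd(), os.W_OK)
    ]


def shadowed_stdlib_modules(names, search_path=None):
    """Map each name whose first match is NOT the interpreter's own stdlib
    copy to the file that would be imported instead."""
    stdlib_dir = sysconfig.get_paths()["stdlib"]
    findings = {}
    for name in names:
        _entry, origin = resolve_module(name, search_path)
        canonical = PathFinder.find_spec(name, [stdlib_dir])
        if origin is None or canonical is None or not canonical.origin:
            continue
        if os.path.realpath(origin) != os.path.realpath(canonical.origin):
            findings[name] = origin
    return findings


if __name__ == "__main__":
    # Constructed demo: a harmless random.py placed in a writable directory
    # that sits ahead of the stdlib on the search path.
    demo_dir = tempfile.mkdtemp()
    with open(os.path.join(demo_dir, "random.py"), "w") as fh:
        fh.write("print('this file would run instead of the stdlib module')\n")
    path = [demo_dir] + sys.path
    print("writable entries:", writable_path_entries(path))
    print("shadowed:", shadowed_stdlib_modules(["random", "json"], path))
```

Run it as a script to see the planted file reported while the stdlib json package is not. On the defensive side, the same check explains the fix for the misconfiguration in this room: a script that sudo runs as another user should live in a directory only that user (or root) can write to, and can be launched with `python3 -I` (isolated mode, available since Python 3.4) or `python3 -P` (3.11 and later) so the script's own directory is not prepended to sys.path at all.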
This box still has quite a bit left to do, but we've come to the end of the first half (pun intended). Look out for part two, the sequel to this box!! Ciao, peeps. Have fun and remember the golden rule: 'the quieter you are, the more you are able to hear'.