Welcome to the second part of the box, Wonderland

Recall how we escalated our privileges by abusing a vulnerability in Python’s import function.

We got a shell as the user rabbit and now we’re going to see whether there’s anything that can help us to either pivot to another user or get to the root user.

Let’s see what we can work with.

There appears to be a binary that is owned by root but has the SUID bit set. This means that the user rabbit can run this binary as if they were the root user. Awesome!

Let’s try running the binary and see what it does

The binary runs and then a prompt appears. I tried keying in the command id but got the error ‘Segmentation fault. So let’s try printing the binary’s content to the terminal. There might be some hint on what the binary needs.

I used nano to view its contents and here is what I discovered

A lot of it is encrypted but there’s some cleartext which I have highlighted above.

At some point during the binary’s execution, the echo binary is invoked to print ‘Probably by’, the && sign means that some commands have been chained together and our command is the date command which the ‘echo’ commands prints to the screen.

How about we check the PATH variable to see the path that Bash follows to locate the date command?

We could edit the $PATH variable to include the current directory so that when our binary executes, the date command will be searched for from the current directory before looking in other directories.

Now we create a file called date and populate it with the information “/bin/bash” so that when it is executed, we should get a shell as the user hatter.

Now we have an executable called date. Now we need to edit our $PATH variable so that our date executable can be executed and not the actual date command.

Now we can start running the binary we found in this user’s home directory and see whether our trick works.

Niiice!! Now we have a shell as the user hatter.

Let’s switch to hatter’s home directory and see what information there is.

We have a file called password.txt. My first thought was that this was the root user’s password.

I tried switching into the root user’s account using the password but I got an ‘authentication failure’ error. So this is the user hatter’s password.

Let’s log out and ssh back into this machine again but as the user Hatter.

Since there are no files in this user’s account, it’s time for some automated scanning of privilege escalation vectors.

There are several tools but we are going to leverage linpeas, which is the most common one.

I’m going to copy it from my machine to the target’s machine.

After running linpeas.sh, I had some findings, this is the one that stood out most of all of them because of its shading. We know that if a finding is shaded yellow and red, it is 95% a privilege escalation vector.

It seems like the Perl utility has capabilities set. We know that capabilities can be set on a binary(Perl in our case) to make admin-level kernel calls during execution. Therefore if there’s a misconfiguration, we could abuse the binary with the capabilities to get a shell as the root user. For a more detailed explanation of what capabilities are and how they are set and used, read this blog and this other one.

Now that you have a better understanding of Linux capabilities, let’s head over to gtfo bins and see what we can leverage to achieve our goal.

I found a payload that I could use here.

Upon using it, I got the root shell. Sweet!

If you recall correctly, this box is ‘upside down’ which means that the root flag is in the user Alice’s home directory.

And voila! We got the root flag and successfully pwned this box! Stay on the lookout for the sequel and happy hacking everyone!!