I've never really been a big Alice in Wonderland fan. I don't hate it, but it's not my favorite piece of literature. That aside, I really enjoyed this CTF (except the last part, but we'll get to that later). Get ready to fall into some holes, because we are about to hack Wonderland. 🐰
Okay, first things first. When we start our machine and we navigate to the given IP in our browser, we are given the following objective: "Follow the White Rabbit". Inspecting the page source, we can see that there are no hidden values for us to see, so we need to move on to our enumeration.
Next, run a gobuster scan so we can see if there are any directories which are hidden. There are a few - but the most important one is the /r directory.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u <your machine IP> -t 50
When we go to the /r directory in our browser, it tells us to keep going. Let's run another gobuster scan.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u <your machine IP>/r -t 50
Note that you can skip doing the manual enumeration for each directory by running a normal gobuster scan with a -R flag at the end. We can see that there is a /r/a directory. You can probably guess where this is going (the next one will be /b/b/i/t).
Let's follow the white rabbit to the end by going to the /r/a/b/b/i/t directory! When we inspect the page source, we can see that we have found Alice's username and password for a potential ssh login.
Okay, remember when I said we'd get back to our root.txt and walrus_and_the_carpenter.py files? Well, cd back into the /home/alice directory and let's analyse these files again. We do not have permission to read the contents of the root.txt file, and walrus_and_the_carpenter.py imports Python's random module and uses it to print random lines from a poem.
# contents of walrus_and_the_carpenter.py (I forgot to take a screenshot)
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
............................
............................
And that was scarcely odd, because
Theyd eaten every one."""
for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)
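We can see that Alice can run the /usr/bin/python3.6 walrus_and_the_carpenter.py command (as one single string) to escalate her privilege to Rabbit. Now, we can exploit that random module that is imported above via Python Library Hijacking. This works because Python searches the directory containing the script before the standard library when it resolves an import, so a random.py sitting next to the script is loaded instead of the real module. We will do this by creating a random.py file in our current /home/alice directory, adding contents into it via nano and then running our command.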
Carefully follow the steps below:
With nano opened, insert the following script and save:
import os
os.system("/bin/bash")
Finally, we can commence with our privilege escalation from user Alice to user Rabbit via the following command:
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
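A defender-side check for the misconfiguration used above, as an added example that is not part of the original write-up: it parses a script's imports and reports any that resolve from the script's own directory, and whether that directory is controlled by someone outside a trusted set. The function names, the trusted_uids parameter and the sample files are assumptions made for this example.

```python
import ast
import os
import stat
import sys
import tempfile

def imported_modules(source):
    """Top-level names of absolute imports in Python source text."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names

def audit_sudo_script(script_path, trusted_uids):
    """List ways the script's own directory can influence its imports."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    with open(script_path, encoding="utf-8") as fh:
        modules = imported_modules(fh.read())
    findings = []
    # sys.path[0] is the script's directory, so a file there wins over the
    # standard library. Compiled-in modules cannot be shadowed; skip them.
    for mod in sorted(modules - set(sys.builtin_module_names)):
        for candidate in (mod + ".py", os.path.join(mod, "__init__.py")):
            if os.path.exists(os.path.join(script_dir, candidate)):
                findings.append(("shadowed-import", mod, candidate))
    st = os.stat(script_dir)
    if st.st_uid not in trusted_uids:
        findings.append(("untrusted-dir-owner", script_dir, st.st_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("dir-group-or-world-writable", script_dir,
                         oct(st.st_mode & 0o777)))
    return findings

def build_sample(with_shadow):
    """Constructed sample: a script importing random, optionally beside a random.py."""
    d = tempfile.mkdtemp()  # created with mode 0700, owned by the current user
    script = os.path.join(d, "walrus_and_the_carpenter.py")
    with open(script, "w", encoding="utf-8") as fh:
        fh.write("import random\nprint(random.choice(['a', 'b']))\n")
    if with_shadow:
        with open(os.path.join(d, "random.py"), "w", encoding="utf-8") as fh:
            fh.write("# constructed placeholder\n")
    return script

if __name__ == "__main__":
    for finding in audit_sudo_script(build_sample(True), trusted_uids={0}):
        print(finding)
```

For a sudoers entry like the one in this room, trusted_uids would hold root and the target user; a script living in the invoking user's home directory then fails the owner check even before any random.py exists.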
Fortunately, we can escalate our privilege from Rabbit to root by spawning root privilege via the Echo Command hack (we will do this by modifying our date file in our /tmp directory).
Carefully enter the commands as sequenced below:
echo "/bin/bash" > date
chmod 777 date
Unfortunately, Hatter does not have any sudo capabilities (try this by running sudo -l). Now this is where my struggle started. I used GTFOBins to find a list of binaries that we can exploit to escalate our environments' capabilities so that we can run sudo as Hatter. We will do so via perl.
In your terminal run the command below. I kept on getting permission denied, so I had to restart my OpenVPN connection, and then I got in! Unfortunately, I was so tired by then that I forgot to take screenshots. I guess you can say I fell into a deep hole. 😒
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
Things got pretty messy there at the end, so I apologize for that. I guess this write-up is as upside down as the lab itself. 🙃
I hope that this was easy enough for you to follow, and until next time, happy hacking! 😁
See more on my GitHub.