{THM}Wonderland
Designed to test your enumeration, privilege escalation, and CTF skills. Will you get lost in Wonderland, or manage to leave with the flags?
Just the normal ports. Let's see the web.
Just a normal page; let's check the source code. It may have something valuable.
Let's download the image.
I started by checking the file and its embedded data, but found nothing much. Then I simply tried to extract data from the image without a passphrase. VOILA.
From the hint, it shows the path. At first I thought it was /rabbit, but that returned nothing. Based on the gobuster result, I see /r/a/… so let's presume /r/a/b/b/i/t. And yeah, we got a new page.
This page does not show much. I proceed to the source code.
Really interesting: we find a username:password pair.
With the username and password given, I try to log in over SSH. YUP! Valid credentials, and we're in.
Let's check the files here.
Notice that we found root.txt, but we are not given permission to read it. The other file is a Python script. Let's execute it to see what it is.
It shows only 10 of them. Looking at sudo -l, we see that we can execute it as rabbit.
I took a lot of time here to figure out how to do it; then, looking back at the Python source, I saw that walrus_and_the_carpenter.py
imports the module named random. Since alice can modify Python code there, let's put a payload in it.
Or
Then run it with sudo as rabbit, as shown below.
We're in as rabbit now. Let's go to rabbit's directory. rabbit has one executable file. Let's run it.
Buffer overflow????? Let's trace it. In this case I use ltrace to see what it does (you can download this file and analyse it on your own machine).
From the result above, notice that date is being called with a relative path. Let's put our payload in date.
Now we know date is called every time ./teaParty runs. Executing ./teaParty will show
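The weakness used above is that a script run through sudo as another user imports a module by bare name, and Python resolves that name against the script's own directory before the standard library. As an added defender's check (my code, not the room's or the writeup's), the script below audits such a sudo target: it lists the modules the script imports, reports any already shadowed beside it, and reports whether the script or its directory is writable by the user running the check. The file names and the temporary directory used by demo() are constructed for the demonstration.

```python
"""Audit a Python script that a sudo rule lets one user run as another.

Python puts the script's own directory first on sys.path, so `import random`
in the script resolves to random.py in that directory before the standard
library module. If the invoking user can write there, any stdlib import the
script makes can be shadowed. Added example, not code from the writeup or
the room; demo() builds a constructed scenario in a temporary directory.
"""
import ast
import os
import stat
import tempfile


def imported_modules(source):
    """Top-level module names the script imports (import x / from x import y)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def shadowing_risks(script_path):
    """Findings for one script: imports already shadowed beside it, and whether
    the script or its directory is writable by the current (invoking) user."""
    script_path = os.path.abspath(script_path)
    script_dir = os.path.dirname(script_path)
    with open(script_path) as fh:
        modules = imported_modules(fh.read())

    findings = []
    for mod in sorted(modules):
        for candidate in (os.path.join(script_dir, mod + ".py"),
                          os.path.join(script_dir, mod, "__init__.py")):
            if os.path.exists(candidate):
                findings.append("%s: shadowed by %s" % (mod, candidate))
    if os.access(script_path, os.W_OK):
        findings.append("script writable by uid %d" % os.getuid())
    if os.access(script_dir, os.W_OK):
        findings.append("script directory writable by uid %d (any import can be shadowed)"
                        % os.getuid())
    # group/other write bits on the directory expose it to users beyond the owner
    if os.stat(script_dir).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("script directory writable by group/other")
    return findings


def demo():
    """Constructed scenario: a script importing random, with a random.py beside it."""
    workdir = tempfile.mkdtemp()  # mode 0700, so no group/other finding expected
    script = os.path.join(workdir, "walrus_and_the_carpenter.py")
    with open(script, "w") as fh:
        fh.write("import random\nprint(random.choice(['a', 'b', 'c']))\n")
    with open(os.path.join(workdir, "random.py"), "w") as fh:
        fh.write("# placeholder module standing in for a planted random.py\n")
    return shadowing_risks(script)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run shadowing_risks() as the user named in the sudo rule, since os.access answers for the current user. The fixes it points to are to keep the script and its directory owned by root and unwritable by the invoking user, and to run the interpreter with -I (isolated mode), which keeps the script's directory off sys.path.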
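The finding above, a program that drops to another user and then calls date by a bare name so the caller's PATH decides which date runs, is easy to miss in a long ltrace listing. Here is an added example (my code, not the room's) that parses ltrace-style output, records the setuid/setgid calls, and flags every command handed to system() without an absolute path. The sample listing is constructed to mirror ltrace's line format and is not a capture from the box.

```python
"""Flag commands that a setuid program hands to system() without an absolute path.

A program that switches user (setuid/setgid) and then runs system("date ...")
resolves `date` through the caller's PATH, so whoever runs the program picks
which `date` executes. Added example, not the room's code; SAMPLE_LTRACE is
constructed in ltrace's output style for the demonstration.
"""
import re
import shlex

SAMPLE_LTRACE = """\
setuid(1003)                                     = 0
setgid(1003)                                     = 0
puts("Welcome!"...)                              = 9
system("/bin/echo -n 'Probing... ' && date --date='next hour' -R") = 0
+++ exited (status 0) +++
"""

SYSTEM_CALL = re.compile(r'^system\("(.*)"\)\s*=')
PRIV_CALL = re.compile(r'^(setuid|seteuid|setgid|setegid|setreuid|setregid)\(')
# shell list and pipe separators, so each simple command is inspected on its own
SEPARATORS = re.compile(r'\s*(?:&&|\|\||;|\|)\s*')


def privilege_calls(ltrace_text):
    """The uid/gid-changing calls seen, e.g. ['setuid(1003)', 'setgid(1003)']."""
    return [line.split(")")[0] + ")"
            for line in ltrace_text.splitlines() if PRIV_CALL.match(line)]


def relative_commands(ltrace_text):
    """Command names passed to system() that are not absolute paths."""
    found = []
    for line in ltrace_text.splitlines():
        m = SYSTEM_CALL.match(line)
        if not m:
            continue
        for segment in SEPARATORS.split(m.group(1)):
            try:
                words = shlex.split(segment)
            except ValueError:  # unbalanced quotes in a truncated line
                continue
            if words and not words[0].startswith("/"):
                found.append(words[0])
    return found


def audit(ltrace_text):
    """Combine both signals: relative commands after a privilege switch are the
    classic PATH hijack shape, relative commands alone still deserve review."""
    privs = privilege_calls(ltrace_text)
    rel = relative_commands(ltrace_text)
    verdict = "high" if privs and rel else ("review" if rel else "ok")
    return {"privilege_calls": privs, "relative_commands": rel, "verdict": verdict}


if __name__ == "__main__":
    print(audit(SAMPLE_LTRACE))
```

The remediation the audit points at is the one every setuid program should follow: call binaries by absolute path (or set a fixed PATH before system()) and, better, avoid system() entirely for privileged work.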
We're in as hatter. Inside hatter's directory we found password.txt. It contains hatter's password.
Next we log in as hatter via SSH.
I run sudo -l, but hatter is not given permission to use sudo. find / -perm -u=s -type f 2>/dev/null shows nothing that can be done. Then I try some other ways to escalate to root:
getcap -r / 2>/dev/null
Or (faster method) use linPEAS.
Since we know the entry point to run the payload/exploit, I use GTFOBins:
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
And we're in, just like that.
We found root, but where is user.txt? I checked /root, and user.txt was there.
Capabilities work by breaking the actions normally reserved for root down into smaller portions. The use of capabilities is only beginning to reach userland applications, as most system utilities do not shed their root privileges. Let's move ahead and see how we can use this permission in our task.
Limiting a user's permissions: as we know, giving away too many privileges by default results in unauthorized changes to data, backdoors and circumvented access controls, to name a few. To avoid this, we can simply use capabilities to limit a user's permissions.
Using a fine-grained set of privileges: the use of capabilities can be understood more clearly with another example. Suppose a web server normally runs on port 80, and we also know that root permissions are needed to start listening on one of the lower ports (<1024). This web server daemon needs to be able to listen on port 80. Instead of giving this daemon all root permissions, we can set a capability on the related binary, such as CAP_NET_BIND_SERVICE. With this specific capability, it can open up port 80 in a much easier
Capability              Description
CAP_AUDIT_CONTROL       Allow enabling/disabling kernel auditing
CAP_AUDIT_WRITE         Write records to the audit log
CAP_BLOCK_SUSPEND       Block system suspend
CAP_CHOWN               Allow arbitrary changes to file UIDs and GIDs
CAP_DAC_OVERRIDE        Bypass file read, write and execute permission checks
CAP_DAC_READ_SEARCH     Bypass file read and directory read/execute permission checks
CAP_FOWNER              Bypass permission checks on operations that normally require the filesystem UID to match
CAP_KILL                Send signals to processes belonging to others
CAP_SETGID              Change GID
CAP_SETUID              Change UID
CAP_SETPCAP             Transfer and remove the current capability set to/from any PID
CAP_IPC_LOCK            Lock memory
CAP_MAC_ADMIN           MAC configuration or state changes
CAP_NET_RAW             Bind to any address for transparent proxying
CAP_NET_BIND_SERVICE    Bind a socket to Internet domain privileged ports
HackTricks notes.
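The getcap -r / step earlier in the writeup and the table above fit together: the table tells you which capabilities are root-equivalent when the file carrying them is executable by ordinary users, so a quick triage of getcap output is worth scripting. The following added example (my code, not the room's or HackTricks') parses both getcap output styles (older libcap prints "path = caps+ep", newer prints "path caps=ep") and sorts the results by severity; the sample lines are constructed, and the dangerous set is taken from the table above plus CAP_SYS_ADMIN.

```python
"""Triage `getcap -r / 2>/dev/null` output for root-equivalent capabilities.

Added example, not code from the writeup or the room. SAMPLE_GETCAP is
constructed and covers both getcap output formats.
"""
import re

SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/custom-daemon cap_net_bind_service,cap_dac_override=ep
"""

# Capabilities that amount to root for anyone able to execute the file.
ROOT_EQUIVALENT = {
    "cap_setuid": "change UID",
    "cap_setgid": "change GID",
    "cap_setpcap": "transfer capability sets to other processes",
    "cap_dac_override": "bypass read/write/execute permission checks",
    "cap_dac_read_search": "bypass read/search limits on files and directories",
    "cap_chown": "change arbitrary file UID/GID",
    "cap_fowner": "bypass owner checks on files",
    "cap_sys_admin": "broad administrative operations",
}

# "path = caps+ep" (older libcap) or "path caps=ep" (newer libcap)
GETCAP_LINE = re.compile(r'^(?P<path>\S+)(?:\s+=\s+|\s+)(?P<caps>\S+)$')


def parse_getcap(text):
    """Return [(path, [capability names])] from getcap output in either format."""
    entries = []
    for line in text.splitlines():
        m = GETCAP_LINE.match(line.strip())
        if not m:
            continue
        # "cap_a,cap_b+ep" or "cap_a,cap_b=ep": names precede the flag marker
        names = re.split(r'[+=]', m.group("caps"))[0].split(",")
        entries.append((m.group("path"), [n.strip().lower() for n in names if n]))
    return entries


def triage(text):
    """Findings sorted with root-equivalent grants first: [(path, caps, severity, reason)]."""
    findings = []
    for path, caps in parse_getcap(text):
        dangerous = [c for c in caps if c in ROOT_EQUIVALENT]
        if dangerous:
            reason = "; ".join(ROOT_EQUIVALENT[c] for c in dangerous)
            findings.append((path, caps, "high", reason))
        else:
            findings.append((path, caps, "review", "limited capability, confirm it is needed"))
    findings.sort(key=lambda f: (f[2] != "high", f[0]))
    return findings


if __name__ == "__main__":
    for path, caps, severity, reason in triage(SAMPLE_GETCAP):
        print("%-8s %-28s %-40s %s" % (severity, path, ",".join(caps), reason))
```

A web server carrying only cap_net_bind_service, the intended use from the text above, lands in the "review" bucket; an interpreter such as perl with cap_setuid lands in "high", which is exactly the condition the GTFOBins one-liner in the writeup depends on, so removing that grant (setcap -r on the file) closes the path.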