This is my write up for TryHackMe's WonderLand Room
Enumeration
Nmap scan shows that both HTTP and SSH are running.
Opening the webpage, we see the following:
Running dirb, we see that there's nested directories in this site.
From the first page, let's try following the rabbit. From the above, we note that the path may be http://<IP of wonderland>/r/a/b/b/i/t/.
Trying out this hunch:
Follow the white rabbit indeed!
Looking at the source, we see a user's credentials:
Exploitation
Checking Alice's privileges, we see the following:
This means she can run a python script as another user. We just need to know how to exploit it.
Checking the source code, we see it imports random.
And at the end, it calls a function:
We can then write our own python module as follows:
We then run sudo as rabbit:
Privilege Escalation 1:
Going to rabbit's home directory, we see an executable file whose SUID is set:
Let's inspect the file further.
Looking at the strings, we see that it calls /bin/echo and date.
Note that date has no set path. So we can use path manipulation here.
A good tutorial on path manipulation can be found in hackingarticles.in
Running teaParty, we now become another user:
We even see his password:
Privilege Escalation 2:
Running linpeas, we see that perl has some interesting capabilities.
From GTFOBINS, we find that perl can be used for privilege elevation.
Also, on a side note, we see that user.txt is readable by anyone.
So any user (even alice), could have read the file.
No comments:
Post a Comment