TryHackMe — Wonderland Walkthrough

TryHackMe | Wonderland

This is a short guide for Wonderland machine.

Get the IP address of the machine and perform the nmap scan.

Nmap Scan Result

Port 80 is opened.

Perform Directory Brute force

Perform further directory brute force on /r directory

End up with /r/a/b/b/i/t directory

View source code

Source Code

Connect using ssh with username and password

Running command “sudo -l”

looking into walrus_and_the_carpenter.py

Owned by root and only got read permission by user - alice

python file imports random library

Hijacking Python Library for privilege escalation

create a new file “random.py” and insert the following code

import os 
os.system("/bin/bash")

Now run the walrus_and_the_carpenter.py as user rabbit

Got shell as user rabbit

Looking into rabbit home directory, we find an ELF file named teaParty

Downloaded the file “teaParty” into local machine and decompiled using Ghidra.

uid is set to 1003 (0x3eb) which belongs to user hatter and date command is executed without and absolute path

Time to hijack date.

Create a file name “date” and insert the following code. Also make the file executable.

#!/bin/bash
bash -i

Now add the /home/rabbit (where date file is created) to PATH

export PATH=/home/rabbit:$PATH

Run the file ./teaParty

Now we are hatter

Hatter home directory contains the password.txt file

We can use this password to login as hatter using ssh

As there is nothing more interesting to explore, let’s run linpeas.sh

Running linpeas.sh, found perl with capabilities

looking at the gtfobins,

perl capabilities

Running the command we are root now.

Now you can find user and root flag.

User Flag

Root Flag

Thank you for reading.

Twitter: Vengenace0x0