TryHackMe — Wonderland Walkthrough

3 min readAug 30, 2023


This is a short guide for Wonderland machine.

Get the IP address of the machine and perform the nmap scan.

Nmap Scan Result

Port 80 is opened.

Perform Directory Brute force

Perform further directory brute force on /r directory

End up with /r/a/b/b/i/t directory

View source code

Source Code

Connect using ssh with username and password

Running command “sudo -l”

looking into

Owned by root and only got read permission by user - alice
python file imports random library

Hijacking Python Library for privilege escalation

create a new file “” and insert the following code

import os 

Now run the as user rabbit

Got shell as user rabbit

Looking into rabbit home directory, we find an ELF file named teaParty

Downloaded the file “teaParty” into local machine and decompiled using Ghidra.

uid is set to 1003 (0x3eb) which belongs to user hatter and date command is executed without and absolute path

Time to hijack date.

Create a file name “date” and insert the following code. Also make the file executable.

bash -i

Now add the /home/rabbit (where date file is created) to PATH

export PATH=/home/rabbit:$PATH

Run the file ./teaParty

Now we are hatter

Hatter home directory contains the password.txt file

We can use this password to login as hatter using ssh

As there is nothing more interesting to explore, let’s run

Running, found perl with capabilities

looking at the gtfobins,

perl capabilities

Running the command we are root now.

Now you can find user and root flag.

User Flag
Root Flag

Thank you for reading.

Twitter: Vengenace0x0




Penetration Tester | Trader/ Investor | Cyber Security Enthusiast | Bibliophile