This is a short guide for Wonderland machine.
Get the IP address of the machine and perform the nmap scan.
Port 80 is opened.
Perform Directory Brute force
Perform further directory brute force on /r directory
End up with /r/a/b/b/i/t directory
View source code
Connect using ssh with username and password
Running command “sudo -l”
looking into walrus_and_the_carpenter.py
Hijacking Python Library for privilege escalation
create a new file “random.py” and insert the following code
Now run the walrus_and_the_carpenter.py as user rabbit
Looking into rabbit home directory, we find an ELF file named teaParty
Downloaded the file “teaParty” into local machine and decompiled using Ghidra.
Time to hijack date.
Create a file name “date” and insert the following code. Also make the file executable.
Now add the /home/rabbit (where date file is created) to PATH
Run the file ./teaParty
Now we are hatter
Hatter home directory contains the password.txt file
We can use this password to login as hatter using ssh
As there is nothing more interesting to explore, let’s run linpeas.sh
Running linpeas.sh, found perl with capabilities
looking at the gtfobins,
Running the command we are root now.
Now you can find user and root flag.
Thank you for reading.