TryHackMe! Room: Wonderland CTF - walkthrough

Video Statistics and Information

Captions
And once more we are back. It's TryHackMe, it's a medium difficulty room, it's called Wonderland: "fall down the rabbit hole and enter Wonderland". So this is an old cartoon, it would seem like, so let's go ahead and [Music] check it out. It's, um, [Laughter] all right, we get 28 points if we, uh, get the flag in enrolled.

So anyways, we need to basically just find a way in, so I'm going to do whatever you're best doing: just pasting the IP address in the browser, opening a terminal, typing nmap, running our typical scans. And that's not the IP, no: 10.10.197.184. I'm gonna do a full port scan for this particular case, and I'm going to start up a gobuster scan, directory, -u 10.10.197.184, and I'm gonna do it on wordlist, /usr/share, um, wireless.com. So whenever we've got our nmap scan returning something to us, we're gonna maybe try and see what's going on.

All right, so we have an initial website of a very beautiful, for the white rabbit. So, you know, this is an intentionally vulnerable room, so they might have left some keys for us to find. Well, not the right keys, but, you know, initial, you know, clues and stuff. It doesn't look like we have much to go on right here.

Just, you know, go back to the scan. So basically it's not finding anything. Let's try with normal -Pn, so no ping, no host discovery, and let's do a scan for the most commonly used 2000 ports and see what we find. So it's gonna start nmap, and there we go: 22, standard SSH, and golang, no idea what that is. We could do stuff like, you know, go to Exploit-DB and say golang. I don't think it's a thing. Yeah, this micro what, no, it's not that. So this is just another web server.

So basically what we're gonna do now is to start the gobuster scan. I'm gonna use the common, um, directory, because it's very common. I'm gonna quickly browse through it all. You see how it goes up to 50 pretty fast. We find stuff like index and index.html, and we also found a /r. Let's just go ahead and, you know, off rabbit, how funny: "Keep going." "Would you tell me, please, which way I ought to go from here?" We
should not be going down any sort of hole, but I'm just thinking, why not. In this particular example, let's do it. HTTP, let's go ahead and follow the rabbit, r. Let's run it again, and now we have /a. I see this picture, uh, yeah, nothing there. Let's, all right, let's just put the /a there. How far are we gonna go? b. Yeah, I think we can try one more time. I guess it's, you know, sometimes these follow-the-whatever can lead us to a hole, which is basically called b again. Yeah, so how far did they go, how far did they go, no one really knows. I guess we can try, you know, one more time, and we can continue probably for quite a while just following the rabbit. Maybe we find something. /i, you know, which is the best thing we have so far. It's very interesting.

So what I'm thinking is that this is just another hole we could probably continue to take our way down for, in this amount of time. I want to go back to the very first scan with it, and we need to get the /images. You know, I think we should definitely try to go to /img, and here we have an Alistar image, another door image, and we have a white rabbit image. Now since this room is called white rabbit, I'm gonna take this image here. I'm gonna create a, okay, mkdir rabbit, go into rabbit, if I can spell it would be really good, mamma mia, download the image.

Now we have the image, we can start in with strings on this, because this is what we have to go on, and basically just scroll all the way. This is a horrible thing to do. We, yeah, it's just another image. We can probably do something like steghide extract, and do that on the white rabbit image. And the passphrase, we don't have one. Extracted data: hint.txt. All right then, so cat hint: "follow the rabbit". Um, that's a very good hint, I would say. So in this particular example I would say that, didn't we just, r a b b i t, yeah, so we kind of enumerated what they wanted us to follow. Let's go ahead and do the source, and it looks like we have a hidden element with some password. Let's copy that, save it,
you know, having "how do the little rabbit crocodile improve its shining tail". It looks like we have a password here and a username for SSH. Let's go and try it. Let's go ahead and clear this, clear, set ssh, that is at 10 10 197 97 at 4. That true? Yes. And the password would be for alice, this is the string. Let's see, we're in. So we have initial footstep. Now we are, that was kind of easy.

Okay, anyways, I'm gonna say, okay, so we have a root flag here which is unreadable and writable by root, so that's not gonna be. Then we have the walrus and the carpenter here, which is readable by us. Let's go ahead and cat that out, and it contains a Python script. [Laughter] It's, uh, okay, let's run it. So let's just do it, come on, oh, python, yeah, um, so python3. So it's gonna, you know, output different lines. I don't think that's a joke, but I don't know yet.

We can try and do a cat out of bash history. It seems like it's gonna be empty because they're directing everything to nothing, so who cares. We can try the other bash files, you know, .bash_logout, see what's inside. It seems like, yeah, nothing like that. We can also try to cat out the .profile, and, uh, yeah, just initial. Let's go to the home folder to see if we have our initial flag. We have alice, and am I alice, ms hatter, rabbit, tryhackme. Okay, we have no permissions at all, so we are kind of stuck to this alice folder.

And let's do a sudo -l to see if we can, oh mamma mia, I never remember that password, if we can execute anything, basically. So the rabbit user can execute this command here, and maybe it's, yeah, so it seems like we're going to do something with the Python library. We could also try and do a, as I have a cheat sheet right here, [Music] nope, not the right one. Didn't I have this somewhere? Where did I save it? Um, um, yeah, I don't know. Let's go ahead and [Music] okay, so yeah, it's pretty clear. I'm quite confident. I was about to go to look for SUID files, you know, files that are, except where they're, uh, it can be misused to get higher privilege,
so, but I'm pretty sure we're gonna, you know, misuse this in some way. So, um, it seems like we can do like sudo -u rabbit and then call all of this. Whoops, just a bit too fast. We could do that, that's a really good thing, um, but since this is not exactly what we're gonna do, we need to do more than this.

Okay, we probably need to, let's go inside this walrus. So basically it's importing random, and random, okay. So if I, no, not safe, that will work, yeah. So if I go, can I touch a random.py file? Can I nano into that? Can I save it? Can I do stuff like import os and then do stuff like os.system /bin/bash? Oops. Can I do that, and then basically execute the script? So now we're ready.

Okay, so I don't remember the last one we win, um, [Music] so basically when you have, um, it was a case of a, you know, calling the command tail like that, but instead of having like /bin/whatever, you know, the path for that, the full absolute path, it was just a relative path of tail, so I could create my own command and basically change the path. Very well, in this particular case it's almost the same. We had a, um, let me see if I can, I'm rabbit right now so I cannot do that, but we could, um, yeah, so the import of random: if that file is in the same library as the file we're calling it in, it will try and import it locally. So I'm just creating that, and what's inside of that file is basically just, um, an import of operating system to spawn a new shell, and since this is rabbit, I'm calling it with rabbit, well, basically then it's rabbit's shell that's spawning, which is a shell with the privileges of rabbit.

So let's go ahead and do cd /home, go to rabbit, and tea party. Okay, so we have some very interesting file here. It's a situation here, we can use that. Let's just go ahead and go to, at least one more time, yeah, that's the one, and let's convince the try hacking. Now we can try, actually, what can I do? The password, I have no idea what the possible rabbit is, so I'm stuck with that for now. It is at least
let's go to cd /home/rabbit. Okay, let's have a look at this. Yeah, it's also emptied, so we can of course all try to output the profile. So I think again, to be honest, this is another case of me, all right, this is another case where, you know, let me just see, can I read this? Um, yeah, so root can everything. [Music] We can do, um, let's just, what really happens if I execute that? Go to the tea party: segmentation fault. Okay, very interesting.

I would really like to read tea party, and let's just cat it out. So let's see if we can see what this does. Since strings is not installed, I'm not able to rerun. Um, it's a very small binary. Seems like "the mad hatter will be here soon", echo, bin echo, and date. So, okay, so this is an absolute path, so that's not use, we're gonna use that, but this is date command is being executed, so it can be.

So if I go ahead and touch date.sh, for example, and then I nano into date, and can I save this? Oh wow, I can save that. And then do with the, uh, um, [Music] what is the syntax, is it /bin/bash, and then do stuff like /bin/bash, spawn another shell, and basically echo out the path variable one more time. Okay, and what I'm gonna do now is, it's basically say that it's all need to check this library here for the date. The date.sh file line right here is just chmodded to 7 7.
So anyone can execute it, basically. Not gonna be left out in the wild, right? So if I do, if I do stuff like, um, let me just see, so if I do stuff like export my path, just as a syntax here, and PATH is equal to /home/rabbit:$PATH, and then echo path again, now we can see that I'm also check tap it all. All right, it's a good thing we can just, you know, add it like that. So echo rabbit path, now it's also checking this particular folder.

Let's go ahead and see if we, let me just do this on the clear screen, so clear, ls, let's execute tea party, and I don't know, whoami. No, that's not gonna work, segmentation fault. Um, so if I run this script it's basically, let's just nano into a date. Oh, it's not, yeah, it should not be an sh file. Um, I forgot that. Let's also, let's just make it executable. Yeah, so let's see one more time, yeah, if it's totally. So let's do tea party again. All right, we had a, okay.

Um, so this is just the same thing again. We just cat this out. So we have this binary file called tea party, and basically I'm looking for binaries being called, and I saw the date just standing out there, right there. If they did a full path, like /bin/date, if that's located there, then basically I could not have done this. So I didn't really have to look through anything else, because it looks like jimbo jumble and more jimbo jumble and stuff, but that was a vulnerability, a relative call. I can execute this file, this date binary file, to my own I just wrote right there, and I did not change the, no, the path, if I can write at all, it's really difficult to write a path, there you go. So I check for that file in rabbit, which is just where I'm at right now.

Let's go ahead and do, can I get my flag soon? Oh, it's hatter now. I need to go and turn some hatter passwords. I don't know, I don't know, I don't know what that is. You know, is it 30, is that, it's on a flag, is that a password for hatter, is it? I don't know. Let me just, I'm just gonna, I'm just gonna do this, so ssh hatter at 10 10 10 10 197
that's 184, I'm gonna paste it in. So now we're logged in, this hatter. We have a higher privilege shell, we even have the password. Let's do a, do we have a flag at all? Nothing. Okay, sudo -l, so, hatter, what hatter can, let's see what hatter can do: hatter may not run sudo on wonderland. I'm wondering, where is the user.txt file? Can I just locate that? Where is it? Oh, here we go. I have no idea why I didn't try this before. So we found a user flag. We didn't the hints, yeah, everything is upside down, so I really had to dig it out, you know. It was standard, it sort of was named like user.txt.

And anyways, we need to get root. Let's do cd home. We have anything in, and hatter, I can ask you python, I can, okay, so let's do quit. Let's go to GTFOBins and say I want to find all my SUID files, so let's go ahead and execute that command, see what you find. Um, doesn't look too promising. Okay, oh, we have, what we have, um, yeah, yeah, we had sudo, but I'm quite confident this is not. I want a binary, so it's going to be, you know, I'm going to scroll down and look for it. It's not going to be there, pretty sure, right. Yeah, and we have mount, ping, su is also one of them, but I'm pretty sure that it's not gonna be that. We have no super capabilities. I haven't seen this before, what is that?

And basically just, you know, enumerate your way through. No match. Just try different routes and see what you find, basically. Sometimes it's just a, you know, just a way, yeah, it doesn't, he, we have something with hc, um, we can try that. We still had a, yeah, so not really, not really the right one. Can also do this command, /bin/bash, and then basically call that, and we still had not really anything. We also tried this sudo one, but I'm pretty sure we have no, yeah, so that's not really gonna work, so we need to find an alternative route. What else can we find? Let's see if getting any hints, asking your approach, what is the flag in root. I have Python installed, let's go ahead and see if we can do anything with Python. Basically it's just
another shell. This is what we did to escalate our, reverse upload file file down far right delivery, yes, but Python didn't have, didn't have it set, so that's a pretty, pretty good chance that we cannot, do not give us anything. Basically I can try and do anything, basically, it's, I have no sudo rights, so even with capabilities, I'm going to do sudo again, it's not really going to work, so that is not the way for us.

So I think it's a typical time to boot up where I had her. Um, let's just exit this all the way: exit, exit, exit, exit, exit, exit, clear. Oop, too much. Let's go ahead and wrassle in peace, I need my land, where are you, there you go. So python3 simple, I'm gonna start a python, python3 simple web server, no, that's the one. Let me just, you know, go ahead and get this to my cheat sheet, because sometimes I do need it. So let's go ahead and, yeah, go away, and I didn't really do that. What I did was this web server 9000, and let's go ahead and do, let's do, oops, as wget 10 11 0 2 1 9 000 /linpeas.sh, and downloading that: fail connect 11 0.
Um, what's, oh, I got it, seven. Then linpeas, go ahead and run it. So I'm running the linpeas. It's a beautiful exploitation, um, framework you can download, we're gonna call it script, and we're going to pay attention for the red and yellow, which is 95 privilege escalation. So let's go ahead and scroll down and see the results. This is, so at the moment, one of our better chances to find something. Is this a virtual machine? It's really good. I'm just scrolling through all this pretty quickly. Writable, yeah, more writable stuff, and let's go ahead and see if we can find more interesting stuff off of that. Nothing. Basically we're going to look for, oh, we have something here: we have a Perl script. Let's save this, this is probably our ticket away, so let's go ahead and put it in, and 500 capabilities. Let's just quickly see if we find more, because we've 95 percent privilege escalation vector.

So let's go ahead and go search for stuff like your abilities, Perl, explore, whatever it's gonna find anyways. [Music] Using capabilities, give me something that I can execute. Um, so let's go ahead and look in the, I think I have this HackTricks website I found some time ago. Let me just see if, didn't they, didn't they say exactly where to look? Um, no, yeah, we know that, it doesn't matter. Um, okay, let's, what was the name again, capabilities. Did they give the path? They did not give us a path. Let's go ahead and do capabilities, can I search for that? Come on. Um, you have something good, Perl, here? It doesn't look like it. Let's see, inducing capabilities, oh mommy, let me have some exploit or something malicious shoes. Now it's only, um, yeah, so we need to, instead of this, do the Perl executable to take all this. I think, no, it's Python to Perl version. I don't know Perl that much, I think Perl's a crap language. There we go, it's out. [Music] I see no Perl. So if I do, let me just see one more time, I'm pretty confident that I also had Python, didn't I, but a Python didn't have the, um, yeah, it wasn't, it wasn't the, wasn't set to be
all crazy and stuff, so yeah, not permitted. Um, they're not gonna go that road. We do have Perl, so what we're gonna do now is say I want to take this and say as Perl, can I do that? What, cool ancestors said as Perl, whatever. [Applause] No, I would see that it's not really holding the key for us, so let's go ahead and try, let's try this Perl keeper billy she's privileged. There we go. Okay, so we have something here, that's the lion. Uh, where is root flag? I'm root, oh wow. Where's full flag, where's the root flag, the root flag, where was that, twinkle twinkle, I've, yeah, you know what I'm about to say, come on, there we have it.

So we found the real flag, we successfully rooted this machine. Was a lot of, you know, rabbit holes to go down, a lot of interesting, you know. Without linpeas I'm pretty sure we'd be pretty stuck, you know. At some point I might try Perl, but if we knew we had Perl here, capabilities is induced binary capability is set or is executed by another binary where the cube is certain can be used the backdoor is maintained. All right then, so we, it's the way it is sometimes: you just spend a lot of time, um, finding the binary, finding the file, you know, understanding what you're gonna do. Anyways, we did it, we're so happy, that's a good way, good wait in the evening.

I hope you like this video. If you do so, please consider subscribing to my channel, leave a comment below, like the video. I've started to do some shorts, so YouTube Shorts, so watch them and give me some feedback to the questions I ask. So bye. [Music]
Info
Channel: Security in mind
Views: 1,758
Keywords: capture the flag, capture the flag full movie, wonderland ctf, capture the flag game, capture the flag hacking, tryhackme wonderland, linkedin e learning, udemy wordpress, codecademy, udacity, sans institute, linkedin learning
Id: M03JtrKmGyw
Length: 41min 15sec (2475 seconds)
Published: Sun Jan 16 2022