Wonderland

  1. I started by running a TCP scan on the target via Nmap.

```
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-30 17:11 IST
Nmap scan report for 10.201.119.38
Host is up (0.22s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.39 seconds
```
  1. Visiting the address showed the following webpage

  1. Next, I ran a directory scan via Gobuster on the target and found the following subdirectories.

```
/img
/r
```
  1. /img had the following three image files

  1. I visited the /r subdirectory and got the following.

  1. Next, I again ran a directory scan inside the /r subdirectory and found a /a subdirectory.

  1. I repeated the same step and found a /b subdirectory inside /a. This seemed like a pattern to me, one which spelled "rabbit".

  1. As I was checking the subdirectories, I made sure to look at the page source simultaneously. In the /r/a/b/b/i/t subdirectory I found what seemed like a password.

  1. I logged into the target via SSH using the credentials given and successfully got an initial foothold as the user alice.

  1. I checked the user directory and found two files as follows

```
root.txt
walrus_and_the_carpenter.py
```
  1. I checked the root.txt file but reading it required root permissions.

  2. Next I ran the Python script and got the following output.

  1. My next obvious step was to view its source code.

  1. Here the script was using the random module in Python to output random lines. This gave me an idea. I could create a separate script named random.py in the same directory as this script and add custom code to it to get an elevated shell.

  2. Hence, I created a random.py file in the same directory as walrus_and_the_carpenter.py and added the following code into it.

```
import os
os.system("/bin/bash")
```
  1. I had to give executable permissions to the file using chmod +x random.py.

  2. Next, I had to look for user permissions to escalate my privileges. There were three other users on the device named hatter and rabbit.

  3. I ran sudo -l and used the same password as I had obtained for the user alice and viewed the sudo permissions I had.

  4. I could run the Python script as the rabbit user. Hence, I ran the following command and elevated to the rabbit user.

```
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
```
  1. I viewed the user directory and found the following binary

  1. I ran it and obtained the following output

  1. To understand the file better, I used strings to read the contents. I had to move the file onto the attacker machine first to do so.

  1. Here, in the line that begins with /bin/echo, date is being executed without its full root path being mentioned, hence I thought of using the same approach as before to execute custom code to elevate privileges.

  2. I created a file named date and entered the following code inside.

```
#!/bin/bash
/bin/bash
```
  1. Next, I had to add the working directory to the PATH.

  1. Next, I ran the binary as follows.

  1. As it can be seen, I successfully elevated to the hatter user by overriding the system PATH.

  2. I checked the /home/hatter directory and found a password.txt file with the following contents

```
WhyIsARavenLikeAWritingDesk?
```
  1. To get a proper interactive shell I logged in to the target as hatter via SSH using the given password.

  2. Next, I tried to manually enumerate to get root access but found nothing. The last option was to use LinEnum to automatically enumerate for vulnerabilities.

  3. After the scan I found a capabilities attack vector as follows.

  1. The perl binary seemed interesting, hence I went to GTFOBins like always to look for possible methods to abuse perl and get a root shell.

```
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
```
  1. I used the above command on the target.

  1. As you can see, I successfully elevated my privileges to the root user. Now obtaining the flags was the only thing that remained.

  2. I obtained the root.txt flag from /home/alice directory and the user.txt flag from the /root directory.

That was it for this room. See you in the next one.
