Hello, everyone. My name is John Hammond and welcome back from the YouTube videos to looking at some TryHackMe. Off the tails of Looking Glass, I want to showcase Wonderland, which was the original, I guess, series of Alice in Wonderland themed rooms. We have the IP address here, and it's just another challenge room. So all it needs is user.txt and root.txt. We don't really have any guidance. I do, of course, have the flags already in here because I have reviewed this previously, so please forgive me for that. But I'll showcase how to get each of those little tidbits and we'll dive in. I'm going to go ahead and make an nmap directory and I will nmap the box to start us off, as I always do. Let me go ahead and run with -sC for default scripts, -sV for enumerating versions, and -oN to save it in nmap format, and I'll save it in that nmap directory that I just created with the file name "initial". I'll let that go. As I normally do, I do like to just go ahead and poke to see if there is a web interface here, or whether it's running a web server maybe on port 80. In this case it is. It says "Follow the White Rabbit." "Curiouser and curiouser!" cried Alice. She was so much surprised that for the moment she forgot how to speak good English. Okay. Looking at the source code, which I'll check with Ctrl+U on my keyboard, I see a main.css. I do like to check these static files just in case they hide anything in there. There's a kind of custom image; I guess we could download this and, if we needed to, run some steganography or do some other file tricks on that, but let's actually start to enumerate that web service. I'll fire off Nikto and I'll also slap that into a nikto.log, and let's do the same for gobuster: gobuster -u with the IP address. I'll specify the wordlist as my /opt directory-list medium, which typically comes with DirBuster. Don't forget I need to specify that dir argument there to start off gobuster. I'll let that run, and it looks like our nmap scan has finished. So I'll look at it. Looks like we have port 22 open for SSH, simple as usual, and regular standard Ubuntu Linux that we're working in, and of course just our port 80 web server. The Golang net/http server was kind of interesting; you don't often see that. But it says "Follow the White Rabbit." Peculiar. Checking out our gobuster results, I see an interesting entry already for /r. I'll take a look at what that is. I'll go to /r and it says "Keep Going. Would you tell me, please, which way I ought to go from here?" If you wanted to, you could slap this right back into gobuster and it would find something new in that /r directory. But I kind of picked up on the theme: if we're following the White Rabbit and our first letter is r, maybe we'll find an a. Yep, and a b, and you can see in the URL we're slowly spelling out the word "rabbit". So we'll slap those in, and there we go: "Open the door and enter Wonderland." Now we have a little bit more. "Oh, you're sure to do that," said the Cat, "if you only walk long enough." Alice felt that this could not be denied, so she tried another question. "What sort of people live here?" A Hatter in that direction, the March Hare in that direction. Yeah, I thought this was weird. Okay, is there going to be anything more in here? Is there going to be an /h to get to Hatter, or is there going to be something else for other things? I thought, okay, let's go ahead and take a look at this new image. Is there any steganography in this? No, those didn't seem to particularly work for me. As I was staring at the source code I noticed, and it actually slipped right under my eye the very first time because all this text kind of threw me off, that there is a little paragraph tag that is purposely hidden. There's a CSS style here to not display this, and it's simply, seemingly, credentials.
So alice, maybe, as a user. That colon kind of indicates, okay, this is a username and a password. So let's try to simply SSH in with that. I will go ahead and just slap that in so I have it available to me, and then I'll go grab this IP address because I constantly forget that. It will ask me for the password. I'll say yes to accept the key and enter the password. There we go, now I am logged in as alice. Peculiar, okay. There's a root.txt in this directory, which is kind of funky. I guess we can't read it; it's owned by root, so kind of a jerk move. I guess there's a root.txt in a regular user directory, so maybe we'll see a user.txt in the root directory. Not peculiar enough, though: there is a walrus_and_the_carpenter.py file, just a little Python script. Sorry, I guess my face is in the way, you couldn't really see that well. Let's take a look at what that is. Whoa, what is this? I can see some code here: for i in range(10), it'll choose a random line from the poem. And this is a giant long poem that's just stored as a string variable, and they're using it with that random module in Python. Okay, so I wonder if this is actually executed. I wonder if this is run from anything. Let's upload /opt/linpeas just to run it. Did that go through? Yep, looks like it did. Okay, so I stored that in /dev/shm with pwncat, just to kind of have a spot for it. And okay, LinPEAS will just fire off. I'll let this run and I'll pause the video while this goes. Okay, it looks like there are some results now we can review. An older sudo version, which is kind of interesting; maybe we could abuse that somehow, potentially. I am scrolling through here kind of quickly because LinPEAS does a really good job of highlighting what could be a potential privilege escalation technique, and nothing is sticking out extremely well. Oh, they are running cron, though. I can see that running as root, so maybe there'll be an interesting crontab, or like a peculiar thing where they'll run that interesting Python script we found. I'm in the cron section here now, but I don't see anything new. It doesn't look like they actually run it. Odd. Oh, I wonder if our user can run sudo commands to invoke that as another user or something. Some hostnames, and it shows the hosts file. Nothing. All that is gimmicky. Another trip on the sudoers directory, so we could check that out, see if there's anything odd in there. No MySQL. Sorry, I'm scrolling through here kind of quick because nothing is standing out. Interesting files. Oh, setuids, okay, cool. That's normally a good thing to take a look at; those might be quick, easy wins for privilege escalation. SGID doesn't have anything odd or out of place. Capabilities has more entries than it usually does. Normally you just see mtr-packet in here. perl has the setuid capability. When you see that, that's usually a big thing, because if you can set the user ID then you can effectively become a different user. So that might be used for privilege escalation; we should definitely check that out. There's our walrus_and_the_carpenter, blah blah blah. A lot of output, sorry. Okay, okay, I don't see anything else extremely good. I want to check out that perl thing. Can I just run perl? No? What? Why can I not run perl? Let me ls -l on that. It's owned by root, and it's in the hatter group, which is weird; that's not normal. But hatter can execute it, and no one else can. Okay.
So it looks like hatter is kind of the keys to the kingdom: if we get into hatter, we could probably just run perl with the setuid trick and it's an instant win. If we can setuid into root that would be handy, but we need to get into hatter. LinPEAS always trips up on that sudoers.d and the sudoers directory. Can I cd in there? ls, not cat. alice. We have README, which I can't read. We have alice, and oh, alice can do something: she can run as rabbit /usr/bin/python3.6 /home/alice... Well, okay. So I would be able to find that just with sudo -l, wouldn't I? Because I know alice's password. And I should probably write that down, like in a README or something. Yep, so she can run python3.6 /home/alice/walrus_and_the_carpenter.py. Good. Let's mess with that. Because this script, if I go back to my home directory, this is a Python script that's running out of the context of our home directory, and because I can create other files in my home directory, and this Python script imports the random module, we could take advantage of one neat trick that Python will do when it's trying to import modules. Python searches for modules in like three different places. The very, very first thing it will do is search for modules and libraries and packages in the directory of the script that you're trying to run. That's the very first place it looks, and that takes precedence over all the others. The other locations are like the system libraries and the Python package libraries, etc. So all we need to do is create a fake, malicious random.py, a Python module that will have the same name as the Python package. And since Python modules are really just Python scripts and they can be anything, because we can define this in our home directory, we could just slap in some other malicious code, or make a connection back out to us.
So we could do that, or we can actually just do a little system call. If I import os, can I just do import os; os.system("/bin/bash")? And I guess I'll use -p just to be safe, but I don't think that should matter because we're running this with sudo. Does that work for me? Let's try it. I'll run that sudo -l, and I need to run as the rabbit user. So when I invoke walrus_and_the_carpenter it will run import random, and my random.py will take effect, and that will just import os, the real module, and start off /bin/bash. And I should be able to work with it and invoke it. Let's try that. So I'll sudo -u to run it as rabbit. I'll slap that command in. And now I'm the rabbit user. Okay. Where am I? I'm just in my home directory. No, I'm still in alice's. So let's go into /home/rabbit, because I can do that now. And we have teaParty. Ah, okay, what the heck is this? What is teaParty? It is lit up in red, so that kind of indicates to me that this might be a setuid binary, which is owned by root. Interesting. Will that just grant me root? I would think so. Can I? What is teaParty? It's a binary. Okay, setuid, setgid. Can I run teaParty? "Welcome to the tea party! The Mad Hatter will be here soon, probably by" Thursday, which is the time of recording, August 20th, an hour from now. "Please ask very nicely and I'll give you some tea while you wait for it." Please. Okay. Okay. Can I see what this is actually doing with strings or something? I don't have strings. Great. Let's download that file. I'm going to use pwncat again, just so I can quickly spin up the little netcat thing to do that. That is that IP address, and I want the teaParty file in the current directory, so please pull that down. Got it. Now I have teaParty in my current directory. So let's check out the strings of teaParty. I realize I'm working through Quake here; I'm sorry, that's probably not the easiest to read. But "Welcome to the tea party! The Mad Hatter will be here soon." Regular echo command, and they're using the full path for echo, so I can't really abuse that, probably. But they are using date without a full path prefix, so I could abuse that. They're just passing the arguments to date to get the next hour. Does that behave differently? Wait, is "Segmentation fault (core dumped)" a string? That's hilarious. So is that normal? Let me mark teaParty as executable and just run it. If I ltrace that, it just prints it out on the screen, waits for my input, and then it puts "Segmentation fault". That's not a real segmentation fault. That's awesome. All right. Sweet. Okay. Anyway, we know a plan of attack right now, right? date. It invokes date. Could we actually modify the date command that's run in PATH? Is there any location that we control? Let me just try to make things. Oh, that doesn't work. Not that location. What about here? None of those work. All these are just going to end up being system directories, so I don't think I can put anything in those. I might be able to just make our own directory. I mean, obviously I can; it's my home directory. But if I just specify something here, will that work? Let's do the PATH variable in this location. Let me make a date file. I'll use nano; everyone can hate me because I don't use vim right now, anyway, at least. And let's just run bash, right? Will that work? Again, I'll use -p, and I think I do need to stick with that -p because that one will be setuid. Let's try that. So if I chmod a+x date and if I run date, it'll use the new bash session and exit will keep me. So I did invoke a second layer of bash there. If I take a look at SHLVL, the environment variable, right now, then if I run date and take a look at SHLVL again to see what level of shell I'm on, it looks like I've advanced. Okay. So now I need to add this into my PATH.
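The PATH lookup that the teaParty attack relies on, as an added example (not the room's binary or the commands typed in the video): a Python stand-in for teaParty runs the same unqualified `date` through /bin/sh, and the demo compares a normal PATH against one with an attacker-controlled directory prepended, which is what the `export PATH=...:$PATH` step does. The stand-in, the fake date script and the `--date='next hour'` argument are constructed assumptions; the real binary is setuid/setgid and its exact arguments are not reproduced, so here the hijacked command simply runs as the current user.

```python
"""Added example: a command invoked without an absolute path (here `date`)
is resolved through PATH, so whoever controls the first matching directory
on PATH controls what runs. The setuid/setgid teaParty binary in the room
does exactly this with `date`, while `echo` is called by full path.

The binary stand-in below is constructed for the demo and is not setuid.
"""
import os
import stat
import subprocess
import tempfile

# Constructed stand-in for the attacker's ./date. In the room this is
# `#!/bin/bash` + `/bin/bash -p`, or a reverse-shell one-liner; here it
# prints a marker so the effect is visible without an interactive shell.
FAKE_DATE = "#!/bin/sh\necho HIJACKED-DATE\n"


def tea_party(env):
    """Stand-in for the binary's system() call: echo uses its full path (not
    hijackable), date does not. `--date='next hour'` is assumed from the
    video's description of the arguments; stderr is dropped so a non-GNU
    date on the demo host does not clutter the result."""
    cmd = "/bin/echo 'Welcome to the tea party!'; date --date='next hour' 2>/dev/null"
    proc = subprocess.run(["/bin/sh", "-c", cmd], env=env,
                          capture_output=True, text=True)
    return proc.stdout


def plant_fake_date(attacker_dir):
    """Drop an executable `date` in a directory we control (chmod +x)."""
    fake = os.path.join(attacker_dir, "date")
    with open(fake, "w") as f:
        f.write(FAKE_DATE)
    os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)
    return fake


def hijacked_path(attacker_dir, base_path):
    """Equivalent of `export PATH=/tmp/attack:$PATH`: our directory first,
    the original PATH after it so everything else keeps working."""
    return attacker_dir + os.pathsep + base_path


def demo(base_path="/usr/local/bin:/usr/bin:/bin"):
    """Run the stand-in with a normal PATH and with the hijacked PATH and
    return (normal_output, hijacked_output)."""
    with tempfile.TemporaryDirectory() as attack_dir:
        plant_fake_date(attack_dir)
        normal = tea_party({"PATH": base_path})
        hijacked = tea_party({"PATH": hijacked_path(attack_dir, base_path)})
    return normal, hijacked


if __name__ == "__main__":
    normal, hijacked = demo()
    print("normal PATH  :", normal.strip().replace("\n", " | "))
    print("hijacked PATH:", hijacked.strip().replace("\n", " | "))
```

Two practitioner notes. First, this works against a setuid binary you execute directly because the kernel does not sanitize PATH for it; the same trick does not reach a command run through sudo, whose default env_reset and secure_path replace PATH before the command starts. Second, glibc's system() runs the command through /bin/sh, which does not drop an elevated effective UID, whereas bash does unless started with -p, which is why the fake date in the video has to call `bash -p` to keep the elevated UID.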
We export that PATH variable to be this location and the original PATH as well, because that way it will reach our malicious fake date command first, which will actually just give me access as that user, before it reaches the real date command, because that original string, when we saw it, isn't going to be using an absolute location as a prefix for that binary. So let's just ./teaParty. And there we go. You can see, right where it would have filled in the date command output, it actually just gave me hatter@wonderland. And now I am that user. Okay. Awesome. Oh, and now that we're hatter, remember hatter was the one that could actually run perl. So perl... did that work? Oh, sorry. which perl? What's happening? Is that a command that I can run? which perl? perl? I'm very confused. Oh, oh, oh, oh. It's because my current UID is that, but I'm still not the real hatter right now. I don't have his GID. No. lmao, lmao, lmao. Okay. Let's not use that date then, because when I use -p, it'll keep my setuid privileges, but it's not going to keep my GID privileges for group ID. And that perl command was the one that had the actual group set to hatter. So let's mess with that a little bit more. Go into our attack directory. Let's modify our date, and let me just slap in some pwncat syntax. There we go. Okay. Regular reverse shell. pwncat shows that port, so we'll keep that listening and waiting. I will mark that as a black background so you can see it a little bit better. Run it. And if I go back to ./teaParty over here on the side, I'll make it real big: ./teaParty. There we go. Now you can see pwncat firing off, and I should be exactly hatter at that point, because that shell will run as him, not just with bash -p. We'll see if that'll work. Fingers crossed. /bin/bash. That's good. As much as I love pwncat, I wish it were a little bit faster. Yeah. Yep. No, still GID rabbit. Wait a second. Wait a second. Do I... hatter. cd hatter. Oh, hatter has a... what the heck is that? cat password.txt. "Why is a raven like a writing desk?" Is that the password for hatter? Yes, it is. Okay. So now I'm, now I'm the real hatter, with, yes, the proper group ID. So I should be able to actually run perl. Yeah. Yeah. Yeah. Yeah. So if I ls -l on that, we know perl is the binary that has setuid capabilities. Let's switch my prompt back, because I like that, like the pwncat prompt. Let's go ahead and do that perl trick and technique. I think, yeah, you can just search for perl setuid capabilities, and it's actually in GTFOBins. GTFOBins has an entry for that, down at the very, very bottom. All of those are just setting up, okay, the setuid, but perl -e with this syntax will just give it to you. So let me copy that, slap it in, and there we go. whoami? I'm root. Because that ran with sh, it doesn't look all that good, and if I were to run it with bash, I would have to make sure to run -p. There we go. So now I keep it as root. I don't think pwncat will actually know to use capabilities yet. Oh, sorry. I need to get into /root, and root has a user.txt, and alice is the one that has a root.txt. So cat /home/alice/root.txt. Little funky backwards Alice in Wonderland gimmick. So there you go, we've rooted the box. I don't think pwncat actually knows to do privileges or capabilities; if I were to try privesc -e to get to root, -u root, it'll look for things, but all the GTFOBins that I think we have in there don't cover capabilities yet. So that might be worthwhile to tinker with, for me personally or any of you, if you're interested in helping out with pwncat and some of the automated red team stuff, automated escalation and things. I could let that run and I'll see if there's anything that comes from it, but it looks like it's finding all those setuid binaries. It thought it had a password foobar, but it does not. I'll move my face. Yeah. Okay. Let me actually dive into that, because you guys might find it kind of interesting, and sprinkle in some extracurricular content. In the pwncat directory, in the data directory, excuse me, it's under pwncat's data, there was a gtfobins.json, which is a file that I had created and poured a ton of time into as to how it will actually do privilege escalation if it finds a setuid or sudo binary that it can abuse, and really how it could abuse it, between, okay, a write permission or a read permission or just simply getting a shell. We don't actually have functionality for capabilities in here, though. That would be really good to add, if anything so we can run through this room and any other rooms that will do this. So that would be slick. I need to do that, or maybe a call to action for you guys to come help out with that project. Okay. That's it, everybody. We made it to root. We solved all the problems, we submitted those tasks, and we finished the Wonderland room. So thank you guys so, so much for watching. If you did like this video, and I hope you did, please do press that like button. Maybe leave a comment, maybe subscribe. You know, I'm super duper grateful. I know I've been going hard on TryHackMe videos lately, because I think they're fun to do and I enjoy them, but I know I need to sprinkle in a little bit more extracurricular stuff. Maybe do some rock and pour him. Some people are asking for a long hub. Obviously, to give some love to Hack The Box a lot more. There's just too much for me to do. But thank you so much for sticking with me and supporting and being a part of this incredible community. So thank you. Thank you. See you in the next video, guys.