🕳️
The Cyber Security Library
  • The Library
  • Offensive Security
    • Solar, Exploiting log4j
      • Reconnaissance
      • Discovery
      • Proof of Concept
      • Exploitation
    • Basic Authentication Bypass
      • Username Enumeration
      • Brute Force
      • Logic Flaw
      • Cookie Tampering
    • Insekube
      • Recon with Nmap
      • Checking out the web address
      • Creating a Reverse shell
      • Inside the Kubernetes pod
      • CVE-2021-43798
    • Snort
      • What is Snort? (For the uninitiated)
      • Task exercise
      • Traffic Generator
      • Brief overview of IDS and IPS
      • Checking Snort
      • Snort Sniffer mode
      • Packet Logger mode
    • Runtime Detection Evasion
      • Learning Objectives of AMSI
      • Runtime detections
      • AMSI Overview
      • AMSI Instrumentation
      • Powershell Downgrade
      • Powershell Reflection
      • Patching AMSI
    • Red team recon using OSINT
      • Taxonomy of Reconnaissance
      • Built-in tools
      • Advanced Searching
      • Specialized Search Engines
  • Malware
    • Introduction to Malware Analysis
      • What are the different types of malware analysis
      • Doing different types of analysis
      • Anti analysis techniques
    • Ransomeware: Maze
    • Exploring Steganography
    • Simple Trojan with Python
      • The Python Trojan
      • Breaking down the python code
  • Vulnerability Management
    • Nessus
      • Introduction
      • Nessus Essentials
      • Scans
      • Authenticated Scans
      • Results
      • Running custom scans
  • Cloud
    • AWS
      • AWS CDK: Deploy and using amazon SQS Que from Repo
        • Node modules and Bootstrapping troubleshooting
        • Sending and Receiving information from the stack
        • Destroying the stack and cleaning up
      • Using Different AWS Services with Splunk
        • AWS Config
          • How Does Config work?
          • How to enable Config
          • Settings
          • Aggregation
          • Creating Config Resource
          • Creating Aggregator
          • Adding Rules
        • CloudTrail
          • What is CloudTrail?
          • Features of CloudTrail
          • Benefits of CloudTrail
          • CloudTrail Event History
          • Securing CloudTrail
        • EventBridge
          • Configuring EventBridge and Event Patterns
          • EventBridge Targets
        • CloudWatch
          • The CloudWatch Dashboard
            • Virtual Machine
          • CloudWatch Alarms and Metric Filters
            • Searching logs using metric filters
            • CloudWatch Alarms
          • CloudWatch CIS Alarms
            • SNS
        • Configuring VPC Flow Logs
          • An introduction to VPC flow logs
        • Automating Incident Response with EventBridge
          • Creating Lambda functions
        • CloudTrail SIEM Integration (Splunk)
          • AWS architecture for integrating with Splunk
      • AWS DevOps EBS Volumes
        • CloudWatch
        • EBS Volume
        • Lambda
      • EKS Creating a deployment with AWS in the command Line
        • Setting up AWS Cloud9
        • Creating a Cluster
        • Creating Deployment
      • How to CloudShell SSH in to ec2 Instances
    • Azure
      • Worker CTF (Azure DevOps)
        • Enumeration
        • Using SVN
        • Exploring the Domain
        • Cracking Azure DevOps console
      • Software development environments and Azure DevOps pipeline abuse
        • Accessing Azure Devops
        • Exploring Project Pages
  • Splunk
    • Splunk SIEM Integration
      • AWS architecture for integrating with Splunk
    • Splunk Threat Hunting Ep.6 Credential Access
  • DevOps
    • Using AWS, Docker, Jenkins and SonarQube to improve code quality
      • Updating the Cloud Instance and Getting Docker
      • Installing SonarQube
      • Creating Jenkins Server
      • Manaing SonarQube and Jenkins
    • Creating a Codebuild project and getting the output with CloudWatch Logs
      • IAM
      • CodeBuild
  • CTF's
    • THM Wonderland
      • Nmap and Gobuster
      • Entering Wonderland
      • Privilege Escalation
    • Healthcare OpenEMR system -THM Plotted EMR
      • Recon with Nmap
      • Exploring the ports found
      • Gobuster
      • Searchsploit Open emr
    • Steam Cloud CTF Exploiting Kubernetes
      • SteamCloud Privilege Escalation
    • THM Flatline CTF
      • Recon with Nmap
      • Searchsploit for freeswitch
      • Using the exploit
      • Escalating my privileges
      • Gaining access inside the Windows RDP
    • Biteme CTF
      • Recon
      • Looking into the PHP code and decoding hexadecimal
      • Python script and Bash script
      • Bruteforcing MFA Code
      • Trying to gain access via SSH
      • Inside SSH
      • Fail2ban Privilege Escalation
    • Devoops CTF
      • Enumeration
      • Exploiting Web Page
      • Creating Python exploit
    • GoBox CTF
      • Enumeration
      • Using Burpsuite and creating Reverse shell
    • Explore: Android Box
      • Enumeration
      • Initial foothold
      • Privilege escalation
Powered by GitBook
On this page
  1. CTF's
  2. THM Wonderland

Privilege Escalation

PreviousEntering WonderlandNextHealthcare OpenEMR system -THM Plotted EMR

Last updated 2 years ago

Finding User file:

First I used sudo-l to check my privileges

So I can run a command as rabbit. interesting. I looked at what this python file was. I've cut most of it out (of the screenshot) as it was a poem.

It seems to import random which is convenient. We can do something called python library hijacking. If we place a random.py file in the same directory when import random runs it will use our python file instead of the random.py library python file.

Now as you can see I have successfully created a shell as "rabbit"

Now in rabbit I looked around the directories and a binary called tea party

Initially I wanted to copy the file back to my system using python3 and http server then making a strng on the file in my main system to see the kind of calls it makes and ultimately hijack the path and take over the date binary but that did not work (for me)

instead I tried a different. First I needed to give myself permission to download the file while in the rabbit shell with "chmod 777 /home/rabbit"

Then in a new terminal tab I would use sudo scp (secure copy protocol)

I can still analyse the binary file using strings

As we can see the echo is being called by its absolute path but the date is not being called, something I can try to exploit with the environment variable priv escalation method.

I create a nano file called date

What i am doing now is, I am using home rabbit as one of the paths in the env variable. Now when the file starts to look for a date it is going to look through the path i created which should run bin/bash giving me shell access.

it didnt initially work, but after a slight chmod change to executable permission it worked.

2 ways to move forward, we can do standard enumeration using linpeas and see that /usr/bin/perl has cap_setuid+ep capabilities or use a quick command that is specific for listing capabilities for binaries for further exploitation "getcap -r / 2>/dev/null"

Im going to look for the capabilities regarding perl. First I need to go to GTFObins and select perl > capabilities which should get me the command

I've tried previously to execute the command but there was a password requirement. I thought to look around and found it within the hatter directory. Even though I found the password I was still not able to run the command.

So i decided with the password and the information I already have, I could just SSH into hatter@ip and try to execute the command there.

Now that I am root I can find the files I need for the flag

creating my random py script
what i wrote in python script