Wonderland Tryhackme Walkthrough


Stefanie Mordaunt

Aug 5, 2024, 12:54:58 PM
to whizumittpa
Wonderland is a freely-available capture the flag (CTF) challenge created by NinjaJc01 on TryHackMe. In this CTF walkthrough, we will fall down the cybersecurity rabbit hole and enter a strange pentesting wonderland!

In this command, the -c option followed by a number allows us to specify how many times we want to send the packet. Without this, ping will continuously send its packets until it is interrupted with a ctrl-c.


If we get a response from the target machine, it will mean it is indeed online and accessible from our system. However, the opposite is not true: not receiving a reply does not mean the system is inaccessible. A firewall might be inhibiting its replies for security reasons.


Steganography is a neighboring practice to cryptography. It consists of hiding information inside another message or object. For example, we might hide a message, an image, a video, or any other file inside another file, video, image, or message.


This is our opportunity to create our own random.py script in the same directory as walrus_and_the_carpenter.py (/home/alice/). When it executes, Python will first search for random.py in the current directory (/home/alice). It will find our own script and will import it right away without looking any further. It will therefore execute our malicious version of random.py instead of the Python library module. But what should we put in our script? We have a thousand and one options, including two that we will explore below.


Although slightly more complex than the previous option, this method can prove to be particularly useful since it essentially creates a backdoor for us. If we ever get disconnected from the Wonderland machine, for example, we will be able to reconnect without going through Alice. In more complicated CTFs, leaving this kind of key behind will work as a checkpoint to save our progress, and will avoid us having to restart a multi-stage exploit, depending on how difficult it is to obtain a shell.


In order to do that, we need to open the Decompiler window if it is not already open, by selecting Window > Decompiler. Then, in the Symbol Tree menu on the left-hand side of the window, we can find the main function. Clicking on it shows the translated C source code in the Decompiler window.


The first thing we might notice is that the segfault is not even a real segfault! And there is no countdown of any kind, which means there is no hope for the Mad Hatter to ever arrive at the time the program states!


First of all, this teaParty program sets the user identifier to 0x3eb with setuid. A small hexadecimal to decimal conversion shows that is 1003. If we hop back to the Wonderland machine, we can discover that the id belongs to Hatter with the id 1003 command. So Hatter is the one that will be executing the rest of this process, not root or Rabbit.


The teaParty program was sensitive because of its ability to set a user ID with setuid. And the fact that it called an external program without specifying an absolute path to it made it vulnerable to our manipulation of its environment. Inappropriate use of setuid is therefore a security risk when an executable is not carefully designed.


Finally, the Perl misconfiguration that gave it the setuid capability allowed us to switch user IDs as we saw fit. This capability to manipulate the user ID of the current process is also a security risk. It should not be granted to executables lightly.
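The steganography paragraph above describes hiding one file inside another without showing the mechanics. The following is an added example, not code from the walkthrough or from the Wonderland room, that implements the simplest variant: least-significant-bit (LSB) embedding over a constructed byte buffer standing in for an image's pixel data. The carrier, the message and the 32-bit length prefix layout are all assumptions made for this example; `changed_positions` gives the defender's view of how little the carrier changes.

```python
# Added example (not from the original walkthrough): least-significant-bit
# steganography over a constructed byte buffer. Each carrier byte lends its
# lowest bit, so an 8-bit pixel/sample moves by at most 1 and the carrier
# still "looks" unchanged to a casual viewer.


def embed_lsb(carrier: bytes, secret: bytes) -> bytes:
    """Return a copy of `carrier` whose low bits carry `secret`.

    Assumed layout: a 32-bit big-endian length prefix followed by the
    secret, one payload bit per carrier byte, most significant bit first.
    """
    payload = len(secret).to_bytes(4, "big") + secret
    bits_needed = len(payload) * 8
    if bits_needed > len(carrier):
        raise ValueError(f"carrier holds {len(carrier)} bits, need {bits_needed}")
    out = bytearray(carrier)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            out[i] = (out[i] & 0xFE) | bit  # clear bit 0, then set it
            i += 1
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Recover the secret embedded by embed_lsb, validating the length prefix."""

    def read_bytes(bit_offset: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[bit_offset + b * 8 + k] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(stego):
        # A carrier with no payload yields garbage here; refuse rather than
        # read past the end of the buffer.
        raise ValueError("length prefix exceeds carrier: no LSB payload or corrupted")
    return read_bytes(32, length)


def changed_positions(carrier: bytes, stego: bytes):
    """Defender view: (number of bytes that differ, largest per-byte change)."""
    diffs = [abs(a - b) for a, b in zip(carrier, stego)]
    return sum(1 for d in diffs if d), max(diffs)


# Constructed carrier: 4096 deterministic "pixel" bytes stand in for an image.
CARRIER = bytes((i * 37 + 11) & 0xFF for i in range(4096))

if __name__ == "__main__":
    hidden = embed_lsb(CARRIER, b"Follow the white rabbit")
    print(extract_lsb(hidden))
    print("bytes changed, max change:", changed_positions(CARRIER, hidden))
```

The per-byte change of at most 1 is exactly why LSB payloads survive a visual check; it is also why statistical tests on the low-bit plane, rather than eyeballing the file, are the practical way to spot them.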
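The random.py trick described above works because the directory of the script being run is searched before the standard library. The following added example, not code from the walkthrough, reproduces that resolution order in a temporary directory using the import system's own `PathFinder` (nothing is executed) and shows two defender-side checks: listing files that would shadow standard-library modules, and the search order Python uses under `-I` (isolated mode, which drops the script directory from `sys.path`). The temporary directory, the stand-in random.py and the fallback module-name set are assumptions made for the example.

```python
# Added example (not the walkthrough's code): why a random.py next to the
# script wins over the standard library, and how to check for it.
import importlib.machinery
import os
import sys
import tempfile

# sys.stdlib_module_names exists from Python 3.10; this small set is a
# constructed fallback for older interpreters.
FALLBACK_STDLIB = {"random", "os", "sys", "json", "subprocess", "socket", "hashlib"}


def resolve_origin(module: str, search_path):
    """Path that `import module` would load from, given this search order.

    Uses importlib's PathFinder so the candidate file is located, not run.
    """
    spec = importlib.machinery.PathFinder.find_spec(module, list(search_path))
    if spec is None or not spec.origin:
        return None
    return os.path.realpath(spec.origin)


def stdlib_shadows(directory: str):
    """Names in `directory` (module files or packages) that shadow the stdlib."""
    names = getattr(sys, "stdlib_module_names", FALLBACK_STDLIB)
    hits = []
    for entry in sorted(os.listdir(directory)):
        full = os.path.join(directory, entry)
        stem, ext = os.path.splitext(entry)
        is_module = ext == ".py" and os.path.isfile(full)
        is_package = os.path.isdir(full) and os.path.isfile(os.path.join(full, "__init__.py"))
        if (is_module or is_package) and stem in names:
            hits.append(stem)
    return hits


def demo():
    """Recreate the walrus_and_the_carpenter.py situation in a temp directory."""
    with tempfile.TemporaryDirectory() as script_dir:
        with open(os.path.join(script_dir, "random.py"), "w") as fh:
            fh.write("# constructed stand-in for a planted module\n")
        # sys.path without the '' (cwd) entry: stdlib and site directories only.
        real_path = [p for p in sys.path if p]
        script_first = [script_dir] + real_path  # what `python script.py` sees
        hijacked = resolve_origin("random", script_first)
        isolated = resolve_origin("random", real_path)  # order under `python -I`
        here = os.path.realpath(script_dir)
        return {
            "shadows": stdlib_shadows(script_dir),
            "script_dir_wins": os.path.dirname(hijacked) == here,
            "isolated_uses_stdlib": os.path.dirname(isolated) != here,
        }


if __name__ == "__main__":
    print(demo())
```

For a script that another user runs with elevated privileges, the check that matters is whether that script's directory is writable by anyone else; `stdlib_shadows` over that directory, or running it under `python -I`, closes the specific gap used here.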
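The teaParty paragraph above makes the point that a setuid program calling an external command without an absolute path is at the mercy of the caller's PATH. As an added example, not code from the walkthrough, the following audit resolves a command name the way the shell would and reports every PATH entry searched before the real binary that the current user can write to; those are the entries an unprivileged caller could use to substitute the command. It builds a constructed PATH in a temporary directory and assumes a POSIX system where `os.access` reflects the caller's permissions.

```python
# Added example (not the walkthrough's code): audit how an unqualified
# command name is resolved through PATH and which earlier entries are
# writable by the current user. Assumes POSIX; directories and the stand-in
# `date` script are constructed in a temp dir.
import os
import shutil
import tempfile


def audit_command_lookup(command: str, path_entries):
    """Return (resolved_path, writable_entries_searched_before_resolved).

    If `command` carries a directory component, PATH is never consulted,
    so nothing is risky on that front. If the command cannot be found at
    all, every writable entry is reported, since any of them could supply it.
    """
    if os.path.dirname(command):
        return shutil.which(command), []
    resolved = shutil.which(command, path=os.pathsep.join(path_entries))
    resolved_dir = os.path.realpath(os.path.dirname(resolved)) if resolved else None
    risky = []
    for entry in path_entries:
        if resolved_dir is not None and os.path.realpath(entry) == resolved_dir:
            break  # the lookup stops here; later entries are never consulted
        if os.path.isdir(entry) and os.access(entry, os.W_OK):
            risky.append(entry)
    return resolved, risky


def demo():
    """Constructed layout: a user home dir and a system bin dir holding `date`."""
    with tempfile.TemporaryDirectory() as root:
        user_bin = os.path.join(root, "home", "alice")
        sys_bin = os.path.join(root, "usr", "bin")
        os.makedirs(user_bin)
        os.makedirs(sys_bin)
        date_path = os.path.join(sys_bin, "date")
        with open(date_path, "w") as fh:
            fh.write("#!/bin/sh\necho constructed date stand-in\n")
        os.chmod(date_path, 0o755)

        bad_order = [user_bin, sys_bin]   # caller-controlled dir searched first
        good_order = [sys_bin, user_bin]  # system dir first
        bad = audit_command_lookup("date", bad_order)
        good = audit_command_lookup("date", good_order)
        absolute = audit_command_lookup(date_path, bad_order)  # the fix: full path
        return {
            "bad_resolved_in_sys_bin": bad[0] is not None and os.path.dirname(bad[0]) == sys_bin,
            "bad_risky_count": len(bad[1]),
            "good_risky_count": len(good[1]),
            "absolute_risky_count": len(absolute[1]),
        }


if __name__ == "__main__":
    print(demo())
```

The hardened form of teaParty is the `absolute` case: once the call names `/bin/date` (or the program resets PATH to a fixed safe value before calling out), the caller's environment no longer decides which binary runs.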
