Wonderland — TryHackMe writeup

GrimTheRipper

4 min readFeb 2, 2025

This is Lab of TryHackMe

First flag

As always we start with a nmap scan of the machine:

We found 2 port that open is 22 , 80 .

After discovering that port 80 is open, I tried to open the website using the target IP.

View Page Source.

After reviewing, I didn’t find anything, so I decided to download the image to check if I could find anything.

After downloading the image, I tried using the steghide command.

command: steghide extract -sf white_rabbit_1jpg

Then, open file hint.txt that we got after steghide.

URL: 10.10.113.77/r/a/b/b/i/t/

Inspecting the source code reveals something that looks like credentials.

View Page Source.

We can now use the credentials above and SSH into the box.

We now have access to the machine, but when running the lscommand, we notice something strange: the root.txt file is located in our user's directory...

After gaining access to the machine, we used the command ls to check for files.

We found root.txt and try to open this file but we got Permission denied.

We try to see what in the file walrus_and_the_caroenter.py with nano command.

We found nothing.

Then, Create new file random.py

command:

echo “import subprocess;subprocess.call(‘/bin/sh’);” > random.py

2. sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py

Now we are access to rabbit.

cat /root/user.txt

Obtain the flag in user.txt

Second flag

After we are access to rabbit,

Go to /home/rabbit

At the top of the file, we can see that the Python random module is imported. So, if we create a file named random.py in our current working directory that executes /bin/bash, our Python file should be loaded instead of the real random module, giving us a shell as the rabbit user.