July 14, 2026
I Chained Four Privilege Escalation Bugs to Root a Box — Here’s the Full Breakdown

By Debojit Singh
1 min read
If you've ever felt stuck at "I got a shell, now what?" — this one's for you. I just published a full walkthrough of TryHackMe's Wonderland room, and it's one of the better rooms I've done for actually understanding privilege escalation instead of just memorizing commands. It's not a single trick. It's a chain — four separate weaknesses stacked on top of each other, each one teaching something you'll see again on other boxes, other CTFs, even real environments. Here's the shape of it, without spoiling the specifics: It starts on the web. Not an obvious login page — a hidden path buried in nested directories, themed around Alice in Wonderland. The kind of thing you only find if you actually inspect the raw HTML instead of trusting what renders in the browser. Then it moves to Python. A sudo rule lets you run a script as another user — and that script imports a module in a way that lets you hijack it. This is the part people skip in tutorials but is genuinely one of the most common real-world privesc patterns in Python-heavy environments. Then a SUID binary that trusts PATH. Classic, devastating, still shows up constantly in the wild. If you don't already have "check PATH trust in SUID binaries" as a reflex, this will build it. And finally, Linux capabilities — the modern, quieter cousin of SUID that a lot of write-ups gloss over entirely. cap_setuid on the wrong binary is root, full stop. What I liked about writing this one up: every stage has a "why this worked" and a "defensive lesson" section, so it's not just an offensive checklist — it's also a mini blue-team reference on what to actually go fix. I go deep on the reasoning, the enumeration steps, and the exact thought process at each pivot — all fully sanitized (no flags, no creds, per TryHackMe's write-up guidelines) but with nothing important cut out. 👉 Read the complete walkthrough here: https://debojit.blackpandalabs.in/blog/wonderland-tryhackme-walkthrough.html If you're working through Linux privesc rooms or prepping for OSCP-style boxes, this is worth the ten minutes.