Wgel CTF

This is my write-up for the room located at: https://tryhackme.com/room/wgelctf

I had to find out what ports were open on the machine. I ran nmap in order to find out what is going:

nmap -T4 -A -oN nmap_output

The result I got from running this is:

    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 94:96:1b:66:80:1b:76:48:68:2d:14:b5:9a:01:aa:aa (RSA)
    |   256 18:f7:10:cc:5f:40:f6:cf:92:f8:69:16:e2:48:f4:38 (ECDSA)
    |_  256 b9:0b:97:2e:45:9b:f3:2a:4b:11:c7:83:10:33:e0:ce (ED25519)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Apache2 Ubuntu Default Page: It works
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I wanted to scan the http to find out what directories are available for me to access. To do this, I ran gobuster:

gobuster dir -u -w ~/Desktop/hacking/resources/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -t 30

I did find a /sitemap, which was a wesbite. I then ran a second gobuster command using this new information:

gobuster dir -u -w ~/Desktop/hacking/resources/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -t 30

This led me to find a /.ssh/ folder, with a file called "id_rsa".

I believe that I needed a username alonside this id_rsa file in order to get ssh access. I found this write-up, which helped me find the username. The username was in the main Apache page, in a hidden html comment.

Here we can see that the name Jessie is being used. I assumed that if we lowercased the first letter, and made it "jessie", that would be the ssh username. Before connecting to the ssh port, I had modified the idrsa file (after I downloaded it). In order to do this, I ran "chmod 600 idrsa". This allowed only root have access to edit and read the file. This is also how ssh is able to use the file. This let me into the server

After this, I had to find the user.txt (or user_file.txt) file. I found the file in the Documents directory:

Now that I had found the user flag, I had to find a way to escalate privileges. I ran the "sudo -l" command, which told me the commands I am able to run with sudo.

jessie@CorpOne:~/Documents$ sudo -l
Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass,

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

It can be seen that I can run "wget" as root. I have to find a way to use that to get the root.txt. I did get lost at this point. I referred back to the previous write-up in order to find out the correct command to get to root. I realized that I had to use wget to push something from the machine, and then have netcat open on my machine, in order to receive the information.

I then waited on my host to wait for the response.

I then got the password in plaintext. This was the last piece I needed for this room. I did learn a couple interesting things from this room. Although I knew that the http protocol has get and post requests, I did not picture that I would ever export information using the post command on the machine. In addition, I did realize that sometimes I have to look more closely at apache websites. I did not go deep enough as I should have. This is something I hope to improve on in the future.

Last updated