TryHackMe — Wgel CTF Writeup
Wgel is a TryHackMe machine. It is an easy-level machine that demonstrates the basics of system hacking. TryHackMe provides almost free labs for studying and practising the penetration testing and CTF skills a pen-tester needs.
Enumeration
NMAP Scan
We first use Nmap to scan the target IP address to learn which services are running and what vulnerabilities they might hold.
nmap -T4 -A -v {IP Address of victim machine}
From the above results we find that two ports are open:
We enumerate port 80 first, as it hosts a website. Opening it shows the default Apache page of an Ubuntu server.
Source Code Enumeration
After going through the source code of the page, we find:
DIRB enumeration
Here we use a tool called DIRB, a web content scanner that brute-forces directory and file names on the site and shows us which paths exist.
DIRB returned some awesome data:
Looks like we have hit a Jackpot!
http://10.10.3.112/sitemap/.ssh/
Browsing to that URL, we find a user's private RSA SSH key.
Foothold
Gaining a foothold means getting basic, low-privilege access to a system, enough to run a reverse shell or read and write private information.
Save the above RSA private key and convert it to .ppk format: in PuTTYgen, use Load an existing private key file, select the saved key, and then click Save private key.
Then open PuTTY, go to Connection > SSH > Auth in the left navigation pane, and select the .ppk file by clicking Browse under Private key file for authentication.
Log in using PuTTY with the username jessie that we found earlier.
In the Documents folder we find user_flag.txt.
Root Privilege Escalation
Root privilege escalation is needed to obtain the highest permissions on the system. The root user can do anything on the system, including modifying the system files themselves.
Running sudo -l (this command lists all the sudo permissions of the current user):
So we have sudo permission for wget; I wonder what we can do with it.
- Upload files to the attacker machine
- Download files from the attacker machine
- Overwrite files on the pwned machine
- Read files on the pwned machine
We could upload /root/root_flag.txt directly to our machine, but that is not enough in real life, so instead we will rewrite the /etc/sudoers file. This file controls which users and programs may run commands with sudo, including without a password.
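From the defender's side, the lesson of this box is that a NOPASSWD rule for a bare file-transfer binary is root-equivalent. As an added example (not from the original writeup), here is a small Python audit that parses sudoers-style text and flags such rules; the sudoers lines and the binary list are constructed for illustration.

```python
import re

# Binaries that can read/write any file as root when given free arguments (wget -O / --post-file here); constructed list.
FILE_TRANSFER_BINARIES = {"wget", "curl", "scp", "rsync", "tee", "cp", "dd"}
# Constructed sudoers sample (not the machine's real file): the original wget rule,
# the escalated form after the edit described above, and benign rules for contrast.
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
jessie   ALL=(root) NOPASSWD: /usr/bin/wget
jessie   ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, \\
         /bin/true  # continued from the previous line
"""

USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
NOT_USER_SPECS = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def parse_user_specs(text):
    """Yield (user, runas, [(command, tags)]); handles comments and continuations."""
    pending = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # '#' starts a comment
        if line.endswith("\\"):                   # backslash joins the next line
            pending.append(line[:-1])
            continue
        full, pending = " ".join(pending + [line]).strip(), []
        if not full or full.startswith(NOT_USER_SPECS) or not (m := USER_SPEC.match(full)):
            continue
        cmds, tags = [], set()
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            # A tag such as NOPASSWD: stays in effect for the rest of the list until PASSWD:
            while ":" in cmd and cmd.split(":", 1)[0].strip().isupper():
                tag, cmd = (p.strip() for p in cmd.split(":", 1))
                tags = tags - {"NOPASSWD"} if tag == "PASSWD" else tags | {tag}
            cmds.append((cmd, tags))
        yield m.group("user"), m.group("runas") or "root", cmds

def audit_sudoers(text):
    """Return (user, command, reason) for NOPASSWD rules that are root-equivalent:
    ALL, or a bare file-transfer binary (no fixed arguments, so any file can be touched)."""
    findings = []
    for user, _runas, cmds in parse_user_specs(text):
        for cmd, tags in ((c, t) for c, t in cmds if "NOPASSWD" in t):
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted root without a password"))
            elif " " not in cmd and cmd.rsplit("/", 1)[-1] in FILE_TRANSFER_BINARIES:
                findings.append((user, cmd, "arbitrary file read/write as root, no password"))
    return findings
```

Run `audit_sudoers(open("/etc/sudoers").read())` as root on a host you administer; a rule that pins wget to fixed arguments is not flagged, while the bare rule from this box is.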
Start a netcat listener on your attacking machine so that the victim has somewhere to send data:
nc -lvnp 80
Then, on the victim, we run the following:
The wget command posts the /etc/sudoers file to the listener at the provided IP.
You will get output like this on your attacking machine:
Save the received data to a file named sudoer2.
Change the NOPASSWD: /usr/bin/wget portion to NOPASSWD: ALL, editing the file only with visudo so that a syntax error does not break sudo.
Then download the edited file back to the victim machine, overwriting /etc/sudoers.
VOILA! We found the root flag, which means we pwned the machine.