Wgel CTF
Reconnaissance
Initial nmap scan to find open ports, using the -Pn flag ("treat all hosts as alive", which skips host discovery).
Detailed Nmap Scan:
Command Breakdown:
(-sV): service version detection
(-sC): run the default nmap scripts
(-p): scan only ports 22 and 80
(-oN nmap): save the normal output to a file called nmap
Enumeration
Let's visit port 80, the web server.
It's a default Apache2 page, but I made sure to check the page source and found something interesting: we now have a possible username, Jessie.
There is nothing else of interest, so let's run gobuster to find hidden directories.
We found a hidden directory, so let's check it out.
It is a very well made website. Let's run gobuster against it in the background while we explore the page.
Looking at the website, most of the buttons work and are functional. Once the gobuster results come back, let's check them.
There is a /.ssh directory, which is really interesting, so let's go see it.
We have an id_rsa file. If we recover its passphrase with john the ripper, we can log in through ssh.
Let's first open the file, copy its contents, and paste them into our own id_rsa file.
Now let's find the passphrase for it using ssh2john.
Oh, it looks like we do not need a passphrase to log in, so let's log in directly.
We are logged in and can now read the user.txt file.
Privilege Escalation
Let's run sudo -l to check what we can run as root.
It looks like we can run /usr/bin/wget as root. Since wget can send files, we can try to send the root flag file to our machine. First we need to start an HTTP server to receive the file.
We also have to start a netcat listener.
Now let's use this command to send the root flag to our machine. We cannot be sure of the root flag's file name, but looking at how the user flag was named, we can guess it.
After you hit enter, you get the contents of a file.
This is the root flag.
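From the defender's side, the whole privilege escalation above rests on a single sudoers rule: a user may run wget as root without a password, and wget can read and upload any file. The audit script below, an added example and not part of the original writeup, parses a constructed sudoers fragment modelled on that rule and flags every passwordless root entry for a binary that can move files; the set of flagged binaries and the sample rules are assumptions, not taken from the box.

```python
import os
import re

# Illustrative set of binaries that read/write arbitrary files as root; wget is the one this box's rule allows.
FILE_TRANSFER_BINARIES = {"wget", "curl", "cp", "tee", "dd", "tar"}

# Constructed sudoers fragment modelled on the misconfiguration in the writeup.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
jessie  ALL=(ALL:ALL) ALL
jessie  ALL=(root) NOPASSWD: /usr/bin/wget
%admin  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# user  host=(runas[:group]) [TAG:] command[, command ...]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+=(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$")
# Tags that may precede a command (NOPASSWD:, SETENV:, NOEXEC:, ...).
TAG_RE = re.compile(r"\b(?:NO)?(?:PASSWD|SETENV|EXEC):\s*")


def audit_sudoers(text: str) -> list[tuple[str, str, str]]:
    """Return (user, command, reason) for every passwordless root rule on a
    file-transfer binary; the rest of the sudoers file is left alone."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        # "(ALL:ALL)" -> "ALL"; a missing runas clause defaults to root.
        runas = (m.group("runas") or "root").split(":")[0]
        spec = m.group("spec")
        if runas not in ("root", "ALL") or "NOPASSWD:" not in spec:
            continue
        for cmd in TAG_RE.sub("", spec).split(","):
            cmd = cmd.strip()
            binary = os.path.basename(cmd.split()[0]) if cmd else ""
            if binary in FILE_TRANSFER_BINARIES:
                reason = f"{binary} runs as root without a password and can read or write any file"
                findings.append((m.group("user"), cmd, reason))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} -> {reason}")
```

Run it against /etc/sudoers and the files in /etc/sudoers.d; the rule that lets wget run as root without a password is exactly the kind of entry it reports.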