Wgel CTF | TryHackMe

Nihir Zala
4 min read · Feb 8, 2023


Enumeration

NMAP Scan

First, we use Nmap to scan the target IP address and find out which services are running and what vulnerabilities they might expose.

nmap -T4 -A -v {IP Address of victim machine}

From the scan results we find that two ports are open:

We enumerate port 80 first, as it hosts a website. Opening the site shows the default Apache page for Ubuntu.

Source Code Enumeration

After going through the source code of the page, we find:

Hmm, looks like there is a user named ‘Jessie’.

DIRB enumeration

Here we use a tool called DIRB (a directory buster). It brute-forces possible directory paths on the web server and shows us which ones exist.

DIRB returned some awesome data:

Looks like we have hit a Jackpot!

http://10.10.3.112/sitemap/.ssh/

Browsing to that URL, we find a private RSA key for a user’s SSH login.

FootHold

Gaining a foothold means getting basic control over a system with minimal privileges, enough to execute a reverse shell or to read and write private information.

Save the RSA private key found above to a file and convert it to PuTTY’s .ppk format with PuTTYgen: click Load to load the existing private key file, then click Save private key.

After that, open PuTTY, click Connection > SSH > Auth in the left navigation pane, and configure the SSH private key to use by clicking Browse under “Private key file for authentication”.

Then log in using PuTTY with the username ‘jessie’ that we found earlier.

Going into the Documents folder, we find user_flag.txt.

Root Privilege Escalation

Root privilege escalation is required to get the highest permissions on the system. The root user can do anything on the system, including modifying the system files themselves.

On running sudo -l (this command lists all the )

We found the vulnerability: an LPE (Local Privilege Escalation).

So we have sudo permissions for wget; I wonder what we can do with that.

  • Upload files to the attacker machine
  • Download files from the attacker machine
  • Rewrite files on the pwned machine
  • Read files on the pwned machine

We could directly upload /root/root_flag.txt to our machine, but that is not enough in real life. Instead we will rewrite the /etc/sudoers file. This file controls which users and programs are granted sudo permissions, including sudo without a password.

Start a netcat listener on your attacking machine so that the victim machine has something to send data to:

nc -lvnp 80

Then, on the victim machine, we run this:

The wget command sends the /etc/sudoers file to the provided IP.

You will get this type of output on your attacking machine:

Save the received data to a file named sudoer2.
Edit the NOPASSWD: /usr/bin/wget portion to NOPASSWD: ALL, using ONLY visudo (it checks the syntax before saving; a malformed sudoers file breaks sudo entirely).

Then download it back to the victim machine, overwriting /etc/sudoers.

And done.
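As an added defender-side example that is not part of the original writeup, the following Python audits a sudoers file for the kind of rule this box had: a NOPASSWD entry for wget, which is as good as NOPASSWD: ALL because wget running as root can read and overwrite any file. The sample sudoers text is constructed, and FILE_TRANSFER_TOOLS and the parsing helpers are my own assumptions, not part of sudo or the CTF.

```python
import re
# Binaries that, run as root, can read any file (such as /etc/sudoers) and overwrite it,
# as the writeup does with wget. Only wget is on the page; extend this for your environment.
FILE_TRANSFER_TOOLS = {"wget"}
# user host=(runas) [TAG:] cmd[, ...], e.g. jessie ALL=(ALL) NOPASSWD: /usr/bin/wget
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(\([^)]*\)\s*)?(.*)$")
TAG = re.compile(r"^([A-Z]+):\s*")
# Defaults and alias lines are not user specs; aliases are not expanded here.
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def iter_commands(sudoers_text):
    """Yield (user, command, nopasswd) for every command in each user-spec line."""
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and #include directives
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        user, rest, nopasswd = m.group(1), m.group(4), False
        for segment in rest.split(","):
            segment = segment.strip()
            tag = TAG.match(segment)
            while tag:  # tags stay in effect for later commands until changed
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                segment = segment[tag.end():]
                tag = TAG.match(segment)
            if segment:
                yield user, segment, nopasswd

def find_risky_nopasswd(sudoers_text):
    """Return (user, command, reason) for password-less rules that equal root."""
    findings = []
    for user, cmd, nopasswd in iter_commands(sudoers_text):
        if not nopasswd:
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL":
            findings.append((user, cmd, "unrestricted root without a password"))
        elif binary in FILE_TRANSFER_TOOLS:
            findings.append((user, cmd, "can read and overwrite any file as root"))
    return findings

# Constructed sample mirroring the writeup's before/after states (not a real dump).
SAMPLE_BEFORE = "Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n" \
                "jessie ALL=(ALL) NOPASSWD: /usr/bin/wget\n"
SAMPLE_AFTER = SAMPLE_BEFORE.replace("NOPASSWD: /usr/bin/wget", "NOPASSWD: ALL")
```

Both the original rule and the rewritten one are flagged, which is the point: the box was already root-equivalent before the sudoers file was touched.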

I followed this writeup; all credit goes to

https://medium.com/acm-juit/tryhackme-wgel-ctf-writeup-e8561740aa2f




Written by Nihir Zala

Hi there, I'm Nihir Zala—a Laravel developer from Gujarat, India, with over 2.5 years of professional experience. I'm also learning pentesting on THM and HTB.
