Wgel is a beginner box from try Hack Me, which is fast becoming the top website for aspiring security people and CTF enthusiasts.
We can start off by running a service scan with standard scripts using nmap.
So we have two ports open, port 80 which is an Apache web server and port 22 which is an Open SSH server.
Let’s take a look at the web server on port 80:
It looks like the standard Apache landing page, although the configuration layout seems to have been cut short. Lets check out the page source code.
We see a comment, “Jessie don’t forget to update the website.” I will log jessie as a potential username for later. The source code does not reveal anything else. I also check to see if there is a robots.txt file; however, it is not found.
We can run Gobuster to brute force directories:
We can see one directory /sitemap, lets check this out
This takes us to a website, I always use Wappaltzer, which is a Firefox plugin to provide information regarding the site and the technology used.
Although it provides a lot of information, it does not tell us the framework being used. Looking through the source code, I cannot see any further information. Given that Gobuster did find a directory, I will re-run Gobuster, adding this directory to the search. Using the previous wordlist did not provide many additional results, so I switched to the dirb/common.txt wordlist.
This provided some interesting information. Unfortunately /.htpasswd is forbidden; however, /.ssh was returning a 301.
Bingo a ssh id_rsa key, which may allow us to access the ssh server on port 21 using the username we found earlier (jessie). Lets navigate to this page and download the id_rsa key. We will need to chmod the key to 600 so it will have the required permissions.
Using VIM I will copy the id_rsa key and save the file as id_rsa and chmod as above. I will now try to login to ssh using the username ‘jessie’ and the id_rsa private key.
Next convert the id_rsa private key to a format that John the Ripper can use:
So, this is good news, the id_rsa does not have a password, so no need to brute force, we can simple log into the ssh server using the username and the id_rsa key.
That's strange, usually there is a user.txt file in the home directory of the user. I will use the find command to try and locate it.
find / -type f -name *.txt 2>/dev/null
We find the user flag in /home/jessie/Documents/user_flag.txt
PRIVESC — Time to get root
First thing to check is Sudo privileges with sudo -l
OK, so we can run wget as root. It is likely that this binary is exploitable, to check this out I always head over to GFTObins, which is an excellent resource.
A quick search for wget on GFTOBins gives us the following:
On the attacking system, set up a Netcat listener on port 80
nc -lnvp 80
We can now run the privesc as detailed on GFTOBins.
We catch the root-flag.txt on our Netcat listener as below:
Another box pawned and a real fun box, especially for a beginner like me:-)
Thank you to the developer of this box, I enjoyed it a lot.
