Sws101_wgel_ctf

Posted Apr 19, 2024

By Ranjung Yeshi Norbu 3 min read

Topic: Wgel Ctf

Hello everyone, I hope you all are doing good! In this page we will be learning about the Wgel CTF challenges from Try Hack Me.

Target IP Address

10.10.88.13

Enumeration

First, I have pingged the target IP address to check whether I can communicate wirh it and it is up.

Then I have used nmap to scan the target IP address to see the open ports.

Result

There are 2 open ports and they are;

80 http Apache httpd 2.4.18
22 ssh OpenSSH 7.2p2

Web Server

Since the machine is running a web server, I have opened the browser and navigated to the target IP address.

There is nothing usefull in here, so I checked the source code of the page.

luckily, I have found a comment in the source code of the page and it is a hint to find the hidden directory.

It says that;

<!-- Jessie don't forget to udate the webiste -->

Brute Force

Then I used ffuf to brute force and find the hidden directorys.

This is the command that I have used to find the hidden directorys.

rybnorbu@lenevo-ranjung:~/Downloads$ ffuf -w /home/rybnorbu/SecLists-master/Discovery/Web-Content/common.txt -u http://10.10.88.13/FUZZ

And I got this result;

        /'___\  /'___\           /'___\       
    /\ \__/ /\ \__/  __  __  /\ \__/       
    \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
        \ \_\   \ \_\  \ \____/  \ \_\       
        \/_/    \/_/   \/___/    \/_/       

    v1.1.0
________________________________________________

:: Method           : GET
:: URL              : http://10.10.88.13/FUZZ
:: Wordlist         : FUZZ: /home/rybnorbu/SecLists-master/Discovery/Web-Content/common.txt
:: Follow redirects : false
:: Calibration      : false
:: Timeout          : 10
:: Threads          : 40
:: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

.htpasswd               [Status: 403, Size: 276, Words: 20, Lines: 10]
.hta                    [Status: 403, Size: 276, Words: 20, Lines: 10]
.htaccess               [Status: 403, Size: 276, Words: 20, Lines: 10]
index.html              [Status: 200, Size: 11374, Words: 3512, Lines: 379]
server-status           [Status: 403, Size: 276, Words: 20, Lines: 10]
sitemap                 [Status: 301, Size: 312, Words: 20, Lines: 10]
:: Progress: [4727/4727] :: Job [1/1] :: 71 req/sec :: Duration: [0:01:06] :: Errors: 0 ::

After navigating to the hidden directory sitemap, I have found a login page.

There is nothing usefull here.

Earlier, I got something related to SSH. So, I tried to access the web server using .ssh directory.

Inside the ids_rsa file, I have found the private key.

This is the rsa Private key:

I then copied this private key and saved it in my local machine in a file called ids_rsa.

Then i have adjust the permission of the file using the command

chmod 600 ids_rsa.

SSH Connection

I used the private key to connect to the ssh server.

Inorder to find the user flag, I used this command to search for the user.txt file.

jessie@CorpOne:~$ locate *flag.txt
/home/jessie/Documents/user_flag.txt

I found the user flag inside the user.txt file.

Privilege Escalation

First, I check running this command,

From this we see that we can run every command as root, but we need a password for that, on the other hand, we can run wget with no password.

SWS101, Try_Hack_Me(CTF)

SWS101

This post is licensed under CC BY 4.0 by the author.