Wgel CTF is a free beginner level box to try on TryHackMe
Look for open ports
First of all we are going to scan the box for open ports , you can use any port scanner but here I am using nmap,it’s going to take some time while scanning because we scan for every open port on the box.
nmap -T4 -A -p- 10.10.81.198
From here we can see that there are 2 ports open
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| 2048 94:96:1b:66:80:1b:76:48:68:2d:14:b5:9a:01:aa:aa (RSA)
| 256 18:f7:10:cc:5f:40:f6:cf:92:f8:69:16:e2:48:f4:38 (ECDSA)
|_ 256 b9:0b:97:2e:45:9b:f3:2a:4b:11:c7:83:10:33:e0:ce (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
It just shows the default http server page but if we look at the source code of this page we can find a user name there ‘jessie’.
Lets enumerate directories by using dirbuster
I am also going to perform a nikto scan for vulnerabilites on the site
nikto -h 10.10.81.198
Result of Nikto
Nothing much came out of nikto scan
Result of Dirbuster
From directory busting , we came to know that there is a directory called sitemap
I again tried to bruteforce directory but this time i used ‘common.txt.’ wordlist
Here we can see that there is a directory “.ssh” with sub directory “id_rsa”
Copy the whole text found here into a file a name it ‘id_rsa’ which is a key file for ssh. Now we can utilize this key through the port 22 which is ssh
First of all change the file permissions because it won’t allow to execute this file.
We can now grab the user flag from here but we are not done yet we still have to escalate our privileges to get root flag to complete the whole box.
By using netcat we will listen on any port
nc -lvp 4444
And on the target machine we will try to send that file to us
This will be the response you will receive on your terminal.
Submit the flag in order to complete this CTF