Wgel CTF — THM Writeup
Machine Overview
Machine Name: Wgel CTF
Target IP: 10.10.xxx.xxx (IP changed multiple times during the lab)
Operating System: Linux (Ubuntu-based)
This assessment focused on web enumeration, information disclosure through source code analysis, SSH key abuse for initial access, and privilege escalation via a misconfigured sudo permission.
1️⃣ Initial Reconnaissance
As expected, the engagement started with a TCP scan to identify exposed services and understand the attack surface.
🔍 Nmap Scan
nmap -sC -sV 10.10.xxx.xxx
📌 Key Findings
The following services were identified:
- Port 22 (SSH): OpenSSH 7.2p2 (Ubuntu Linux)
- Port 80 (HTTP): Apache httpd 2.4.18
With only SSH and HTTP exposed, the web application became the primary focus for initial access.
2️⃣ Initial Enumeration Challenges
Early attempts at enumeration were inconsistent:
- Automated directory enumeration tools were unreliable
- Manual access to the website was slow and unstable
After reconnecting to the lab at a later time, the target became responsive again and enumeration resumed normally.
3️⃣ Web Application Enumeration
Further investigation revealed a web application hosted under the following path:
/sitemap/
Reviewing the content exposed multiple names, suggesting potential system users:
- Dave Miller
- Emily Turner
- Adam Morris
- Noah Nelson
- Dorothy Murphy
At this stage, none of these immediately led to access, but they confirmed that user enumeration was possible through the application.
4️⃣ Source Code Analysis
While inspecting the page source, an additional username was discovered:
jesse
Unlike the other names, this username appeared in a more technical context, making it a stronger candidate for system access.
Continuing the investigation revealed a critical misconfiguration.
5️⃣ SSH Key Disclosure
Further enumeration exposed a private SSH key located inside a .ssh directory.
This represented a serious security failure, as private keys should never be publicly accessible.
Using the discovered key, an SSH connection was attempted.
The login succeeded, resulting in a stable user-level shell.
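The exposed key in this section is exactly the kind of finding a routine audit of the served document root should catch before anyone else does. The scanner below is an added defensive example, not part of this writeup or the lab; the directory layout and placeholder "key" files it builds for the demo are constructed, and the webroot path it scans is whatever the caller passes in.

```python
import os
import re
import tempfile
from pathlib import Path

# PEM headers written by OpenSSH and legacy key formats.
PRIVATE_KEY_HEADER = re.compile(
    rb"-----BEGIN (OPENSSH|RSA|DSA|EC|ENCRYPTED) PRIVATE KEY-----"
)

def scan_webroot(webroot: str) -> list:
    """Return one finding per suspicious path under webroot.

    Flags (1) any directory literally named .ssh and (2) any file whose
    first 4 KiB carry a private-key PEM header, whatever its filename.
    """
    findings = []
    for root, dirs, files in os.walk(webroot):
        for d in dirs:
            if d == ".ssh":
                findings.append({"path": os.path.join(root, d),
                                 "reason": "ssh_dir_in_webroot"})
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable file: skip it, do not abort the audit
            if PRIVATE_KEY_HEADER.search(head):
                findings.append({"path": path, "reason": "private_key_material"})
    return sorted(findings, key=lambda f: f["path"])

def build_demo_webroot() -> str:
    """Constructed throwaway document root; the 'keys' are placeholder text."""
    base = tempfile.mkdtemp(prefix="webroot_demo_")
    Path(base, "index.html").write_text("<html><body>ok</body></html>\n")
    ssh_dir = Path(base, "sitemap", ".ssh")
    ssh_dir.mkdir(parents=True)
    (ssh_dir / "id_rsa").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER_NOT_A_REAL_KEY\n"
        "-----END RSA PRIVATE KEY-----\n")
    # A key copied into an innocuously named file is still caught by check 2.
    Path(base, "backup.txt").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n")
    return base

if __name__ == "__main__":
    for f in scan_webroot(build_demo_webroot()):
        print(f"{f['reason']:22} {f['path']}")
```

Run it against the real document root (for example /var/www/html) from a cron job or a CI step and treat any finding as a blocking issue.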
6️⃣ Initial Foothold
At this point:
- Initial access was established
- The user.txt flag was retrieved and submitted
The next step was privilege escalation.
7️⃣ Privilege Escalation
Post-exploitation enumeration revealed that the current user was allowed to execute the following binary with sudo privileges:
wget
While wget is not typically considered dangerous, its advanced functionality can be abused when executed with elevated privileges.
8️⃣ Root Flag Exfiltration
By leveraging wget's --post-file functionality, sensitive data could be exfiltrated to a remote listener.
Using this technique, the contents of the root flag were successfully sent to a controlled Netcat listener.
- Root flag retrieved
- Root access effectively achieved
- Full system compromise confirmed
This concluded the assessment.
🧠 Key Takeaways
- Unstable services can sometimes require patience rather than brute force
- Web applications often leak valuable information through source code
- Exposed SSH private keys completely bypass authentication mechanisms
- "Harmless" binaries like wget can become dangerous under sudo
- Understanding tool behavior is often more powerful than exploiting vulnerabilities
📬 Contact & Projects
Email: dakshbaweja20@gmail.com GitHub: https://github.com/sudo0xksh
🚀 Deteroid
Deteroid is a dedicated review platform for bug bounty hunters to share insights, rate programs, and collaborate on cybersecurity findings. Empowering ethical hackers with community-driven intel to hunt bugs smarter.
📸 Instagram: https://www.instagram.com/deteroids/