Wgel CTF

This box is an easy rated box. Appears to only be looking for user and root flag. So lets go!

Nmap scan shows us that 22 and 80 are open. Lets roll into the webpage

Here we get an apache web server. With this info we are going to run gobuster to find some directories

We find the directory /sitemap

Digging through the webpage I wasn’t able to locate anything noteworthy. Checked source code as well

Metasploit didnt return any results from searching “unapp”

So decided to run gobuster again against /sitemap

Hit a standstill with these directories.

Started testing against it with a different wordlist (one of my new techniques) and received a few additional hits

This yielded some additional results. Some interesting ones involved here. Especially the /.ssh one (knowing that SSH is open on this box)

Opening id_rsa we get an SSH key!

Trying to SSH with just the key is going to default to Root. Since we have a user flag we are looking for as well we will want to locate a username

Going through page source again we find “Jessie”

And we are in!

Searching the files we have our first flag!

Running sudo -l we get the following

Lets run out to GTFO bins to see if we can get an way to get root!


A little trial and error on this one and we get our root flag!