TryHackMe — Watcher WalkThrough


This is a practical walkthrough of the room “Watcher” from TryHackMe. Although this room is marked as easy, for me it felt more like medium. This room covers Boot2root, web exploitation, privilege escalation and LFI.

Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.

First Things First

Deploy the target machine (it may take up to 3–5 minutes before it is loaded and accessible).
There are two ways to access the deployed target machine:
1) Use the attack box provided by TryHackMe; it comes with all the tools required for the attack.
2) Use the OpenVPN configuration file to connect your own machine (Kali Linux) to their network.
For the sake of demonstration I am using an OpenVPN connection on my Kali Linux machine.

We won’t be using Metasploit for this challenge.

All of my further commands will be executed as a normal user, not as root. So if you’re also not running the commands as root, make sure to use sudo where needed, as it gives you permission to run elevated programs.

There are two generic flags, four user flags and one root flag to collect to complete this room.

Enumeration

We will kick off this room with Nmap to enumerate the target IP address.

[Image: Nmap scan results]

From the Nmap result, there are three open ports on the target: HTTP, FTP and SSH. Let’s run GoBuster against the target’s HTTP service to find any pages and/or directories.

[Image: GoBuster result]

Let’s visit /robots.txt and see if there’s any information.

[Image: robots.txt]

There’s a flag and a secret text file; let’s retrieve our first flag.

[Image: Flag 1]

Now let’s check that secret text file.

[Image: secret text]

We don’t have permission to access the file. Let’s visit the homepage and look for more information.

[Image: Homepage]

As you can see in the address bar, the page is loading a different file from a different location through a URL parameter. This might lead us to LFI. Let’s try a generic LFI string and find out.

[Image: LFI confirmed]

I tried to access /etc/passwd and got its contents back. Let’s read the secret text now.
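The include above works because the page name taken from the URL is handed straight to a file include. As an added example (not code from the room or the original post), written in Python rather than the target’s PHP, here is the two-sided view a defender wants: a loader that only accepts allowlisted bare file names contained inside the pages directory, and a small access-log check that flags traversal in the include parameter. PAGES_DIR, ALLOWED_PAGES, the parameter name `post` and the log lines are all constructed assumptions.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example values: the directory the app may include from and the page names it knows.
PAGES_DIR = Path("/var/www/html/pages")
ALLOWED_PAGES = {"home.php", "about.php", "contact.php"}

def resolve_page(requested: str, base_dir: Path = PAGES_DIR, allowed=ALLOWED_PAGES):
    """Map a user-supplied page name to a path under base_dir, or None to refuse.
    Two independent checks: an allowlist of known page names, and a containment
    check that the resolved (symlink-free) path stays inside base_dir; either
    one alone would have stopped the /etc/passwd read shown above."""
    # Only a bare file name is acceptable: no separators, no NUL truncation trick.
    if "\x00" in requested or "/" in requested or "\\" in requested:
        return None
    if requested not in allowed:
        return None
    base = base_dir.resolve()
    target = (base / requested).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return target

# Detection side: traversal or absolute-path values in the include parameter.
TRAVERSAL = re.compile(r"\.\.[/\\]|^/|%00|\x00")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_lfi_requests(log_lines, param="post"):
    """Return (decoded_value, line) for access-log lines whose include parameter
    looks like traversal. `param` is assumed; use the app's real parameter name."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        for value in parse_qs(urlparse(m.group(1)).query).get(param, []):
            decoded = unquote(value)  # parse_qs decoded once; this catches double encoding
            if TRAVERSAL.search(decoded):
                hits.append((decoded, line))
    return hits

# Constructed access-log lines (not from the room) to run the detector against.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /?post=home.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2021:10:00:07 +0000] "GET /?post=../../../../etc/passwd HTTP/1.1" 200 1409',
    '10.0.0.9 - - [01/Jan/2021:10:00:09 +0000] "GET /?post=%252e%252e%2fetc%2fpasswd HTTP/1.1" 200 1409',
]
```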

[Image: FTP credentials]

From the secret text we got the FTP user’s credentials. Let’s log in and look around.

[Image: Flag 2]

Cool, we retrieved the second flag. As you can see, the “files” directory on the FTP server is writable for us. Let’s upload a PHP reverse shell and gain our initial foothold.

For this you can use the default PHP reverse shell file that ships with Kali Linux and change the parameters accordingly.

[Image: PHP reverse shell]
[Image: uploading the PHP file]

It’s in the target’s FTP folder now; set up a netcat listener to catch the reverse connection.

[Image: netcat listener]

Now we need to request that reverse shell file through the web server so it gets executed and we get the reverse connection.

[Image: accessing the PHP file]
[Image: reverse connection]

We got the shell, let’s find our next flag.

[Image: Flag 3]

Now we need to escalate our privileges to another user. Let’s check our sudo privileges.

[Image: sudo privileges]

It seems we can run anything with sudo as the “toby” user without toby’s password. Let’s spawn bash as toby using sudo.

[Image: Flag 4]

We are in “toby’s” bash environment now and got the fourth flag too.

Now we need to escalate privileges to the user who holds the next flag.


There’s a note in “toby’s” home directory. It says that the “mat” user has set up a cron job for toby. Let’s check that “job” directory.


There’s a shell file named “cow.sh” and we have R/W/X permissions on it. Let’s read the file contents.


It copies a cow.jpg file to the /tmp directory. Let’s edit this “cow.sh” to get a reverse shell.

[Image: editing cow.sh]

Add a one-liner to the file with your IP and port, and set up a netcat listener to get the reverse connection.

[Image: netcat listener]
[Image: Flag 5]

We are in “mat’s” bash environment and got our fifth flag too.

There’s a note in “mat’s” home folder too; let’s read it.

[Image: note]

It seems there’s a Python script which we can run with sudo privileges as the “will” user. Let’s check our sudo privileges first.


As you can see, we can run the python3 binary with sudo as the “will” user without his password. The script file is in the script directory; let’s check it.

[Image: script directory]

There are two Python files: “cmd.py”, owned by “mat”, and “will_script.py”, owned by will. So we can’t edit “will_script.py”, but we can edit “cmd.py”.

Let’s read both files and see what they contain.

[Image: will_script.py]
[Image: cmd.py]

So, if we run “will_script.py” with the parameter 1, 2 or 3, it looks up the corresponding entry in “cmd.py”. If we run “will_script.py 1” we get ls -lah. Every time will_script runs, it calls cmd.py to run system commands.

As we can edit “cmd.py”, let’s add a Python one-liner to “cmd.py” to get a reverse shell. You can use this as the one-liner; make sure to change IP:port.
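Both escalations on this box (cow.sh run by mat’s cron, cmd.py imported by will’s sudo-runnable script) come down to one thing: a privileged context executes a file that a lower-privileged user can write. Added example, not from the room or the post: a Python audit that reports such files, following a script’s sibling imports the way will_script.py pulls in cmd.py; the temp-directory sample built in demo() is constructed.

```python
import ast, os, pwd, stat, tempfile
from pathlib import Path

def writable_by_others(path: Path):
    """Reasons someone other than the file's owner could change its content."""
    mode = path.stat().st_mode
    reasons = []
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    pmode = path.parent.stat().st_mode
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        reasons.append("parent dir world-writable, file can be replaced")
    return reasons

def sibling_imports(script: Path):
    """Imports of `script` that resolve to a .py next to it (searched first when run by path)."""
    for node in ast.walk(ast.parse(script.read_text())):
        names = []
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names = [node.module]
        for name in names:
            cand = script.parent / (name.split(".")[0] + ".py")
            if cand.is_file():
                yield cand

def audit(script: Path, runs_as: str):
    """{file name: reasons} for the script and, for .py, its sibling imports; wrong owner counts too."""
    targets = [script] + (list(sibling_imports(script)) if script.suffix == ".py" else [])
    findings = {}
    for p in targets:
        reasons = writable_by_others(p)
        owner = pwd.getpwuid(p.stat().st_uid).pw_name
        if owner != runs_as:
            reasons.append(f"owned by {owner}, not {runs_as}")
        if reasons:
            findings[p.name] = reasons
    return findings

def demo():
    # Constructed sample: a script run via sudo whose helper module is world-writable.
    d = Path(tempfile.mkdtemp())
    (d / "will_script.py").write_text("import cmd\ncmd.run(1)\n")
    (d / "cmd.py").write_text("def run(n):\n    pass\n")
    os.chmod(d / "will_script.py", 0o644)
    os.chmod(d / "cmd.py", 0o666)
    return audit(d / "will_script.py", pwd.getpwuid(os.getuid()).pw_name)
```

For the cron case, call audit() on the shell script path with the cron user’s name; for a sudo rule, pass the user named in the rule.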

[Image: Python one-liner]

If we run “will_script” now, we’d get a reverse shell. Set up a netcat listener.

[Image: netcat listener]

Now run the script as the “will” user to get the reverse connection.

[Image: running the script]
[Image: reverse connection]

We got the reverse connection and retrieved the sixth flag too. Now that we have all the user flags, let’s move on to the root flag.

[Image: backup key]

After searching through notes and hints, I stumbled upon this backup file. Reading it, the content is Base64 encoded.


We have to decode it and see what it is.

[Image: decoded]

It’s an RSA private key (SSH), probably for the root account. We need to copy the key and save it in a file on our Kali machine.


Once you save it, change the file’s permissions and authenticate with it over SSH.
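The root key above was sitting in a backup protected by nothing more than one layer of Base64. Added example (not from the room or the post): a Python scanner that finds PEM private-key headers in a file and decodes nested Base64 runs, so an encoded backup like this one is caught; FAKE_PEM and ENCODED_BACKUP are constructed placeholders, not real keys.

```python
import base64
import binascii
import re

PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")
# A run of Base64 alphabet long enough to be an encoded PEM block; whitespace is
# allowed inside because the base64 tool wraps its output at 76 columns.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\s]{64,}")

def find_private_keys(data: bytes, max_depth: int = 2):
    """Return [(layers, header)] for every PEM private key header in `data`,
    where `layers` is how many Base64 decodings were needed to reach it."""
    hits = [(0, m.group(0).decode()) for m in PEM_KEY.finditer(data)]
    if max_depth == 0:
        return hits
    for run in B64_RUN.finditer(data):
        blob = re.sub(rb"\s+", b"", run.group(0))
        blob += b"=" * (-len(blob) % 4)  # repair stripped padding
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not Base64 after all
        hits += [(layers + 1, hdr) for layers, hdr in find_private_keys(decoded, max_depth - 1)]
    return hits

# Constructed sample, not a real key: a PEM-shaped placeholder and the same text after
# one layer of Base64, wrapped at 76 columns the way the base64 tool emits it.
FAKE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            + base64.b64encode(b"placeholder key body, not a real key") + b"\n"
            + b"-----END RSA PRIVATE KEY-----\n")
_enc = base64.b64encode(FAKE_PEM)
ENCODED_BACKUP = b"\n".join(_enc[i:i + 76] for i in range(0, len(_enc), 76)) + b"\n"

if __name__ == "__main__":
    for layers, header in find_private_keys(ENCODED_BACKUP):
        print(f"{header} found under {layers} Base64 layer(s)")
```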


Aight, *hacker voice* we are in. Got the root!!!

Thank you for reading this walkthrough.
