TryHackMe — Watcher WalkThrough

Source

This is a practical walkthrough of room “Watcher” from TryHackMe. Although this room is marked as easy level, but for me it was kind a medium level. This room is aimed at Boot2root, Web exploitation, Privilege escalation, LFI.

Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.

First Things First

Deploy the target machine (this machine might take upto 3–5 minutes to load and accessible)
There are two ways to access the deployed target machine.
1) Use attacker box — Provided by TryHackMe, it consist of all the required tools available for attacking.
2) Use OpenVpn configuration file to connect your machine (kali linux) to their network.
For the sake of demonstration I am using OpenVPN connection on my Kali Linux machine.

We won’t be using Metasploit for this challenge

All of my further commands will be executed as normal user not as root. So, if you’re also not executing all the commands as root then make sure to use sudo, as it can give you permission to run elevated programs.

There are two generic flags, four user flags and one root flag to collect to complete this room.

Enumeration

We will kick off this room with Nmap to enumerate the target IP address.

Nmap Scan
Nmap Scan

From nmap result, there are three open ports on target, HTTP, FTP and SSH. Let’s run GoBuster on target HTTP service to find any pages and/or directories.

GoBuster Result

Let’s visit, /robots.txt and find if there’s any information.

robots.txt

There’s flag and secret text, lets retrieve our first flag.

Flag 1

Now let’s check that secret text.

secret text

We don’t have permission to access the file. Let’s visit the homepage and find any information.

Homepage

As you can see in address bar, it’s accessing a different file from different location. This might lead us to LFI. Let’s try a generic LFI string and find out.

LFI Confirm

I tried to access the /etc/passwd and we got the result. Let’s read secret text now.

FTP Creds

From secret text we got FTP users credentials. Let’s login and find.

Flag 2

Cool, retrieve the second flag. As you can see, the directory on FTP “files” is writable to us. Let’s upload a php reverse shell and gain our initial foothold.

For this you can use default PHP reverse shell file from kali linux and change the parameters accordingly.

php reverse shell
Upload php file

It’s on target ftp folder, now set up a netcat listener to get a reverse conenction.

netcat listener

Now we need to access that reverse shell file, it gets executed and we get reverse connection.

access php file
reverse connection

We got the shell, let’s find our next flag.

Flag 3

Now we need to escalate our privileges to another user. Let’s check out sudo privileges.

Sudo Priv

It seems we can run anything with sudo as “toby” user without any “toby’s” password. Let’s access bash using sudo.

flag 4

We are accessing “toby” users bash environment now and we got the fourth flag too.

Now we need to escalate privileges to next flag user.

There’s a note in “toby’s” home directory. It say’s about cron job setup by “mat” user for toby. Let’s check that “job” directory.

There’s a shell file names “cow.sh” and we have the R/W/X permission. Let’s read the file content.

It’s copy a cow.jpg file to /tmp directory. Let’s edit this “cow.sh” to get a reverse shell.

Edit cow.sh

Add a one-liner to the file with your IP and Port and set up a netcat listener to get a reverse connection.

Netcat listener
Flag 5

we are in “mat” users bash environment and we got out fifth flag too.

There’s a note too in “mat” users home folder, let’s read it.

Note

It seams there’s a python script which we can run with sudo privileges of “Will” user. Let’s check our sudo privileges first.

As you can see, we can run python3 binary with sudo privileges as “will” user without his password. This script file is in script directory, let’s check it.

Script directory

There are two python files, “cmd.py” owner is “mat” and “will_Script.py” owner is will. So, we can’t edit the “will_script” but we can edit “cmd.py”.

Let’s read both files and check what it contains.

Will_Script.py
cmd.py

So, if we run “will_script.py” with 1 or 2 or 3 parameters then it checks “cmd.py”. If we run “will_script.py” 1 then we’d get ls -lah. Everytime we run will_script it calls cmd.py to run system commands.

As can edit/modify the “cmd.py”, let’s add a python one-liner to “cmd.py” and get a reverse shell. You can use this as one-liner and make sure to change IP:port.

Python one-liner

If we run “will_script” then we’d a reverse shell now. Set up a netcat listener.

Netcat listener

Now run the script as “will” user to get reverse connection.

run script
reverse connection

We got reverse connection and retrieved sixth flag too. Now all the user flags we retrieved, let’s move to get the root flag.

backup key

After searching of notes and hints, I stumbled upon this backup file. If we read it, then its a Base64 encoded.

We have to decode it and find out.

decoded

It’s a RSA private key (SSH) probably of root account. We need to copy the key and save it on our kali machine in a file.

Once you save it, change the permission of file and authenticate it.

Aight, *hacker voice* we are in. Got the root!!!

Thank you for reading this walkthrough.