This is a practical walkthrough of room “Watcher” from TryHackMe. Although this room is marked as easy level, but for me it was kind a medium level. This room is aimed at Boot2root, Web exploitation, Privilege escalation, LFI.
Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.
First Things First
Deploy the target machine (this machine might take upto 3–5 minutes to load and accessible)
There are two ways to access the deployed target machine.
1) Use attacker box — Provided by TryHackMe, it consist of all the required tools available for attacking.
2) Use OpenVpn configuration file to connect your machine (kali linux) to their network.
For the sake of demonstration I am using OpenVPN connection on my Kali Linux machine.
We won’t be using Metasploit for this challenge
All of my further commands will be executed as normal user not as root. So, if you’re also not executing all the commands as root then make sure to use sudo, as it can give you permission to run elevated programs.
There are two generic flags, four user flags and one root flag to collect to complete this room.
We will kick off this room with Nmap to enumerate the target IP address.
From nmap result, there are three open ports on target, HTTP, FTP and SSH. Let’s run GoBuster on target HTTP service to find any pages and/or directories.
Let’s visit, /robots.txt and find if there’s any information.
There’s flag and secret text, lets retrieve our first flag.
Now let’s check that secret text.
We don’t have permission to access the file. Let’s visit the homepage and find any information.
As you can see in address bar, it’s accessing a different file from different location. This might lead us to LFI. Let’s try a generic LFI string and find out.
I tried to access the /etc/passwd and we got the result. Let’s read secret text now.
From secret text we got FTP users credentials. Let’s login and find.
Cool, retrieve the second flag. As you can see, the directory on FTP “files” is writable to us. Let’s upload a php reverse shell and gain our initial foothold.
For this you can use default PHP reverse shell file from kali linux and change the parameters accordingly.
It’s on target ftp folder, now set up a netcat listener to get a reverse conenction.
Now we need to access that reverse shell file, it gets executed and we get reverse connection.
We got the shell, let’s find our next flag.
Now we need to escalate our privileges to another user. Let’s check out sudo privileges.
It seems we can run anything with sudo as “toby” user without any “toby’s” password. Let’s access bash using sudo.
We are accessing “toby” users bash environment now and we got the fourth flag too.
Now we need to escalate privileges to next flag user.
There’s a note in “toby’s” home directory. It say’s about cron job setup by “mat” user for toby. Let’s check that “job” directory.
There’s a shell file names “cow.sh” and we have the R/W/X permission. Let’s read the file content.
It’s copy a cow.jpg file to /tmp directory. Let’s edit this “cow.sh” to get a reverse shell.
Add a one-liner to the file with your IP and Port and set up a netcat listener to get a reverse connection.
we are in “mat” users bash environment and we got out fifth flag too.
There’s a note too in “mat” users home folder, let’s read it.
It seams there’s a python script which we can run with sudo privileges of “Will” user. Let’s check our sudo privileges first.
As you can see, we can run python3 binary with sudo privileges as “will” user without his password. This script file is in script directory, let’s check it.
There are two python files, “cmd.py” owner is “mat” and “will_Script.py” owner is will. So, we can’t edit the “will_script” but we can edit “cmd.py”.
Let’s read both files and check what it contains.
So, if we run “will_script.py” with 1 or 2 or 3 parameters then it checks “cmd.py”. If we run “will_script.py” 1 then we’d get ls -lah. Everytime we run will_script it calls cmd.py to run system commands.
As can edit/modify the “cmd.py”, let’s add a python one-liner to “cmd.py” and get a reverse shell. You can use this as one-liner and make sure to change IP:port.
If we run “will_script” then we’d a reverse shell now. Set up a netcat listener.
Now run the script as “will” user to get reverse connection.
We got reverse connection and retrieved sixth flag too. Now all the user flags we retrieved, let’s move to get the root flag.
After searching of notes and hints, I stumbled upon this backup file. If we read it, then its a Base64 encoded.
We have to decode it and find out.
It’s a RSA private key (SSH) probably of root account. We need to copy the key and save it on our kali machine in a file.
Once you save it, change the permission of file and authenticate it.
Aight, *hacker voice* we are in. Got the root!!!
Thank you for reading this walkthrough.