Tryhackme – Watcher

Initial foothold

As usual I set the boxip and scan it. 3 ports open, ftp, ssh and http.

Flag 1

Checking robots.txt we get a filename /flag_1.txt browse to it, we get our first flag.

Flag 2

Browsing to the second file we found in /robots.txt we get a forbidden access error.

Each post on the website however, link to a php file, this could be LFI. Using the post paramater and pointing it to secret_file_do_not_read.txt we get ftp credentials: ftpuser:givemefiles777
And note down that the ftp files are saved to /home/ftpuser/ftp/files/

By including the file ../../../../etc/passwd we get two potential users.


ftp $(boxip) using the aforementioned credentials we get the second flag, and see the files folder.


Flag 3 & 4

Uploading a php shell and then browsing to we pop a www-data shell.

After checking sudo -l and getting a shell as user toby, I got flag 4, so I missed a flag.

Running find / -name flag_3.txt I found it in /var/www/html/more_secrets_a9f10a/flag_3.txt

Flag 5

Running LinPEAS is always a great idea, I found an interesting cronjob.

I added a reverse shell command to the shell script and a minute later the next shell popped.

And from that user I could grab flag 5.

Flag 6

Running sudo -l, we see we can run a script in /home/mat/scripts/ as the user will.
Inspecting the code, we see it imports a custom module named cmd. We do a module injection and write our own module which runs bash.
And get shell as will.

Of course I grabbed the flag aswell.


Flag 7

Poking around, I eventually stumbled upon /etc/ssh
But it was a rabbit hole since I can’t read any of the interesting files there. Eventually I could see that will is part of the group adm. When I searched for all files belonging to that group something came up.

A base64 encrypted file. Putting it through cyberchef I got an rsa_id file content.

chmodding the file to 600 and using it with ssh, I got logged in as root.
Last flag snagged.