Watcher Writeup


Watcher link


Enumeration



Starting off with a quick nmap scan we can see we have 3 ports open: 21 (FTP), 22 (SSH) and 80 (HTTP), so the first thing will be checking out the website and seeing what we have.


Nothing too exciting here. Most of the links on the page seem to be broken for some reason, and the source code doesn't reveal much either, but clicking on one of the images does redirect us and creates a POST request, which could be worth looking at.


Before looking further at the above request we might as well run a quick gobuster scan and see if we can dig up any hidden directories.


Gobuster reveals some pretty standard stuff. It's always worth looking through the results though, just in case any of the directories has interesting contents, and it's also worth looking at the page's CSS in case there are hidden comments in there that could be worthwhile.


Starting with robots.txt we can see a couple of hidden txt files that certainly look worth looking at, one of them being our first flag, so let's grab that.
Taking a look at /secret_file_do_not_read.txt we get a 403 message, so we'll just need to remember this one and try to find a way to view it later, in case it has something interesting inside.

Nothing interesting was found in any of the directories that gobuster found, so going back to that POST request the website makes when loading one of the product pages, we can try to see if we can load anything else from the webserver.
Starting with the secret_file_do_not_read.txt file we found earlier, we can see that we can in fact load other files found locally on the webserver.
Looks like we have some FTP credentials, so let's jump onto the FTP server with them and see what it has in store for us.


And success, looks like we have our second flag and a directory labeled files, so let's continue exploring the FTP server.



And absolutely nothing, the files directory is empty. One thing that was mentioned in the note was the location of the files directory, so let's put a reverse shell in the directory and try to see if we can get some path traversal going on the website so that we can run our PHP reverse shell.
As above you can see I have gone ahead and put reverse.php in the files directory.


Exploit




And it's just that simple. It seems there's no filtering on the POST request and no directory allow list, so we were easily able to navigate to the file we wanted, and now we have a reverse shell!
Before exploring the machine let's get a more stable shell; I always like to just upload socat and utilize that so that I have a full tty shell.
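The root cause above is the include handler taking a path straight from the POST parameter. The following is an added example (not code from the Watcher box or the original writeup) showing what a hardened handler looks like: the requested name must be a bare file name on an allow-list, and the resolved path must still sit under the web root after `..` and symlink resolution. The parameter value, page names and directory layout are constructed for illustration.

```python
"""Hardened file-include handler: allow-list plus path containment.

Added example, not part of the original writeup. The page names and
the demo directory layout below are constructed assumptions.
"""
import os
import tempfile
from typing import Tuple

# Only these bare file names may ever be served by the include handler.
ALLOWED_PAGES = {"post1.html", "post2.html"}


class IncludeError(Exception):
    """Raised when a request would read outside the intended pages."""


def check_include(base_dir: str, requested: str) -> Tuple[bool, str]:
    """Decide whether `requested` may be served from `base_dir`.

    Returns (True, absolute_path) when the request passes every check,
    otherwise (False, reason). Checks are independent so that a mistake
    in one still leaves the others standing (defence in depth).
    """
    root = os.path.realpath(base_dir)
    # 1. Plain file name only: rejects '/etc/passwd', '../x', 'a/../b', ''.
    if requested in ("", ".", "..") or os.path.basename(requested) != requested:
        return False, "not a plain file name"
    # 2. Explicit allow-list of pages the application actually serves.
    if requested not in ALLOWED_PAGES:
        return False, "not on allow-list"
    # 3. Containment: after resolving symlinks the file must be under root.
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        return False, "resolved path escapes web root"
    return True, target


def load_page(base_dir: str, requested: str) -> str:
    """Return the page body, or raise IncludeError with the rejection reason."""
    ok, detail = check_include(base_dir, requested)
    if not ok:
        raise IncludeError(detail)
    with open(detail, "r", encoding="utf-8") as fh:
        return fh.read()


def make_demo_tree() -> str:
    """Constructed layout: a web root with the allowed pages and a
    'secret' file one level above it that the handler must never serve."""
    top = tempfile.mkdtemp()
    root = os.path.join(top, "html")
    os.mkdir(root)
    for name in sorted(ALLOWED_PAGES):
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(f"<h1>{name}</h1>")
    with open(os.path.join(top, "secret_file_do_not_read.txt"), "w", encoding="utf-8") as fh:
        fh.write("constructed secret, not the real file")
    return root


if __name__ == "__main__":
    root = make_demo_tree()
    for req in ["post1.html", "../secret_file_do_not_read.txt", "/etc/passwd", "post9.html"]:
        print(req, "->", check_include(root, req))
```

The allow-list alone would already stop the traversal shown in the writeup; the containment check is there for the day someone adds a page name that is itself a symlink or changes how the list is built.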



Now with socat on there and a stable shell we can start enumerating the machine. Let's start by doing a quick bit of exploration in the basic directories, and then we might as well upload linpeas and let that dig up some stuff for us.



PrivEsc


Doing a quick search on the machine we can find our third flag. Now to get linpeas on the machine and start digging.


Looks like linpeas found that the www-data user is able to run sudo as toby without a password, which means we can very easily switch users to toby.


Nice and easy. Now that we're toby we can go ahead and grab our fourth flag from his home directory.


Looking in toby's home directory we can see a note has been left for him. It looks like there are some cron jobs running, and the scripts for them are most likely in that jobs folder.
Let's take a quick look at our linpeas output to see what cron jobs are running.


Looks like there's a shell script in the jobs folder under toby's home directory called cow.sh that runs every minute as mat, so let's go and edit that script quickly so that we can establish a reverse shell as mat.



Navigating to mat's home directory we can grab our fifth flag. We need to remember that we are no longer using socat for a stable full tty shell; we could run socat again from mat's account and get another stable shell, but I think we'll just leave it for this one unless we feel we need it later.


Taking a look in mat's home directory we can see another note. Viewing that note we see we are able to run a python script as will, and running sudo -l we can also see that we can, sure enough, run it without a password.
Let's go and see if we can get access to will's account by exploiting this python script.


Looking at the scripts located under the scripts directory we have two. We can't edit will_script.py as it's owned by will and only writable by that account, but it does call another file, cmd.py, and we are the owner of that file with write permission, so let's edit that file to give us a shell.


Really simple, no need to get too creative here: just replace the contents of cmd.py so that it imports pty and spawns /bin/bash, then we just need to run the script as will with sudo and we should have a shell as will.


Make sure that when you call the script you add something at the end. I just added 2 there because it was a cmd in the original script, but it doesn't have to be one, you could use something arbitrary; the script is expecting an argument to be given with it. Once you've done that it will call cmd.py and load up a shell as will, which can be seen above.
Now onto getting our 6th flag!
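Both of the last two escalations (the cron job cow.sh that runs as mat but lives in toby's home, and will_script.py that runs as will but imports a cmd.py owned by mat) break the same rule: anything executed or imported in a privileged context must be owned by root or by the identity it runs as, and must not be writable by anyone else, and the same goes for the directory it sits in, because Python resolves a bare `import cmd` from the script's own directory first. The audit below is an added example (not the writeup's or the box's code) that applies that rule to a script, its directory and any sibling modules it imports. The uids and paths in the demo are constructed, not taken from the machine.

```python
"""Audit scripts that run as another identity via sudo or cron.

Added example, not part of the Watcher writeup. Rule applied: a file that
is executed or imported while running as `runner_uid` must be owned by
root (uid 0) or by runner_uid, and must not be group- or world-writable.
"""
import ast
import os
import stat
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class FileFacts:
    """Ownership and permission facts, decoupled from the filesystem so the
    audit rule can be tested on constructed data."""
    path: str
    owner_uid: int
    mode: int            # permission bits only, e.g. 0o644
    is_dir: bool = False


def audit_file(f: FileFacts, runner_uid: int) -> List[str]:
    """Return findings for one file or directory used while running as runner_uid."""
    findings = []
    if f.owner_uid not in (0, runner_uid):
        findings.append(f"{f.path}: owned by uid {f.owner_uid}, but runs as uid {runner_uid}")
    if f.mode & stat.S_IWGRP:
        findings.append(f"{f.path}: group-writable")
    if f.mode & stat.S_IWOTH:
        findings.append(f"{f.path}: world-writable")
    return findings


def local_imports(source: str) -> Set[str]:
    """Top-level module names a Python script imports (candidates for sibling files)."""
    names: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def facts_from_disk(path: str) -> FileFacts:
    """Collect FileFacts for a real path (used when auditing a live system)."""
    st = os.stat(path)
    return FileFacts(path, st.st_uid, stat.S_IMODE(st.st_mode), stat.S_ISDIR(st.st_mode))


def audit_script(script: str, runner_uid: int, source: Optional[str] = None) -> List[str]:
    """Audit a script, its directory, and any sibling .py modules it imports.

    `source` may be passed explicitly (e.g. for tests); otherwise it is read
    from disk when the script is a Python file.
    """
    findings: List[str] = []
    directory = os.path.dirname(os.path.abspath(script))
    findings += audit_file(facts_from_disk(directory), runner_uid)
    findings += audit_file(facts_from_disk(script), runner_uid)
    if script.endswith(".py"):
        if source is None:
            with open(script, "r", encoding="utf-8") as fh:
                source = fh.read()
        for mod in sorted(local_imports(source)):
            sibling = os.path.join(directory, mod + ".py")
            if os.path.exists(sibling):
                findings += audit_file(facts_from_disk(sibling), runner_uid)
    return findings


if __name__ == "__main__":
    # Constructed facts mirroring the two patterns in the writeup
    # (uids are made up for the demo).
    demo = [
        (FileFacts("/home/toby/jobs/cow.sh", owner_uid=1001, mode=0o755), 1002),   # cron runs as mat
        (FileFacts("/home/mat/scripts/cmd.py", owner_uid=1002, mode=0o644), 1003),  # imported, runs as will
        (FileFacts("/usr/local/sbin/backup.sh", owner_uid=0, mode=0o755), 1003),    # clean
    ]
    for facts, runner in demo:
        print(facts.path, audit_file(facts, runner) or ["ok"])
```

On a live box you would call `audit_script("/home/mat/scripts/will_script.py", <uid of will>)` for every sudoers entry and cron line; an empty list means the script and everything it pulls in is controlled only by root or the account it runs as.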


Running sudo -l it seems we require a password for will's account, which we don't have, so we need to look elsewhere to gain root.
Running the id command as will, we can see that they are part of the adm group, so let's quickly run linpeas again under will and see if that shows us anything interesting we can do as a member of that group.




Looks like we have a base64 file in /opt/backups called key.b64, which could be an interesting file to look at. We can also see base64 is on the machine under the useful software linpeas lists, so let's see what that file holds.


After decoding the b64 file it looks like we have a private SSH key that possibly belongs to root, based on the file permissions. Let's transfer this to our machine and try to SSH into the machine as root using the private key.
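From the defender's side, the lesson of key.b64 is that an encoding step hides nothing: a private key left in a backup directory is still a private key whether or not it is base64-wrapped. The scanner below is an added example (not the writeup's or the box's code) that walks a directory and flags files containing a PEM private-key header either in the clear or after a strict base64 decode. The directory contents it builds for the demo are constructed, including a placeholder key that is not real key material.

```python
"""Find private keys in a directory, plain or base64-wrapped.

Added example, not part of the Watcher writeup. The demo files and the
placeholder key body are constructed; nothing here is real key material.
"""
import base64
import binascii
import os
import re
import tempfile
from typing import Dict, Optional

# Matches "-----BEGIN PRIVATE KEY-----", "-----BEGIN OPENSSH PRIVATE KEY-----",
# "-----BEGIN RSA PRIVATE KEY-----" and similar PEM headers.
KEY_MARKER = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

# Files larger than this are skipped; keys are small and big blobs are slow to decode.
MAX_SIZE = 1 << 20


def classify(data: bytes) -> Optional[str]:
    """Return 'plain' for a PEM key, 'base64' for a base64-wrapped PEM key, else None."""
    if KEY_MARKER.search(data):
        return "plain"
    # Strip all whitespace first: base64 output is usually line-wrapped.
    compact = b"".join(data.split())
    if not compact:
        return None
    try:
        # validate=True rejects anything with non-alphabet characters instead
        # of silently discarding them, so ordinary text is not "decoded".
        decoded = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    return "base64" if KEY_MARKER.search(decoded) else None


def scan_dir(root: str) -> Dict[str, str]:
    """Map each offending file (path relative to root) to its classification."""
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_SIZE:
                    continue
                with open(path, "rb") as fh:
                    verdict = classify(fh.read())
            except OSError:
                continue
            if verdict:
                hits[os.path.relpath(path, root)] = verdict
    return hits


# Constructed stand-in for a key file; deliberately not a parseable key.
FAKE_PEM = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
            b"Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIEtFWQ==\n"
            b"-----END OPENSSH PRIVATE KEY-----\n")


def make_demo_backups() -> str:
    """Constructed /opt/backups look-alike: one base64-wrapped key, one plain key,
    one harmless note, and a short valid-base64 file that decodes to nothing interesting."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "key.b64"), "wb") as fh:
        fh.write(base64.encodebytes(FAKE_PEM))          # line-wrapped, like `base64` output
    with open(os.path.join(root, "id_ed25519"), "wb") as fh:
        fh.write(FAKE_PEM)
    with open(os.path.join(root, "note.txt"), "wb") as fh:
        fh.write(b"nightly backup, nothing to see here\n")
    with open(os.path.join(root, "token.b64"), "wb") as fh:
        fh.write(b"aGVsbG8gd29ybGQ=\n")                   # "hello world"
    return root


if __name__ == "__main__":
    for rel, kind in sorted(scan_dir(make_demo_backups()).items()):
        print(f"{kind:7s} {rel}")
```

Pair a scan like this with the permission check you would do by hand: a key found in a backup path readable by a low-privilege group (here, adm) is the finding, regardless of the encoding.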


And sure enough, after copying the private key over to our machine and setting the correct file permissions, we are able to SSH into the machine as root. Now we can just go and grab our seventh and final flag!
