✅TryHackMe - ConvertMyVideo (Medium)
Summary
Port 80 hosts a "Convert My Video" service, which is a GUI wrapper of youtube-dl. Intercept the request with Burp and analyze it. Here we use command injection to transfer a PHP reverse shell payload to the victim machine and get a user shell as www-data.
In the privilege escalation phase, pspy finds a script gets executed as root every minute or so. Moreover, www-data has write permission on that script. Here we overwrite the script with a Bash reverse shell payload and catch a reverse shell as root.
IP
RHOST: 10.10.108.142
LHOST: 10.13.12.2
Nmap

Asset Discovery
Run Gobuster:
Gobuster finds /admin
:

http://convertmyvideo.thm/admin
prompts a login form but we don't know the credential yet:

www-data Shell: Command Injection
Use 1337
as input, capture the request and send it to Repeater:

Try command injection:

It works. Now let's try to transfer a PHP reverse shell payload to the victim machine. Start a HTTP server:
Use the following payload to transfer the PHP reverse shell payload:
Here ${IFS}
must be used to represent space, otherwise the syntax of the payload will be interpreted incorrectly. Send this request:

Trigger the payload at http://convertmyvideo.thm/php-reverse-shell.php
and catch a reverse shell as www-data:
User Shell: Password Cracking
In /var/www/html/admin
, we fidn .htaccess
and .htpasswd
:
Recall that http://convertmyvideo.thm/admin
prompts a login form and we did not know the credential. Here .htaccess
and .htpasswd
are responsible for this login form. The .htpasswd
file contains a password hash and we should try to crack it using John:
The credential is itsmeadmin:jessie
:
We won't use this credential though: it is possible to become root from www-data directly.
Privilege Escalation: Cronjob + Weak Permission
Transfer pspy64 to the victim machine. Note that /var/www/html/tmp/clean.sh
is executed as root by some cronjob:
We (www-data) have write permission on this script:
Start a pwncat listener and write Bash reverse shell into /var/www/html/tmp/clean.sh
:
Catch a reverse shell as root:
Last updated