TryHackMe-ConvertMyVideo Writeup

This is a fairly hard machine in which we find that our target is vulnerable to command execution and have to bypass certain blocked characters. Once we gain a low-level shell, we run the PSPY tool to find hidden cron jobs and root processes, and escalate privileges via one such cron job that runs as root.

Ports 22 and 80 are open. Port 80 hosts a web page that converts videos to mp3. We view the source code but are unable to find anything juicy.

Fire up Burp, enter any random word in the input field (Video ID) and intercept the request.

Send the intercepted request to Repeater. We can see that the only input we are passing is a field called yt_url. Let's check if we can run any command; let's try the whoami command:

We see that we get an error: 'whoami is not valid'. Now a point to learn is that if we paste the error into Google, it leads us to the GitHub page of youtube-dl. If we look carefully, we find that many youtube-dl commands appear on its GitHub page as well, which is another indication of command execution.

Anyway, there are many ways to bypass command checks, such as using backticks (``), a pipe (|), &&, a semicolon (;), or URL encoding.

Here is an awesome cheat sheet:

Moreover, in a previous TryHackMe room called ULTRA TECH, which I had solved, we learned that one way to bypass such checks is to pass the command within backticks, for example `whoami`. So let's try it:

And indeed it works. We find that we are www-data by running the whoami command within backticks.

Running ls shows us a file called admin. We then try to run ls -la to see all files and directories. Why miss anything?

Unfortunately we get an error. The argument after ls doesn't seem to work. It looks like the space character is not allowed. This was a tricky part to catch, and honestly I personally think that this machine is hard as well.

Fortunately we can bypass this as well. If we google 'how to run bash command without space' we will find this article in the first link, where people mention ${IFS}.

And sure enough, it works like a breeze. Here we are just replacing each space with ${IFS} and running the command within backticks as before.
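From a defender's point of view, the filter in this room is a blocklist of individual characters, which is why the backtick and ${IFS} requests above slip through. The following Python example is added here and is not the room's or youtube-dl's own code: it contrasts a blocklist filter reconstructed from the writeup's behaviour (assumed, not the actual source) with an allowlist validator that accepts only a bare video ID (assumed to be 11 characters from [A-Za-z0-9_-]) and then builds the youtube-dl argv as a list so no shell ever parses user input.

```python
import re
import subprocess
from typing import List

# Characters the room's filter appears to reject, reconstructed from the
# writeup (space, '+', './'). This is the weak pattern: anything not listed,
# such as backticks or ${IFS}, passes straight through.
BLOCKED = (" ", "+", "./")


def blocklist_filter(yt_url: str) -> bool:
    """Return True if the input passes the (weak) blocklist check."""
    return not any(bad in yt_url for bad in BLOCKED)


# Allowlist: assumed YouTube video ID format, exactly 11 URL-safe characters.
VIDEO_ID_RE = re.compile(r"^[A-Za-z0-9_-]{11}$")


def allowlist_filter(yt_url: str) -> bool:
    """Return True only if the input is a plain video ID and nothing else."""
    return VIDEO_ID_RE.fullmatch(yt_url) is not None


def build_command(video_id: str) -> List[str]:
    """Build the youtube-dl argv as a list; raise on anything but a bare ID.

    Because the command is a list, shell metacharacters in video_id would be
    inert bytes in one argument, not syntax, even if validation were skipped.
    """
    if not allowlist_filter(video_id):
        raise ValueError("%r is not a valid video ID" % video_id)
    return ["youtube-dl", "--extract-audio", "--audio-format", "mp3",
            "https://www.youtube.com/watch?v=" + video_id]


def convert(video_id: str) -> subprocess.CompletedProcess:
    """Run the conversion with shell=False (argv goes to execve directly)."""
    return subprocess.run(build_command(video_id), shell=False,
                          capture_output=True, text=True, check=False)
```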

So we can run commands. Why don't we write a reverse shell, or upload a malicious shell file containing a reverse shell, and catch it using netcat? Running commands here in Burp isn't the best approach, and many characters apart from space are also blocked.

Now create a file called shell.sh on your Kali machine containing a reverse shell. We can use PentestMonkey to find a one-line bash reverse shell. Then run a SimpleHTTPServer using Python to host the malicious file (shell.sh).

Once our server is up and running, we can run the wget command to download the file onto our target as shown below.

Once our shell.sh is uploaded on the target, we need to give it permission to execute using chmod 777 shell.sh (NOTE: chmod +x won't work here, as + is blocked just like space).

Finally we need to run shell.sh using ./shell.sh. However, we get an error instead. Looks like ./ is also blocked.

A simple way to bypass this is to invoke the script through bash or sh instead. (You can also google a bit on the various ways to run Linux executables.) We start a netcat listener and finally forward the request, which runs the command, and we get a shell!

Once we are in, we try to escalate privileges but don't find anything interesting. We can try running LinPEAS or viewing cron jobs using cat /etc/crontab. This is the point where we should try watching the running processes using ps aux, or look for any internal ports to forward using netstat -nl or ss -tulpn.

On running the ps aux command, we come across a cron job running as root. Moreover, there is a really useful tool called PSPY which shows us hidden root cron jobs and processes.

Result of ps aux:

Let's go to PSPY's GitHub page and download the 64-bit version as shown below, since our target is x64 (we found this by running the uname -a command).

Once we have it downloaded, simply host it using Python's SimpleHTTPServer as we had done previously. Then, on our target machine, download PSPY using wget.

Finally, give it executable permission, run it using ./pspy64 and wait patiently.

And voilà, we find a file called clean.sh which is being run by root (UID=0). Its location is also shown as /var/www/html/tmp. It is a cron job; you will see these commands running again and again as you scroll.

All we have to do is replace the contents of clean.sh with a bash reverse shell and our work will be done! Let's run ls -la on clean.sh to check what permissions we have. We see that we can read and write it (rw) and that it is owned by us (www-data).
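The root cause on the defensive side is a root cron job executing a script that lives under the web root and is owned and writable by www-data. As an added check that is not part of the writeup, the following Python audits a system crontab (/etc/crontab format) and flags root jobs whose script is not root-owned, is group- or world-writable, is missing (so a writable parent directory lets anyone create it), or is stored under a web or temp directory; the stat function is injectable so it can run against constructed metadata.

```python
import os
import stat
from typing import Callable, List, NamedTuple


class Finding(NamedTuple):
    path: str
    reason: str


def root_jobs(crontab_text: str) -> List[str]:
    """Command field of every job (m h dom mon dow user command) run as root."""
    cmds = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                       # comments; VAR=value lines have < 7 fields
        fields = line.split(None, 6)
        if len(fields) == 7 and fields[5] == "root":
            cmds.append(fields[6])
    return cmds


def script_path(command: str) -> str:
    """Pick the script out of a command such as 'bash /x/y.sh >/dev/null'."""
    for tok in command.split():
        if tok.startswith("/") and len(tok) > 1:
            return tok
    return ""


def audit_script(path: str, owner_uid: int, mode: int) -> List[Finding]:
    """Flag a root-run script that a non-root user could rewrite (mode = st_mode)."""
    found = []
    if owner_uid != 0:
        found.append(Finding(path, "not owned by root (uid %d)" % owner_uid))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        found.append(Finding(path, "writable by group or others"))
    if path.startswith(("/var/www/", "/tmp/", "/dev/shm/")):
        found.append(Finding(path, "stored under a web or temp directory"))
    return found


def audit_crontab(crontab_text: str, stat_of: Callable = os.stat) -> List[Finding]:
    """Audit every root job; pass a fake stat_of to test without a live filesystem."""
    found = []
    for cmd in root_jobs(crontab_text):
        path = script_path(cmd)
        if not path:
            continue
        try:
            st = stat_of(path)
        except FileNotFoundError:
            found.append(Finding(path, "script missing: creatable by whoever can write its directory"))
            continue
        found.extend(audit_script(path, st.st_uid, st.st_mode))
    return found
```

Run against the real /etc/crontab with the default os.stat, every Finding is a script a lower-privileged user can turn into a root shell, which is exactly what clean.sh is here.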

Since nano was not working properly, I echoed the reverse shell into clean.sh.

We finally start a netcat listener and patiently wait for the cron job (clean.sh) to run. And boom, we get a shell, and it's a root shell because the UID of the cron job was 0, as we saw in PSPY.

Although this machine was pretty difficult, we learned a lot about bypassing command execution checks and also about an amazing tool called PSPY. This room does require a pretty good grip on the Linux command line and a bit of Google. I hope you learned from this; make sure to follow me here for more such CTF writeups and articles on cybersecurity.

I am a Penetration Tester, currently pursuing OSCP. Skilled in network pen-testing and developing hacking tools using Python. I share my knowledge on YouTube.