ConvertMyVideo
Port 80 lands us on a YouTube video conversion page.
Running feroxbuster against the target website produces only a few results, of which only the /admin directory is interesting. The /admin directory uses an HTTP basic auth form, and I was unable to crack it using rockyou.txt with common usernames such as 'admin'.
Running a generic query does not produce anything interesting.
Running the search query through Burp Suite gives us the parameter 'yt_url'.
Referring to this link, we can try various command injection techniques for valid parameters.
As per the link, trying the following gives us a command injection result:
Knowing we can inject commands, we can attempt a reverse shell by running the command below in a terminal on our attacking machine, then taking the output and using it in our command injection.
Then paste the output into Burp Suite:
Once sent, we should receive a reverse shell on the netcat listener.
After looking about the machine and running enumeration scripts, I was unable to identify any points of escalation. I then decided to run pspy64 to see if anything is being executed on a regular basis.
After transferring and running it, we get the following results:
Frequently the following is being run:
/bin/sh -c cd /var/www/html/tmp && bash /var/www/html/tmp/clean.sh
From here I echoed out the contents of clean.sh and replaced the contents with a netcat reverse shell.
I then set up a listener on port 4444, waited a few seconds, and received a shell as root.
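The escalation works because root periodically runs a script that lives in a directory the web server account can write to. The following is an added example, not part of the original write-up: a defender-side audit that takes a recurring command line such as the one pspy showed, extracts the absolute paths, and reports every path component that a non-root account could modify. The function names and the trusted_uids parameter are assumptions made for this example.

```python
import os
import shlex
import stat

# The recurring root command quoted above, as captured by pspy.
PSPY_LINE = "/bin/sh -c cd /var/www/html/tmp && bash /var/www/html/tmp/clean.sh"

def paths_in_command(cmdline):
    """Absolute paths named in a command line (PATH-resolved names are skipped)."""
    return [tok for tok in shlex.split(cmdline) if tok.startswith("/")]

def audit_path(path, trusted_uids=frozenset({0})):
    """Check a path and every ancestor directory; return (component, reason) pairs."""
    findings = []
    current = os.path.realpath(path)  # follow symlinks to the file actually executed
    while True:
        try:
            st = os.stat(current)
        except FileNotFoundError:
            findings.append((current, "missing: anyone who can write the parent can create it"))
        else:
            if st.st_uid not in trusted_uids:
                findings.append((current, f"owned by untrusted uid {st.st_uid}"))
            # In a sticky directory (such as /tmp) only an entry's owner or the
            # directory's owner may rename or delete it, so it is not flagged.
            sticky = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky:
                findings.append((current, f"group/world-writable, mode {stat.S_IMODE(st.st_mode):o}"))
        parent = os.path.dirname(current)
        if parent == current:  # reached /
            return findings
        current = parent

def audit_command(cmdline, trusted_uids=frozenset({0})):
    """Map each absolute path in the command line to its findings."""
    return {p: audit_path(p, trusted_uids) for p in paths_in_command(cmdline)}

if __name__ == "__main__":
    for target, findings in audit_command(PSPY_LINE).items():
        for component, reason in findings:
            print(f"{target}: {component}: {reason}")
```

Run it as root on the host being reviewed so every component can be read. Any finding on a script that a root cron job executes means the job should point at a root-owned file in a root-owned directory instead.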