TryHackMe: ConvertMyVideo

ConvertMyVideo is a medium-difficulty room on TryHackMe, but it requires a lot of thinking at each step. From gaining the foothold to escalating our privileges, we need to think outside the box to get the desired result. This room covers intercepting traffic, OS command injection, and analysing cron jobs.

So, let’s begin!

Initial Enumeration

The first thing that we must do is scan all the ports and get details of the services running there using nmap:

So, here it can be seen that only ports 22 and 80 are open. As Apache is running on port 80, we can go and check the web pages hosted there.

On visiting the IP address through our browser, we land up on a page which looks like:

All that can be done here is enter a Video ID. But we can definitely take a look at the page's source code.

Here, it can be seen that this page refers to a JS file named main.js, which has the following code:

From this JS, it can be seen that the passed value is appended to the string “" and then sent to the server. We can intercept this traffic using Burp Suite and modify it to check for any vulnerabilities.

Here, we can see that the entered value “1234” has been added at the end of the passed string.

With the help of Burp, we can modify the entire value being sent to the server and check whether command injection is possible from here.

For this, first we need to send this request to “Repeater” and then try to send different values:

When only a semicolon is passed, it returns an error. We can try adding a command after it as well:

It can be seen that our entered value is reflected, but we do not get the output of the command. We can try backticks (`), as command substitution inside them is evaluated before the rest of the command runs.

Here, we can see that backticks worked. So, we can try sending a reverse shell payload to get access to the machine:

Though we saw that command injection works here, it did not work for obtaining a reverse shell. If we look closely at the responses to all the commands we sent, our command was reflected in "url_original":<entered_value>. But in the case of the reverse shell, the value returned was just "url_original":"`rm". It appears that the space ( ) is being filtered from the input. To confirm this, we can send the command ls -la.

As expected, only ls is returned in the output. So, we can be sure that the space ( ) is being filtered out.

Gaining Foothold

Now the issue is that, in order to get access to the system, we need to run the reverse shell command on it somehow, but our input is being filtered. To bypass this, we can do the following:

1. Create a bash file with the reverse shell payload in it on our local machine.

2. Start a Python web server on our local machine.

3. Download the shell file on the target machine using wget.

${IFS} is the Internal Field Separator, which the shell uses to split words after expansion and to split lines into words. Its default value is <space><tab><newline>, so ${IFS} can stand in for the filtered space.

4. From the response, we can say that the file was successfully downloaded on the machine.

5. To make sure the file is downloaded, we can run the command ls.

6. Now that the file is downloaded, we need to execute it, but first we need to make it executable. So, we can send the command chmod +x as chmod${IFS}+x${IFS}

But it looks like even this does not work. From the value returned, we can assume that the issue is the + in our command. We have another option for this: send the command chmod 777 with ${IFS}.

Normally the chmod command does not return anything, and the same is the case here.

7. Start a listener on our local machine.

8. Send the command to run the script and wait for a reverse shell connection.

9. And there we get our shell.

10. As this is a dumb shell, we can upgrade it using the method explained here.
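The injection analysed above and the ${IFS} bypass, seen from the application's side: the concatenation pattern that makes the probes work, beside a hardened handler. Added example, not the room's server code; TOOL, the --id flag and the video-ID character class are assumptions.

```python
"""The video-ID handling the room exploits, beside a hardened form.
Added example, not the room's server code; TOOL is a hypothetical converter path."""
import re
import subprocess
from typing import List

TOOL = "/usr/local/bin/convert-video"  # hypothetical; the real fixed command string is not shown

# Legitimate IDs need nothing outside this character class (assumed allowlist).
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Markers the writeup's probes rely on (';', backticks, ${IFS} as a space substitute),
# plus the rest of the same metacharacter class, for alerting on rejected input.
INJECTION_MARKERS = (";", "`", "$(", "${IFS}", "|", "&", "\n")

def build_shell_string_vulnerable(video_id: str) -> str:
    """The pattern the page infers on the server: untrusted input appended to a fixed
    string and handed to a shell, where backticks in video_id get executed."""
    return TOOL + " " + video_id

def found_markers(video_id: str) -> List[str]:
    """Injection markers present in the input, in INJECTION_MARKERS order."""
    return [m for m in INJECTION_MARKERS if m in video_id]

def is_valid_video_id(video_id: str) -> bool:
    return VIDEO_ID_RE.fullmatch(video_id) is not None

def build_argv(video_id: str) -> List[str]:
    """Hardened form: allowlist the value, then pass it as its own argv element so
    no shell parses it (no word splitting, no backtick substitution, no ${IFS})."""
    if not is_valid_video_id(video_id):
        raise ValueError(f"rejected video id {video_id!r}, markers={found_markers(video_id)}")
    return [TOOL, "--id", video_id]

def run_conversion(video_id: str) -> subprocess.CompletedProcess:
    # shell=False: argv goes to exec directly, so the page's probes never become syntax
    return subprocess.run(build_argv(video_id), shell=False, capture_output=True, text=True)
```

Logging found_markers() on every rejection gives a cheap detection signal for the probing sequence shown in the Burp screenshots.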

Now we can start exploring the files to which we have access.

It can be seen that the owner of flag.txt is www-data itself, so we can read it and submit the user flag.

Privilege Escalation

Other than the flag, we have access to .htaccess and .htpasswd as well, which we can check.

It can be seen that the hash starts with $apr1$, which after some research turns out to be Apache's own format for .htpasswd. Also, it is very difficult to crack this hash.

I tried to crack it with hashcat and john but did not succeed.

But this appears to be a rabbit hole, as this hash can't be cracked easily. Moving on, we can look for another method of privilege escalation, such as searching for SUID binaries:

None of these appear useful for privilege escalation according to GTFOBins. We can also check the cron jobs:

But it looks like there are no cron jobs on the system. The next thing we can look at is the processes running on the system, using the command ps aux.

While going through the processes, we can see an odd process running:

We just checked that there are no cron jobs on the system, yet cron shows up among the running processes. This is odd. To analyse such things we can use pspy64.

Download the pspy64 binary directly using the download link (no need to clone the entire repository).

Once downloaded to our local machine, we can transfer it to the target machine using a Python server and wget, then make it executable.

We can run it simply by executing ./pspy64 and then wait for some time while it snoops on the processes being executed on the system.

After waiting for some time, we can see the command that cron is running:

It appears that cron is executing a file named stored at /var/www/html/tmp. We can check the permissions of this bash script and see whether we can modify it to our benefit.

We can see that www-data is the owner of the file. So, we can easily modify its content and use it to escalate our privileges.

We can change its content so that it creates a copy of the bash binary with the SUID bit set as root, which we can then use to gain access as root. For this, we can run the command:

Once the content of the script is updated, we can run pspy64 again and monitor until cron executes the script. But in this case, even after cron executes the script, the myroot file is not created in the /tmp directory. We can try changing the path from /tmp to something else as well, but that won't work either. Also, when the script is run directly as www-data it executes successfully and the myroot file is created (obviously of no use, because it would have the SUID bit set for www-data; this just confirms that the script itself works).

So, the next thing we can do is try to get a remote shell by putting a reverse shell command in the file. For this we can run the command:

Start a listener on our local machine on the new port number, and start pspy64 again to check when the script gets executed. As soon as the script runs, we get a shell as root on our listener.
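The misconfiguration behind the whole privilege escalation above is a root cron job that executes a script owned by www-data. This added example (not the room's tooling) audits crontab-style lines for exactly that: stat_fn is injected so it runs here on constructed data, and the script name in the sample is a placeholder, not the room's real file.

```python
"""Audit /etc/crontab-style lines for scripts that root runs but another user owns or can write.
Added example, not the room's tooling. stat_fn is injected so it runs here on constructed data."""
import os
import stat
from typing import Callable, List, NamedTuple, Optional

FileInfo = NamedTuple("FileInfo", [("uid", int), ("mode", int)])  # owner uid, permission bits
Finding = NamedTuple("Finding", [("user", str), ("path", str), ("reason", str)])

def command_target(command: str) -> Optional[str]:
    """First absolute path in the command, skipping an interpreter such as /bin/bash."""
    for tok in command.split():
        if tok.startswith("/") and len(tok) > 1 and os.path.basename(tok) not in ("bash", "sh"):
            return tok
    return None

def audit_crontab(lines: List[str], stat_fn: Callable[[str], FileInfo]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or assignment such as SHELL=/bin/sh
        parts = line.split(None, 6)  # five time fields, user, command
        if len(parts) < 7:
            continue
        user, target = parts[5], command_target(parts[6])
        if target is None:
            continue
        info = stat_fn(target)
        if user == "root" and info.uid != 0:
            # the room's case: root's cron runs a script owned by www-data
            findings.append(Finding(user, target, f"owned by uid {info.uid} but run as root"))
        elif info.mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(Finding(user, target, "group- or world-writable"))
    return findings

SAMPLE_CRONTAB = [  # constructed; the script name is a placeholder, not the room's real file
    "SHELL=/bin/sh",
    "# m h dom mon dow user command",
    "* * * * * root /bin/bash /var/www/html/tmp/PLACEHOLDER.sh",
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly",
]
SAMPLE_FILES = {
    "/var/www/html/tmp/PLACEHOLDER.sh": FileInfo(33, 0o755),  # uid 33 = www-data on Debian
    "/etc/cron.hourly": FileInfo(0, 0o755),
}
def sample_stat(path: str) -> FileInfo:
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]
```

On a real host, replace sample_stat with a wrapper around os.stat that returns FileInfo(st.st_uid, st.st_mode) and feed in /etc/crontab plus the files under /etc/cron.d.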

With this we have completed the room!

Key Points to Take Away

1. Backticks (`) have the highest preference in a command.
2. In command injection, if the space ( ) is being filtered, use ${IFS}.
3. If a duplicate /bin/bash can't be created with the root SUID bit set, try to gain a remote shell with root privileges instead.


  1. TryHackMe — convertMyVideo:
  2. Reverse Shell Generator:
  3. GTFOBins:
  4. PSPY64:

Just another CyberSec Guy
