ConvertMyVideo - TryHackMe

Room: ConvertMyVideo — TryHackMe

Skill-level: Beginner → Intermediate | Focus: web app logic, file upload/processing, post-exploit reasoning

I worked through ConvertMyVideo — a compact, realistic lab that models a video-to-audio conversion service. It’s a great exercise because media-processing code is everywhere in production, and small mistakes in how uploads are handled or how conversions are invoked can lead to compromise.


What I learned (high-level)

  • File-handling and conversion pipelines (FFmpeg or similar) are common attack surfaces.

  • Enumeration and careful probing often reveal the intended learning path — look for hidden endpoints, API behaviors, and filename handling quirks.

  • Privilege escalation is frequently about trusting configuration and permissions rather than dramatic exploits.

High-level procedure (tools, methods & “tricks” used)

The following is intentionally non-actionable — it describes the investigative approach and common defensive lessons rather than exact exploit steps.

  1. Recon & footprinting

    • Tools: nmap, HTTP(S) header inspection, browser developer tools.

    • Goal: identify open ports, web server, exposed services, and basic technology stack (web server, frameworks).

  2. Web discovery & content enumeration

    • Tools: gobuster / feroxbuster / dirsearch, Burp Suite (or OWASP ZAP) for intercepting requests.

    • Goal: find admin panels, upload pages, hidden endpoints or REST APIs that aren’t linked from the main UI.

  3. Functional analysis

    • Tools/techniques: manual testing via browser, curl, Burp Repeater.

    • Goal: understand how the video→mp3 flow works: upload form fields, conversion triggers, accepted file types, callback URLs, preview endpoints, and returned metadata.

  4. File handling & input validation checks

    • Focus: how filenames, content-type, and metadata are handled by the server and conversion tool.

    • Why it matters: conversion tools often call external programs (e.g., ffmpeg) — unvalidated inputs or predictable temporary file locations can be abused or leak info.

  5. Behavioral probing

    • Tools: Burp Suite, browser devtools, wget/curl.

    • Goal: observe server responses to malformed inputs, long filenames, specially crafted headers, or unexpected file formats. This reveals logic bugs without performing destructive actions.

  6. Post-upload inspection

    • Look for converted files (public path / predictable names), temporary directories, or metadata leaks that disclose system paths or user accounts.

  7. Pivot & privilege enumeration

    • Once an initial foothold or useful information is obtained (e.g., weak credentials, readable config files, or accessible temp directories), enumerate local accounts, permissions, and scheduled tasks to find privilege-escalation vectors. Tools: standard Linux enumeration commands, linpeas/LinEnum (in your own lab only).

  8. Clean reporting & defense

    • Document findings, reproduce safely, and propose fixes: strict file-type validation, filename sanitization, process isolation, least privilege for the conversion worker, immutable storage for uploads, and logging/monitoring.
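As an added example (not code from the room, and not the author's own), here is how a conversion service can implement the fixes proposed in step 8 in Python: magic-byte validation of the uploaded container, a filename sanitizer, an unguessable storage name, restrictive permissions on the stored file, and an ffmpeg invocation built as an argument vector rather than a shell string. The container allowlist (MP4/MOV `ftyp`, Matroska/WebM EBML, AVI RIFF), the ffmpeg flags and the function names are assumptions chosen for this example; the room's real service is not shown here.

```python
import os
import re
import secrets
from pathlib import Path
from typing import Optional

# Container signatures accepted by the service (allowlist assumed for this example).
# MP4/MOV: "ftyp" at offset 4; Matroska/WebM: EBML header 1A 45 DF A3; AVI: "RIFF" .... "AVI ".
def sniff_container(header: bytes) -> Optional[str]:
    """Identify the container from the first bytes of the upload, ignoring extension and Content-Type."""
    if len(header) >= 8 and header[4:8] == b"ftyp":
        return "mp4"
    if header.startswith(b"\x1a\x45\xdf\xa3"):
        return "mkv"
    if len(header) >= 12 and header.startswith(b"RIFF") and header[8:12] == b"AVI ":
        return "avi"
    return None

_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")

def sanitize_basename(user_supplied: str) -> str:
    """Keep only the final path component, then reduce it to a small character allowlist."""
    base = Path(user_supplied).name            # drops any directory components the client sent
    base = _UNSAFE.sub("_", base).lstrip(".")  # no hidden files, no shell metacharacters
    return base[:64] or "upload"

def storage_name(user_supplied: str) -> str:
    """Random 128-bit prefix: the stored name cannot be guessed from the original filename,
    and it never starts with '-', so it cannot be mistaken for an ffmpeg option."""
    return f"{secrets.token_hex(16)}-{sanitize_basename(user_supplied)}"

def build_ffmpeg_argv(input_path: str, output_path: str) -> list:
    """Argument vector for subprocess.run(argv): paths are single arguments, never parsed by a shell."""
    return ["ffmpeg", "-nostdin", "-y", "-i", input_path,
            "-vn", "-acodec", "libmp3lame", "-q:a", "2", output_path]

def accept_upload(original_name: str, data: bytes, upload_dir: str) -> str:
    """Validate, rename and store an upload; returns the stored path or raises ValueError."""
    if sniff_container(data[:12]) is None:
        raise ValueError("rejected: not a recognised video container")
    path = Path(upload_dir) / storage_name(original_name)
    # O_EXCL refuses to overwrite an existing file; 0o600 keeps it readable by the worker only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return str(path)

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a minimal MP4 header, not a playable file.
    sample = b"\x00\x00\x00\x18ftypisom" + b"\x00" * 24
    stored = accept_upload("../my clip;v1.mp4", sample, tempfile.mkdtemp())
    argv = build_ffmpeg_argv(stored, stored + ".mp3")
    print("stored as", stored)
    print("would run:", argv)   # e.g. subprocess.run(argv, check=True, timeout=300)
```

The argument vector is meant to be handed to `subprocess.run(argv, check=True, timeout=...)` from a worker that runs in its own container with a read-only filesystem apart from the upload and output directories, which is the process isolation and least privilege step 8 calls for. Because the stored name is random and the sanitizer has removed every character outside the allowlist, neither the client-chosen filename nor the shell ever influences how ffmpeg is invoked.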

Common “tricks” taught by this lab (conceptual)

  • Predictable temporary file names are a liability.

  • Services that pass user input to CLI tools need defensive quoting and sandboxing.

  • Conversion services should run in isolated containers with strict capabilities (no broad filesystem or network access).

  • Always instrument and log conversion jobs: who uploaded what, where it ran, and whether it produced unexpected output.

Defensive checklist you can offer clients

  • Run media converters in containers with no extra privileges.

  • Validate file headers (magic bytes), not just extensions or content-type.

  • Use unique, unguessable filenames and object storage URLs.

  • Remove or rotate temporary files quickly; set strict permissions.

  • Monitor for anomalous file types or conversion parameters.
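The last checklist item (monitor for anomalous file types or conversion parameters) and the earlier point about instrumenting every conversion job can be demonstrated with a small policy check over job logs. This is an added example, not the room's logging or the author's code: the log format, field names, allowlists, burst threshold and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed job-log format: one line per conversion job (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) job=(?P<job>\S+) user=(?P<user>\S+) input=(?P<input>\S+) '
    r'output=(?P<output>\S+) args="(?P<args>[^"]*)" status=(?P<status>\S+)$'
)

# Policy: what a legitimate video-to-mp3 job is allowed to look like (assumed values).
ALLOWED_INPUTS = {"mp4", "mkv", "avi"}
ALLOWED_OUTPUTS = {"mp3"}
ALLOWED_ARGS = {"-vn", "-acodec", "libmp3lame", "-q:a", "2"}
BURST_LIMIT = 3                     # more than this many jobs per user ...
BURST_WINDOW = timedelta(seconds=60)  # ... within this window is flagged

def parse_line(line):
    """Return the job record as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def check_job(rec):
    """Compare one job against the policy; returns a list of finding strings (empty if clean)."""
    findings = []
    if rec["input"] not in ALLOWED_INPUTS:
        findings.append(f"unexpected input type {rec['input']}")
    if rec["output"] not in ALLOWED_OUTPUTS:
        findings.append(f"unexpected output type {rec['output']}")
    extra = set(rec["args"].split()) - ALLOWED_ARGS
    if extra:
        findings.append("unapproved ffmpeg arguments: " + " ".join(sorted(extra)))
    return findings

def analyse(lines):
    """Run every line through the policy and a per-user burst check; returns (job, message) alerts."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of jobs inside the burst window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("-", "unparseable log line: " + line.strip()))
            continue
        for finding in check_job(rec):
            alerts.append((rec["job"], finding))
        window = [t for t in recent[rec["user"]] if rec["ts"] - t <= BURST_WINDOW]
        window.append(rec["ts"])
        recent[rec["user"]] = window
        if len(window) > BURST_LIMIT:
            alerts.append((rec["job"], f"burst: {len(window)} jobs from {rec['user']} within {BURST_WINDOW.seconds}s"))
    return alerts

# Constructed sample log: two clean jobs, then one anomaly of each kind and a burst from one user.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z job=a1 user=alice input=mp4 output=mp3 args="-vn -acodec libmp3lame -q:a 2" status=ok
2024-05-01T10:00:05Z job=a2 user=bob input=avi output=mp3 args="-vn -acodec libmp3lame -q:a 2" status=ok
2024-05-01T10:01:12Z job=a3 user=bob input=txt output=mp3 args="-vn -acodec libmp3lame -q:a 2" status=error
2024-05-01T10:02:40Z job=a4 user=carol input=mp4 output=wav args="-vn -acodec libmp3lame -q:a 2" status=ok
2024-05-01T10:03:00Z job=a5 user=dave input=mkv output=mp3 args="-vn -f lavfi -acodec libmp3lame" status=ok
2024-05-01T10:04:00Z job=a6 user=eve input=mp4 output=mp3 args="-vn -acodec libmp3lame -q:a 2" status=ok
2024-05-01T10:04:10Z job=a7 user=eve input=mp4 output=mp3 args="-vn -acodec libmp3lame -q:a 2" status=ok
2024-05-01T10:04:20Z job=a8 user=eve input=mp4 output=mp3 args="-vn -acodec libmp3lame -q:a 2" status=ok
2024-05-01T10:04:30Z job=a9 user=eve input=mp4 output=mp3 args="-vn -acodec libmp3lame -q:a 2" status=ok
garbage line that does not match
"""

if __name__ == "__main__":
    for job, message in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{job}] {message}")
```

The point of the allowlists is that the service itself decides the only valid shape of a job, so anything the worker was asked to do outside that shape (a non-video input, an output format the UI never offers, an ffmpeg flag the code never emits) is a signal worth paging on, regardless of whether the job succeeded. Unparseable lines are alerted on as well, since a logging gap is exactly what an attacker would want to leave behind.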
