# SIMPLE PENETRATION TESTING ON A TRYHACKME ROOM
Hello guys, I'm alienkeric. Today we are going to do a walkthrough (pentesting) of a simple, easy machine from TryHackMe, and here is the link.

URL: https://tryhackme.com/room/gallery666
**Description**: Gallery666 is a simple boot-to-root machine which is vulnerable to SQL injection, RCE and a file upload vulnerability.
Time for work.

**STEP 1: ENUMERATION**
As we all know, enumeration is the key to pentesting and hacking, so here I'm going to scan using nmap, and at the same time I'm going to browse to the IP just to see if I can find anything while my nmap scan is running.

As we can see, we have just found two open ports: 80 and 8080.
If you browse to port 80 you will observe that it gives us the default Apache2 page.

If you view the source code there is nothing useful there, so let's move on to the next phase of enumeration, which is directory searching.
And from here we can see the gallery directory; let's take a look at it.

And it redirects us to a login page. Mhmmmm, cool, let's play with it and see if we can bypass the login page.

**STEP 2: FOOTHOLDING**
vuln1: SQL injection
In the first case I tried to check if I could bypass it with default creds such as admin:admin and admin:password, but I got nothing from these creds, so I tried SQL injection to see if I could bypass it.

The payload I have highlighted was the one which let me into the system (as admin); that was easy for sure (**admin' or 1=1#**) in both the admin username and password fields.
**STEP 3: GETTING A SHELL**
Time to snoop around and see what we can get from this admin account.

I came across this "id=2" parameter and tried to see if I could get some LFI, but I got nothing. But there is an upload section on the right-hand side; let's see if it is filtered or not. If not, there is a huge chance of getting a reverse shell.
Let's upload a reverse shell and see if we can get a shell from here.

Finally I got a shell.

The reason we got a shell from the upload section is that the site allows image uploading, but there is no restriction that only images can be uploaded; that's why I was able to exploit it through that small issue.
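As an added illustration (not code from the original walkthrough or from the room itself), here is the kind of server-side check that would have closed this hole: it accepts a file only if both the extension and the leading bytes say it is an image, and it stores the file under a name the server chooses. The allowlist, the `MAGIC` table and the function names are my own assumptions, and it assumes a Python backend rather than the room's PHP.

```python
import os
import secrets

# Added example, not code from the room: allowlist of extensions and the leading
# bytes ("magic") each image type must start with. Both are checked, because
# trusting the client-supplied extension alone is exactly the gap exploited above.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image_type(data: bytes):
    """Return the image type implied by the file's first bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename: str, data: bytes):
    """Return (True, server_chosen_name) or (False, reason).

    The client-supplied name is used only to read the extension; the stored
    name is random, so a double extension like shell.php.png never reaches disk.
    """
    base = os.path.basename(filename)          # drop any ../ path components
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed"
    ext = "jpg" if ext == "jpeg" else ext      # normalise so it matches MAGIC
    kind = sniff_image_type(data)
    if kind is None:
        return False, "content is not a recognised image"
    if kind != ext:
        return False, "extension does not match content"
    return True, f"{secrets.token_hex(8)}.{ext}"
```

On a real deployment the accepted file should also be written outside the web root (or to a directory where the server never executes scripts), since a name check alone does not stop a server from interpreting whatever lands in an executable folder.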
**STEP 4: LATERAL MOVEMENT**
**case 1:** upgrade the shell into a more interactive shell like a pro hacker

**case 2:** check for users we can interact with

As you can see from there, we have root, ubuntu and mike.
**case 3:** Try to interact with each user if possible

It seems we can't interact with the users mike and ubuntu, so let's try to find a way to log in as mike if possible.

Before I uploaded **linpeas** onto this machine, when I got a shell I saw something in /var/www/html, but I didn't take it into consideration, so it's time to take a look at every file I saw.
In this initialize.php there are some creds for MySQL, mhmmmm.

And there are the MySQL creds, so let's use them to log in to MySQL, and finally you can get some creds to log in to the system, but for now there is no use for them.

And there is the admin password hash.

Back again on mike: there is a backups file, let's see what we can get from it.

The creds I got from these accounts were not useful at this time, as I was looking for a way to log in as mike. I tried again to check the bash_history in backups and found something very useful for sure.

And finally there we have it, logged in as mike.
**STEP 5: PRIVILEGE ESCALATION**
If we run sudo -l we can see that there is a script that can be run as root without a password; let's see what is inside this script.

Checking the executables called by this script against GTFOBins, we'll see that nano can be used to spawn a shell, and since the rootkit script will be running as root, we'll have ourselves a root shell!
**how to get a shell**
1. sudo -u root /bin/bash /opt/rootkit.sh
2. Enter **read** when prompted to start nano.
3. Hit **Ctrl+R** followed by **Ctrl+X**; this will allow us to enter a single command to execute and will insert the output into the current file.
4. We don't want that, so running reset; sh 1>&0 2>&0 will open a shell for us.
5. From there we can capture the root flag!

Thank you, don't forget to leave a comment.