Gallery THM Walkthrough
Welcome to the walkthrough of the Gallery room of TryHackMe which is released recently, here is the link to the room: https://tryhackme.com/room/gallery666.
It’s an easy machine. This machine includes CMS exploitation, SQLi, CVE, and privilege escalation. I’ll give the complete process to solve this challenge, though, I would hide the flags as I want you to test and learn the concepts on your own. So without wasting your time, let’s start the challenge.
My Tryhackme Profile: technoreck
We’ll first scan the host to see what ports are open and what services they are giving:
So I found two open ports and both are http, so lets see what we can find on these ports.
I found nothing interesting on port 80 though I enumerated it, port 8080 looked quite interesting as surfing through the source code, I found that the service is having a CMS which is vulnerable and can be exploited.
I quickly searched the CMS on exploit-db for CVEs and found this:
We got two vulnerabilities, so I tried both of them, and let me tell you that you can use any of them to take a reverse shell.
1. bypass the login page using SQLi ( admin’#) as username → entering the admin panel and uploading a reverse shell code with the help of the “upload a new album” option. From # as a comment, we can infer that the DB is MySQL. Keep it in mind as we’ll need this later.
2. this is the one which I did, the one with Remote Code Execution vulnerability.
just download the python file and run it:
So it successfully did a RCE and uploaded a shell on the host. The Shell URL is given in the image.
When you’ll open the link you will see something like this:
So we can see that it is executing the whoami command and displaying www-data. So now let’s try putting a reverse shellcode in place of whoami.
you can easily create a reverse shell in the language of your choice from here: https://www.revshells.com/
So since the website was not accepting the plain code as a command, I intercepted the request in the burp suite and encoded the reverse shell payload using URL encoding:
before sending the the request, I started the listener to receive the reverse shell connection from the host.
So, here is an important thing which you should know, I first did it with netcat but I was facing a problem, in the end, to get the root flag as Netcat will not give you a stable reverse shell. I’ll discuss this once again when we will escalate our privileges. So I used pwncat for starting a listener and proceed with taking the reverse shell. To install pwncat you can refer to this https://pwncat.readthedocs.io/en/latest/installation.html.
Great! I received a reverse connection on my port 4444. So after getting a connection from the host, type sessions to see your active connection and then press CTRL+D to shift to the remote shell from your local shell.
Admin’s Password Hash
So, let’s first see if we can find the hash of the admin user. After surfing through the files in /var/www/html/gallery, I found a file initialize.php which gave me the username and the password for accessing the database.
Now if you remember, I discussed this earlier that the database is on mysql, and here it will help us connect to it.
The name of the database is gallery_db. Lets switch to this database and see what we can find in it.
BOOM! we got the hash of the admin in users table of gallery_db.
Now we need to find the user flag, but the problem is that the user.txt is mike’s property and we cannot access it unless we change our privileges to that of mike.
So, when I was going through the files in the /var directory, I found a suspicious folder with the name “backups” and in that backups, there was a folder with the name “mike_home_backup”. So I tried to see the .bash_history if I could get something interesting, and know what…hehe, I got mike’s password:
So directly changed myself to mike and got the user flag in mike’s home directory.
Now it’s time to escalate our privileges and get the root flag. first let’s check if mike is allowed to run any file with sudo permissions and found this:
So I found a file /opt/rootkit.sh which mike was allowed to run as sudo. So I first saw the code of rootkit.sh to understand what it is doing.
It will ask the user for input and perform the job according to it. So with an input of read command, it actually opened nano and since we can run rootkit.sh with root permissions, hence nano will be automatically run with root privileges.
So I quickly searched for nano on GTFObins to see vectors for privilege escalation.
So the concept is that, if I open a shell being in the nano with root privileges, then it will spawn a shell with root privileges. So what are we waiting for, lets root it…
running the file using sudo, entering the read command to open nano:
Now, ^R^X means pressing CTRL+R and then CTRL+X to execute a command in nano. So, its time to discuss that why I chose pwncat instead of netcat. If we use netcat, we will not get a stable shell and in the nano shell, we will not be able to execute ^R^X command. Hence chose pwncat to get a stable and interactive shell.
now executing the command from GTFObins to spawn a shell, annddd…
BOOOM! we are root now, so lets move to the root directory and get the root flag.
According to me, it was an easy but very nice machine to learn the basics of exploitation. I hope you enjoyed reading my blog and hope it helped you if you were stuck at any moment between the challenge.
By the way, I liked pwncat and would like to use it in future challenges.
So, this was all from my side, see you in the next blog, till then, learn hacking to hack for good!