Gallery TryHackMe Walkthrough

Hello guys, back again with another walkthrough. This time we'll be tackling Gallery from TryHackMe, a really nice beginner box that teaches SQL injection, authentication bypass, insecure file upload and finally privilege escalation. We start off with an nmap scan of the box and find a website running Simple Image Gallery version 1.0. The CMS is vulnerable to SQL injection and insecure file upload; we exploit both vulnerabilities and gain an initial shell on the system. Running linpeas, we find the password of the mike user leaked in a history file, and that password lets us log in to the system as him. Next we abuse a really crazy use of nano to get a root shell on the system. At the end we'll also create a Python script to exploit the blind SQL injection, and I'll probably submit the exploit to Exploit-DB; hope it gets accepted. Without much more to say, let's jump in.

As always we start off with an nmap scan of the box. Looking at the results below, two ports are open.

Port 80 serves the Apache default web page and port 8080 is running a website. I decided to run a directory brute force on port 80; we might get lucky and find sensitive information.

Going to port 8080, the website looks like a content management system. After some googling I discovered it is called Simple Image Gallery. Looking for exploits online, I found a way of getting remote code execution by chaining a SQL injection with a file upload.

The CMS doesn't sanitize user input on the login request, so we can inject raw SQL queries and the server will happily execute them.

To bypass authentication, all we had to do was send the payload below:

admin'-- -

This payload works because a user called admin exists in the application; otherwise it would fail.

A better payload to use would be

musyoka' or '1'='1'-- -

which always evaluates to true, letting us bypass authentication. The next step is to upload an image.

I intercepted the request with Burp Suite.

Next I copied the image link and opened it in a new tab; as you can see in the screenshot below, the file existed. If it weren't there we would have gotten a 404 Not Found.

Next I just added the cmd parameter and, looking at the screenshot below, I had remote code execution (RCE).

The remaining thing to do is get a shell on the system. I intercepted the request using Burp Suite,

created a netcat listener and submitted the reverse shell payload. Going back to my listener, I had a shell on the box.

We know the CMS is vulnerable to SQL injection, so next I tried to dump the contents of the database, but I wasn't that lucky: SQLMap kept failing with the error message that the back-end DBMS is not MySQL.

But we know the login is vulnerable to blind SQL injection, so at the end of the walkthrough we'll create a Python script that can leak the database administrator's hash.

For now we have a shell on the system. Next I upgraded my TTY and ran linpeas.

Looking through the linpeas output, we notice a password leaked through the history files.

I tried that password to escalate my privileges to the user mike and, as the screenshot below shows, it worked!!!
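As an added example (not from the walkthrough or the CMS's own code), a Python/sqlite3 stand-in for the login query that shows why the two payloads above work against string-built SQL and fail against the same query with bound parameters. The table layout and the hash values are constructed assumptions.

```python
import sqlite3

# Constructed stand-in for the CMS users table (column names and hash values are
# assumed; this is not the real Simple Image Gallery schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "constructed-hash-admin"), ("mike", "constructed-hash-mike")])
    return conn

def login_vulnerable(conn, username, password):
    """Query built by string formatting, the way the vulnerable login does.
    Returns the matched username, or None when the login fails."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(conn, username, password):
    """Same query with bound parameters: the input travels as data, so a quote
    or comment sequence inside it can never change the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# The two payloads from the walkthrough, sent in the username field.
COMMENT_PAYLOAD = "admin'-- -"                 # closes the string, comments out the password check
TAUTOLOGY_PAYLOAD = "musyoka' or '1'='1'-- -"  # always true, so the first row is returned

def demo():
    conn = make_db()
    return {
        "vuln_comment": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        "vuln_tautology": login_vulnerable(conn, TAUTOLOGY_PAYLOAD, "wrong"),
        "hard_comment": login_hardened(conn, COMMENT_PAYLOAD, "wrong"),
        "hard_tautology": login_hardened(conn, TAUTOLOGY_PAYLOAD, "wrong"),
        "hard_valid": login_hardened(conn, "mike", "constructed-hash-mike"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function logs in as admin with both payloads; the parameterized one rejects them and only accepts the real credentials.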

Running sudo -l, we see that we can run rootkit.sh as the root user without a password.

Looking through the source code, we see that if we use the read command, the script opens a file with nano.

Looking at GTFOBins, there's a way of getting a shell from nano.

So I executed the script as the root user and chose the read command.

The script dropped me into nano.

Next I pressed Ctrl+R followed by Ctrl+X and pasted the following command:

reset; sh 1>&0 2>&0

This dropped me into a shell with root access.

Sweet, we are root on the box. The only thing remaining was to read the flags.

You can now submit the flags and get the points for the machine.

Now it's time for exploit development. SQLMap didn't work, I don't know why, but the good thing is we understand how blind SQL injection works and we are good with Python.

The heart of the exploit is the following payload:

<username>' and binary password  like '%'-- -

If the username exists, the payload uses the LIKE operator to test the password hash one character at a time (binary makes the comparison case-sensitive in MySQL), so the hash can be leaked character by character.

So the script essentially performs an authentication bypass, leaks the username of the first account, then brute-forces the password hash using blind SQL injection.

Below is the result of the script.

I uploaded the exploit to my GitHub page; you can access it using the link below.
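As an added detection-side example (not part of the walkthrough or its exploit), a small Python detector run over constructed application login-log lines that flags the request shapes used above: quote-plus-comment, tautology, and the burst of LIKE probes a blind hash brute force produces. The log format and field names are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not captured from the box): one normal login, then a
# blind-SQLi hash brute force that extends the LIKE prefix one character at a time.
SAMPLE_LOG = """\
2024-05-01T10:00:00 login src=10.10.14.9 user="mike" result=ok
2024-05-01T10:00:05 login src=10.10.14.5 user="admin' and binary password like 'a%'-- -" result=fail
2024-05-01T10:00:05 login src=10.10.14.5 user="admin' and binary password like 'b%'-- -" result=fail
2024-05-01T10:00:06 login src=10.10.14.5 user="admin' and binary password like 'c%'-- -" result=ok
2024-05-01T10:00:06 login src=10.10.14.5 user="admin' and binary password like 'ca%'-- -" result=ok
2024-05-01T10:00:07 login src=10.10.14.5 user="musyoka' or '1'='1'-- -" result=ok
"""

LINE_RE = re.compile(r'^(\S+) login src=(\S+) user="(.*)" result=(\w+)$')
# Injection shapes from the walkthrough: quote then comment, quoted tautology, quoted LIKE probe.
INJECTION_RE = re.compile(r"'\s*--|'\s*or\s*'|'\s*and\s+.*like\s*'", re.IGNORECASE)

def parse(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, user, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "user": user, "result": result}

def detect(log_text, threshold=3, window_s=60):
    """Return {src: count} for sources that sent at least `threshold` injection-shaped
    usernames within any window of `window_s` seconds (a blind brute force is bursty)."""
    probes = defaultdict(list)
    for event in filter(None, map(parse, log_text.splitlines())):
        if INJECTION_RE.search(event["user"]):
            probes[event["src"]].append(event["ts"])
    alerts = {}
    for src, times in probes.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[src] = best
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```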

GitHub

Lastly

Going back a little, there was already an exploit for this on Exploit-DB. I prefer showing how it works and giving credit to the person who made it, Tagoletta (Tağmaç).

I just copied the source code to my box and executed it using the command

python3 exploit.py

It asks for a target, which I gave as

http://10.10.173.39/gallery/

After pressing enter I got a link to where exactly my shell had been uploaded.

I navigated to the link using Firefox and, as the screenshot below shows, I had remote code execution on the system.

That's it for now guys, hope you enjoyed the walkthrough. If so, clap for me down below and don't forget to follow me so you won't miss any upcoming walkthroughs.
