Gallery [ Try Hack Me ]
1. Scanning :
IP address : 10.10.234.128
Nmap Scan :
We found two open ports, 80 and 8080, both running web services.
On port 8080, the login page of a Simple Image Gallery System CMS is running.
We try to find an exploit for this gallery CMS and luckily we get one using the searchsploit tool.
- searchsploit simple gallery system
- searchsploit -x php/webapps/50198.txt
2. Exploit :
But first we need to bypass the login. We try some default credentials, but they do not work.
We try some boolean-based SQL injection on the login form and it works.
We bypass the admin login page and find an interface like this.
We enumerate the page and discover some images in the album directory, as well as the ability to upload an image to the album. I send the upload request first and then check it in Burp. I see an id parameter in the URL, and we know from the exploit write-up that the image gallery system is vulnerable to SQL injection in the id parameter. So let's use sqlmap to take advantage of it.
Save the request into galery.req and run sqlmap with `sqlmap -r galery.req`, then enumerate the database:
- sqlmap -r gallery.txt --dbs
- sqlmap -r gallery.txt -D gallery_db --tables
- sqlmap -r gallery.txt -D gallery_db -T users --dump
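Both findings above, the login bypass and the injectable id parameter, come from user input being concatenated into SQL. The following is an added example (not the CMS's code, written in Python with an in-memory SQLite table standing in for the CMS's users and images tables) that puts the vulnerable query next to the parameterised fix so the difference is visible:

```python
import sqlite3


def build_db():
    # Constructed stand-in for the gallery database; not the CMS's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE images (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')")
    conn.execute("INSERT INTO images (name) VALUES ('beach.jpg')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # User input is spliced into the SQL text, so a quote in the password
    # changes the grammar of the query instead of being compared as data.
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    # Parameterised query: the driver binds the values, so they are only
    # ever compared, never parsed as SQL.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def fetch_image(conn, raw_id):
    # Hardened handling of the URL id parameter: validate as an integer and
    # bind it, so nothing from the query string reaches the SQL text.
    try:
        image_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT name FROM images WHERE id = ?", (image_id,)).fetchone()
    return row[0] if row else None


def demo():
    conn = build_db()
    bypass = "' OR '1'='1"  # textbook boolean-based login bypass string
    return {
        "vuln_correct": login_vulnerable(conn, "admin", "correct-horse"),
        "vuln_bypass": login_vulnerable(conn, "admin", bypass),
        "fixed_correct": login_fixed(conn, "admin", "correct-horse"),
        "fixed_bypass": login_fixed(conn, "admin", bypass),
        "image_ok": fetch_image(conn, "1"),
        "image_bad": fetch_image(conn, "1 OR 1=1"),
    }
```

With the concatenated query the bypass string logs in without a valid password; with bound parameters the same string is just a wrong password, and a non-numeric id is rejected before any query runs.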
We get the admin hash, but we need to find user.txt, so we need a shell. I upload a PHP reverse shell and catch the connection with netcat.
3. Privilege Escalation :
Now that I have a shell I find the user.txt file, but I cannot access it: permission denied. A hint says that mike has permission to read this file, so let's try to find the password of the mike account.
In the /var directory there is a backup directory. It looks sensitive. I analyse it and find an account.txt. This file contains the password of the mike account.
But it shows an authentication failure. Then I enumerate more and find a hidden .bash_history file. This file contains a password. Let's use it and check.
Now we need to escalate from mike to root and find root.txt. We have a sudo permission, let's check.
Open the /opt/rootkit.sh file in the nano editor, press CTRL+R, paste the command `reset; sh 1>&0 2>&0`, press CTRL+X and press Enter.
Wah! I am root.