Gallery [TryHackMe]

1. Scanning:

IP address: 10.10.234.128

Nmap Scan:

We find two open ports, 80 and 8080, and web services are running on both of them.

On port 8080, the login page of a Simple Image Gallery System CMS is running.

We try to find an exploit for the gallery CMS and luckily we get one. We use the searchsploit tool:

  1. searchsploit simple gallery system
  2. searchsploit -x php/webapps/50198.txt

2. Exploit:

But first we need to bypass the login. We try some default credentials, but they do not work.

We try some boolean-based SQL injection and it works.

We bypass the admin login page and find an interface like this.

We enumerate the page and discover some images in the album directory, as well as the ability to upload an image to the album. I send the request first and then check it in Burp. I see an id parameter in the URL, and we know that the image gallery system is vulnerable to SQL injection in the id parameter. So let's use sqlmap to make use of it.

Save the request into galery.req.

Run sqlmap: sqlmap -r galery.req

Sqlmap:

sqlmap -r gallery.txt --dbs

sqlmap -r gallery.txt -D gallery_db --tables

sqlmap -r gallery.txt -D gallery_db -T users --dump

We get the admin hash, and we need to find user.txt, so we need a shell. I upload a PHP reverse shell and get a reverse shell in netcat.
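From the defender's side, the two steps above (sqlmap probing the id parameter, then a PHP file executed from the album upload directory) leave clear traces in the web server access log. The following is an added example, not part of the original write-up: a small Python checker run over a few constructed Apache combined-format log lines. The paths (/gallery/album.php, /gallery/uploads/) and the client addresses are assumptions for the demo, not the CMS's real layout.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined log format: client, time, request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A quote or paren followed by a boolean/UNION keyword, or an SQL comment terminator,
# inside a decoded query-string value.
SQLI_RE = re.compile(r"""['")]\s*(and|or|union|select)\b|--(\s|$)|/\*""", re.I)
# Directories that should only ever serve images; a .php hit there is a likely web shell.
UPLOAD_DIR_RE = re.compile(r"/(uploads?|albums?|images?)/[^/]*\.php", re.I)

# Constructed sample lines mimicking the traffic pattern in this walkthrough (not real box data).
SAMPLE_LOG = """\
10.10.1.5 - - [01/Jan/2022:10:00:01 +0000] "GET /gallery/album.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.1.5 - - [01/Jan/2022:10:01:02 +0000] "GET /gallery/album.php?id=1%27%20AND%201%3D1%20--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.5 (https://sqlmap.org)"
10.10.1.5 - - [01/Jan/2022:10:05:45 +0000] "GET /gallery/uploads/rev.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.1.9 - - [01/Jan/2022:10:06:00 +0000] "GET /gallery/uploads/cat.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def analyze_log(text):
    """Return one finding per suspicious request: {line, ip, rule, detail}.

    Caveat: POST bodies are not in the access log, so the boolean-based login
    bypass itself needs application-level logging to be seen; only the GET
    parameter probing and the follow-up shell access show up here.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, ua = m["ip"], m["path"], m["ua"]
        if "sqlmap" in ua.lower():  # sqlmap's default User-Agent announces itself
            findings.append({"line": n, "ip": ip, "rule": "sqlmap-user-agent", "detail": ua})
        parts = urlsplit(path)
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            for v in values:  # parse_qs already percent-decodes the value
                if SQLI_RE.search(v):
                    findings.append({"line": n, "ip": ip, "rule": "sqli-pattern", "detail": f"{key}={v}"})
        if UPLOAD_DIR_RE.search(parts.path):
            findings.append({"line": n, "ip": ip, "rule": "php-in-upload-dir", "detail": parts.path})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f)
```

The upload-directory rule is the cheap fix to verify too: a web server that refuses to execute scripts under the album directory turns the uploaded reverse shell into a harmless download.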

3. Privilege Escalation:

Now I have a shell. I find the user.txt file but cannot access it: permission denied. I have a hint that mike has permission to read this file, so let's try to find the password of the mike account.

In the var directory there is a backup directory. It looks sensitive. I analyse it and find an account.txt. This file has the password of the mike account.

But it shows an authentication failure. Then I enumerate more and find a hidden .bash_history file. This file contains a password. Let's use it and check.

Now we need to escalate from mike to root and find root.txt. We have a sudo permission; let's check.

Open the /opt/rootkit.sh file in the nano editor, press CTRL+R, paste the command "reset; sh 1>&0 2>&0", then press CTRL+X and press enter.

Wah! I am root.

shiv shankar yadav