Gallery [ Try Hack Me ]

shiv shankar yadav
Apr 28, 2022

1. Scanning :

IP address : 10.10.234.128

Nmap Scan :

We find two open ports, 80 and 8080, with web services running on both.

On port 8080, the login page of a simple image gallery CMS is running.

We try to find an exploit for the gallery CMS and luckily we find one using the searchsploit tool.

  1. searchsploit simple gallery system
  2. searchsploit -x php/webapps/50198.txt

2. Exploit :

But first we need to bypass the login. We try some default credentials, but they do not work.

We try some boolean-based SQL injection and it works.

We bypass the admin login page and find an interface like this.

We enumerate the page and discover some images in the album directory, as well as the ability to upload an image to the album. I send the request first and then check it in Burp. I see an id parameter in the URL, and we know that the image gallery system is vulnerable to SQL injection in the id parameter. So let's use sqlmap to take advantage of it.
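To show why both the login bypass above and the id parameter fall to injection, here is an added example (not code from the room or the CMS) that puts a string-built query beside its parameterised form; the table layout, the sample rows and the `correct-horse` password are constructed stand-ins, and the stored hash is a plain sha256 for brevity.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the gallery CMS tables (sample data, not the room's real schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("CREATE TABLE images (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)",
               (hashlib.sha256(b"correct-horse").hexdigest(),))
    db.execute("INSERT INTO images VALUES (1, 'cat'), (2, 'dog')")
    return db

def login_vulnerable(db, username, password):
    # String concatenation: the username is parsed as SQL, so a quote plus a
    # comment sequence cuts the password check out of the WHERE clause.
    digest = hashlib.sha256(password.encode()).hexdigest()
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{digest}'"
    return db.execute(sql).fetchone() is not None

def login_hardened(db, username, password):
    # Bound parameter: the username is data, never SQL. The hash is compared
    # in constant time in application code rather than inside the query.
    row = db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(row[0], digest)

def image_vulnerable(db, id_param):
    # The id is spliced into the query, so a condition appended to it decides
    # whether a row comes back: the signal a boolean-based technique reads.
    row = db.execute(f"SELECT title FROM images WHERE id = {id_param}").fetchone()
    return row[0] if row else None

def image_hardened(db, id_param):
    # Validate the type first, then bind it; anything non-numeric is rejected.
    image_id = int(id_param)
    row = db.execute("SELECT title FROM images WHERE id = ?", (image_id,)).fetchone()
    return row[0] if row else None
```

The hardened pair is the fix a patch for this CMS would need: bind every user-supplied value and validate the id as an integer before it reaches the query.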

Save the request into galery.req

Run sqlmap: "sqlmap -r galery.req"

Sqlmap :

sqlmap -r gallery.txt --dbs

sqlmap -r gallery.txt -D gallery_db --tables

sqlmap -r gallery.txt -D gallery_db -T users --dump

We get the admin hash, and we need to find user.txt, so we need a shell. I upload a PHP reverse shell and get a reverse shell in netcat.

3. Privilege Escalation :

Now that I have a shell, I find the user.txt file but cannot access it: permission denied. I have a hint that mike has permission to read this file, so let's try to find the password of the mike account.

In the /var directory there is a backup directory. It looks sensitive. I analyse it and find an account.txt. This file contains the password of the mike account.

But it shows authentication failure. Then I enumerate more and find a hidden .bash_history file. This file contains a password. Let's use it and check.

Now we need to escalate from mike to root and find root.txt. We have a sudo permission, let's check.

Open the "/opt/rootkit.sh" file in the nano editor, press CTRL+R, paste the "reset; sh 1>&0 2>&0" command, press CTRL+X and press enter.

Wah! I am root.


I am a certified ethical hacker (CEH) and a certified red team professional (CRTP) with a strong background in active directory and web penetration testing.