Hi there, yesterday I was about to go to sleep when I realized that THM had released another CTF-based room called Gallery, so let's see how to pwn it.
Let's perform a simple port scan, using naabu this time:
naabu --host $IP
-------------------------------------------------------------
[INF] Running CONNECT scan with non root privileges
[INF] Found 2 ports on host 10.10.252.139 (10.10.252.139)
10.10.252.139:80
10.10.252.139:8080
We can see that two ports are open, 80 and 8080 (both HTTP). Heading to port 80:
A simple Apache2 web page. Honestly, I didn't bother performing directory discovery before exploring port 8080:
And our hunch was right! We can see a Simple Image Gallery system. We could search for public exploits for this CMS, but in this writeup, just as I did, I didn't search for any, so let's do things the old way :) .
Bypassing The login
We can try a simple SQL authentication bypass payload in the login form by providing the username as: admin' or 1=1-- -;
And we are authenticated now.
Getting the Admin hash
By exploring this web app further, we can see that the album section provides an id for each album.
Here we can see that the Avatar album has an id of 1; if we change the id to 2 it shows us the "Sample Images" album. So what if we try basic SQL injection in the id parameter?
Nice, so by providing this payload: id=1'+or+1=1--+-;
it displayed all the photos to us. Now we can try to retrieve the admin hash manually, but first we need to know the number of columns returned by the query:
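To show why both payloads above work (the login bypass and the album id injection) and what the application side should look like instead, here is an added example that is not code from the room or from Simple Image Gallery: a constructed SQLite stand-in where each concatenated query sits beside its parameterized version. The table and column names are assumptions.

```python
import sqlite3

# Constructed stand-in for the gallery's database; the real Simple Image Gallery
# schema is not shown in the writeup, so table and column names are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'placeholder-hash')")
    conn.execute("CREATE TABLE albums (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO albums VALUES (?, ?)",
                     [(1, "Avatar"), (2, "Sample Images")])
    conn.commit()
    return conn

def login_concat(conn, username, password):
    """Vulnerable: input is spliced into the SQL text, so a quote closes the
    string literal and '-- ' comments out the password check entirely."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None

def login_param(conn, username, password):
    """Hardened: bound parameters are always treated as data, never as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def album_concat(conn, album_id):
    """Vulnerable: the id parameter is concatenated the same way, so
    'or 1=1' widens the WHERE clause to every row."""
    sql = f"SELECT name FROM albums WHERE id = '{album_id}'"
    return [row[0] for row in conn.execute(sql)]

def album_param(conn, album_id):
    """Hardened: reject anything that is not an integer, then bind it."""
    try:
        ident = int(album_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT name FROM albums WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (ident,))]

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "admin' or 1=1-- -", "x"))  # True: bypassed
    print(login_param(db, "admin' or 1=1-- -", "x"))   # False: rejected
    print(album_concat(db, "1' or 1=1-- -"))           # both albums
    print(album_param(db, "1' or 1=1-- -"))            # []
```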