TryHackMe — Inferno

This is a practical walkthrough of the room “Inferno” on TryHackMe. Although the room is rated medium, it felt difficult to me. It covers HTTP basic authentication, an IDE exploit and Linux privilege escalation.

This walkthrough will be fairly detailed, because I learned a couple of new things from this room, so bear with my rambling.

Enumeration

We will kick off this room with Nmap enumeration. When I ran Nmap against the target, 33 ports showed as open; only two of them are real services, the rest are a trap.

[Image: Nmap result]

SSH and HTTP are open on the target. The web page contains nothing but Dante’s poems in Italian, and there is no robots.txt either. Let’s run GoBuster to find any directories and/or pages.

[Image: GoBuster result]

Let’s visit that directory and find out.

[Image: HTTP basic auth prompt]

As you can see, there is a prompt for a username and password. We need to brute-force them using Hydra.

[Image: Hydra result]

We got the password; now provide these credentials to access the page.

[Image: authentication]

There is another authentication step; use the same credentials to access the portal.

[Image: IDE]

It’s an IDE named Codiad, and no version number is shown that we could check for vulnerabilities. However, its GitHub page shows that it is not actively maintained. Googling “codiad exploit” returns a GitHub link with RCE PoC code, which executes a system command through Codiad to get a reverse shell.

Clone the code to your Kali machine and run the command below.

[Image: RCE]

After executing the above command, it asks you to run two commands on your Kali machine to receive the reverse connection. Run both of them from a separate terminal and then confirm.

[Image: config]

Once you get a reverse connection, run the commands above to stabilise the shell.

[Image: no permission]

Permission is denied when reading the user flag (local.txt).

[Image: .dat file]

There is a .dat file in the Downloads directory; print it and copy the contents. It is hex-encoded, so we need to convert it to ASCII.

[Image: password]

We got a password from the decoded hex. Let’s log in with these credentials.

[Image: login]
[Image: user flag]
[Image: list user privileges]

There is a binary we are allowed to run with sudo. “tee” reads from standard input and writes to standard output and to files, so with sudo it can overwrite any configuration file, which lets us gain a root shell.

[Image: edit sudoers]

What we did is configure the sudoers file so that our user can run any binary with full (root) privileges.
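As the defender's counterpart to the tee rule above, here is an added example (my own, not code from the room or its author) that audits sudoers text for grants like that one; the user names and rules in SAMPLE_SUDOERS are constructed, and risky_rules treats only tee as a file-writing binary unless told otherwise.

```python
# Constructed audit example (not code from the room or its author); SAMPLE_SUDOERS is made up.
# `sudo tee` with no fixed arguments writes stdin to any root-owned file, /etc/sudoers included;
# pinning the arguments in the rule limits it to one file, and that is what this audit checks.
import posixpath
import re

SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")
# user specification line:  who  where = (as-whom)  [TAG:] cmd1, cmd2 ...
USER_SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
                       r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*")

def parse_sudoers(text: str) -> list[dict]:
    """One dict per (user, command) pair; NOPASSWD/PASSWD tags carry across a command list."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, blanks, Defaults and aliases
        if not line or line.startswith(SKIP) or not (m := USER_SPEC.match(line)):
            continue
        nopasswd = False
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while t := TAG_RE.match(cmd):  # strip leading tags, remembering NOPASSWD/PASSWD
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t.group(1), nopasswd)
                cmd = cmd[t.end():]
            parts = cmd.split()
            if not parts: continue
            rules.append({"user": m.group("who"), "nopasswd": nopasswd, "args": parts[1:],
                          "runas": (m.group("runas") or "root").split(":")[0].strip(),
                          "binary": posixpath.basename(parts[0])})
    return rules

def risky_rules(text: str, risky=("tee",)) -> list[str]:
    """Flag non-root users granted ALL, or a file-writing binary as root with no fixed args."""
    findings = []
    for r in parse_sudoers(text):
        if r["user"] == "root" or r["runas"] not in ("root", "ALL"):
            continue
        if r["binary"] == "ALL":
            findings.append(f'{r["user"]}: ALL commands as root')
        elif r["binary"] in risky and (not r["args"] or any("*" in a for a in r["args"])):
            findings.append(f'{r["user"]}: {r["binary"]} with unrestricted target file'
                            + (" (NOPASSWD)" if r["nopasswd"] else ""))
    return findings

SAMPLE_SUDOERS = """\
%sudo ALL=(ALL:ALL) ALL
alice ALL=(root) NOPASSWD: /usr/bin/tee
bob ALL=(root) /usr/bin/tee -a /var/log/app.log
"""
```

Run `risky_rules(SAMPLE_SUDOERS)` to see the bare tee grant reported while bob's pinned-argument rule passes.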

[Image: access bash]
[Image: root flag]

We got all the flags required to complete this room.
