TryHackMe — Inferno
This is a practical walkthrough of the room “Inferno” from TryHackMe. Although this room is rated medium, it felt difficult to me. It covers HTTP basic auth, an IDE exploit and Linux privilege escalation.
This walkthrough will be explanatory, because I learned a couple of new things from this room. So, don’t mind my blabbering.
Room Link: https://tryhackme.com/room/inferno
Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.
First Things First
Deploy the target machine (it may take up to 3–5 minutes to load and become accessible).
There are two ways to access the deployed target machine.
1) Use the attack box provided by TryHackMe; it comes with all the tools required for attacking.
2) Use the OpenVPN configuration file to connect your own machine (Kali Linux) to their network.
For the sake of demonstration I am using an OpenVPN connection on my Kali Linux machine. We won’t be using Metasploit for this challenge.
All of my further commands are executed as a normal user, not as root. So, if you are also not running everything as root, make sure to use sudo where a command needs elevated permissions.
There are two flags to collect to complete this room.
Enumeration
We will kick off this room with Nmap enumeration. When I ran nmap against the target, there were 33 ports open, but only two of them are legitimate; the rest are traps.
We have SSH and HTTP open on the target. Even if we visit the webpage, there’s nothing other than Dante’s poems in Italian, and there’s no robots.txt either. Let’s run GoBuster to find any directories and/or pages.
Let’s visit that directory and find out.
As you can see, there’s a pop-up asking for a username and password (HTTP basic auth). We need to crack them using Hydra.
We got the password; now provide these credentials to access the page.
There’s another authentication prompt; use the same creds to access the portal.
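The basic-auth brute force above is very loud on the server side: every guess is a request that ends in a 401, so a burst of 401s from one client, followed by a 200 on the same protected path, is the signature a defender would look for. The following is an added example (not from the original post) that runs that detection over constructed Apache combined-format log lines; the IPs, the `/protected/` path and the timestamps are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [timestamp] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample log: one client hammering a basic-auth protected path and then
# succeeding, one client that failed once and then logged in normally.
SAMPLE_LOG = [
    f'10.10.14.5 - - [12/Mar/2021:10:15:{s:02d} +0000] "GET /protected/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"'
    for s in range(0, 14, 2)
] + [
    '10.10.14.5 - dante [12/Mar/2021:10:15:15 +0000] "GET /protected/ HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [12/Mar/2021:10:16:01 +0000] "GET /protected/ HTTP/1.1" 401 381 "-" "curl/7.74.0"',
    '10.10.14.9 - admin [12/Mar/2021:10:16:04 +0000] "GET /protected/ HTTP/1.1" 200 1523 "-" "curl/7.74.0"',
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=5, window=60):
    """Flag clients with >= threshold 401s inside a sliding window of `window` seconds.

    Also records whether a flagged client later received a 2xx, which is the
    strongest hint that the guessing actually found working credentials.
    """
    failures = defaultdict(list)  # ip -> timestamps of 401s still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] == 401:
            recent = failures[ip]
            recent.append(ts)
            # Drop failures that fell out of the window (list is in log order).
            while (ts - recent[0]).total_seconds() > window:
                recent.pop(0)
            if len(recent) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(recent))
        elif 200 <= rec["status"] < 300 and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        state = "SUCCEEDED" if info["success_after"] else "ongoing"
        print(f"{ip}: {info['failures']} failed basic-auth attempts in window, {state}")
```

The threshold and window are deliberately conservative; a human mistyping a password a few times stays below five failures per minute, while a tool like Hydra produces far more than that in a second. Feeding real access logs in is just `find_bruteforce(open(path))`.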
It’s an IDE named Codiad, and no version is shown that we could check for vulnerabilities. However, its GitHub page shows that it’s not actively maintained. If we google “codiad exploit”, we get a GitHub link with RCE PoC code. This code executes a system command on Codiad to get a reverse shell.
Clone the code to your Kali machine and run the command below.
After executing the above command, it asks you to run certain commands on your Kali machine to receive the reverse connection. Run both of those commands from a different terminal and then confirm.
Note: For some weird reason the reverse connection was unstable and it was disconnecting often. IDK if it happened only to me or to everyone.
Once you get a reverse connection, run the above commands to get a stable shell.
Permission denied when trying to read the user flag (local.txt).
There’s a .dat file in the Downloads directory; print it and copy the contents. It’s in hex format, so we need to convert it to ASCII.
We got a password from the converted hex. Let’s log in using these creds.
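Instead of pasting the file contents into an online hex-to-ASCII converter, the decoding can be done locally. This is an added example, not code from the original post; the hex string is a constructed sample standing in for the room’s real .dat contents, and the helper tolerates the whitespace, line breaks and optional `0x` prefix you typically get when copying such a file out of a terminal.

```python
import string

# Constructed sample: the hex form of a made-up string, not the room's real file content.
SAMPLE_HEX = "0x5468 6973 4973 4e6f 7454 6865 5265 616c 5061 7373 0a"


def clean_hex(text: str) -> str:
    """Normalise copied hex: strip whitespace/newlines and an optional 0x prefix, then validate."""
    compact = "".join(text.split())
    if compact.lower().startswith("0x"):
        compact = compact[2:]
    if len(compact) % 2:
        raise ValueError("odd number of hex digits; a byte was probably lost while copying")
    bad = [c for c in compact if c not in string.hexdigits]
    if bad:
        raise ValueError(f"non-hex characters in input: {bad[:5]}")
    return compact


def hex_to_ascii(text: str) -> str:
    """Decode a hex dump to text. Raises on malformed hex or non-ASCII bytes."""
    return bytes.fromhex(clean_hex(text)).decode("ascii")


def looks_like_text(decoded: str) -> bool:
    """Sanity check that the result is printable rather than binary junk (wrong offset, wrong file)."""
    printable = set(string.printable)
    return bool(decoded) and all(ch in printable for ch in decoded)


if __name__ == "__main__":
    secret = hex_to_ascii(SAMPLE_HEX)
    # Files written with a trailing newline decode with one too; strip it before using the value.
    print(repr(secret.rstrip("\n")), "printable:", looks_like_text(secret))
```

The `rstrip("\n")` matters in practice: a password copied with its trailing newline will fail a login for no visible reason.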
There’s a binary we are allowed to run with sudo. “tee” reads from standard input and writes to standard output and to files. Since it runs as root, we can overwrite any configuration file and use that to gain a root shell.
So what we did is edit the sudoers file to allow our user to run any binary with full (root) privileges.
We got all the flags required to complete this room.
Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.
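The root cause of the final step is a sudoers rule that lets a low-privileged user run a file-writing binary as root; once that is allowed, the sudoers file itself is writable and the rest follows. The following is an added example (not from the original post) of the check a defender would run over a sudoers file to catch such rules before an attacker does. The sudoers content is a constructed sample, the user names are made up, and the list of file-writing binaries is a short illustrative set rather than a complete catalogue.

```python
import os
import re

# Binaries that can write arbitrary files when run as root. Short illustrative
# list for this example (assumption), not an exhaustive catalogue.
FILE_WRITING_BINARIES = {"tee", "cp", "dd", "mv", "vi", "vim", "nano"}

# Constructed sample sudoers content; not the room's real file.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
dante   ALL=(ALL) NOPASSWD: /usr/bin/tee
backup  ALL=(root) /usr/bin/rsync
alice   ALL=(ALL) NOPASSWD: /usr/bin/systemctl status nginx
"""

# user-spec line: who host=(runas[:group]) [TAG: ...] cmd1, cmd2
_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$"
)
_TAGS = {"NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "LOG_INPUT", "LOG_OUTPUT"}


def parse_rule(line):
    """Parse one user-specification line; return None for comments, Defaults and blanks."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = _RULE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    tags = set()
    # Peel off leading tag prefixes such as "NOPASSWD:" before the command list.
    while True:
        head, sep, tail = rest.partition(":")
        if sep and head.strip().upper() in _TAGS:
            tags.add(head.strip().upper())
            rest = tail.strip()
        else:
            break
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    runas = (m.group("runas") or "root").split(":")[0].strip()
    return {"who": m.group("who"), "runas": runas, "tags": tags, "commands": commands}


def audit_sudoers(text):
    """Return findings for rules that let a non-root principal write files (or run anything) as root."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["who"] == "root" or rule["runas"] not in ("ALL", "root"):
            continue
        for cmd in rule["commands"]:
            if cmd == "ALL":
                reason = "unrestricted root command access"
            else:
                binary = os.path.basename(cmd.split()[0])
                if binary not in FILE_WRITING_BINARIES:
                    continue
                reason = f"{binary} can overwrite any file as root, including /etc/sudoers"
            findings.append({
                "who": rule["who"],
                "command": cmd,
                "nopasswd": "NOPASSWD" in rule["tags"],
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        auth = "NOPASSWD" if f["nopasswd"] else "password"
        print(f'{f["who"]:8} {f["command"]:40} [{auth}] {f["reason"]}')
```

The `%sudo ALL` rule is reported as well because the script cannot know which groups are intended administrators; the point is that every finding gets a human look. A safer way to grant a limited user a file-writing capability is to restrict the rule to exact arguments (a specific destination path) or, better, to provide a purpose-built wrapper script instead of `tee`.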
Reference
https://stackoverflow.com/questions/16915260/how-to-configure-default-term-in-screen-session
https://d00mfist1.gitbooks.io/ctf/content/privilege_escalation_-_linux.html
https://www.rapidtables.com/convert/number/hex-to-ascii.html
https://github.com/WangYihang/Codiad-Remote-Code-Execute-Exploit