TryHackMe — Inferno


This is a practical walkthrough of the room “Inferno” from TryHackMe. Although this room is marked as medium level, for me it felt difficult. The room covers HTTP basic auth, an IDE exploit, and Linux privilege escalation.

This walkthrough will be explanatory, because I learned a couple of new things from this room. So, don’t mind my blabbering.

Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.

First Things First

Deploy the target machine (it might take up to 3–5 minutes to load and become accessible).
There are two ways to access the deployed target machine:
1) Use the attacker box provided by TryHackMe; it comes with all the required tools for attacking.
2) Use the OpenVPN configuration file to connect your machine (Kali Linux) to their network.
For the sake of demonstration, I am using an OpenVPN connection on my Kali Linux machine.

We won’t be using Metasploit for this challenge

All of my further commands will be executed as a normal user, not as root. So, if you’re also not running the commands as root, make sure to use sudo wherever a command needs elevated permissions.

There are two flags to collect to complete this room.

Enumeration

We will kick off this room with Nmap enumeration. When I ran Nmap on the target, there were 33 ports open; out of all of them, only two ports are legit and the rest are traps.

Nmap Result

We got SSH and HTTP ports open on the target. If we visit the webpage, there’s nothing other than Dante’s poems in Italian, and there’s no robots.txt either. Let’s run GoBuster to find any directories and/or pages.

GoBuster Result

Let’s visit that directory and find out.

HTTP Basic Auth

As you can see, there’s a pop-up for user and password. We need to crack them using Hydra.

Hydra Result

We got the password; now provide these credentials to access the page.

Authentication

There’s an authentication prompt; use the same creds to access the portal.

IDE

It’s an IDE named Codiad, and no version is shown that we could check for vulnerabilities. However, its GitHub page shows that it’s not actively maintained. If we google “codiad exploit”, we get a GitHub link with RCE PoC code. This code executes a system command on Codiad to get a reverse shell.

Clone the code to your Kali machine and run the command below.

RCE

After executing the above command, it asks you to run certain commands on your Kali machine to receive the reverse connection. Run both of those commands from different terminals and then confirm.

Config

Note: For some weird reason, the reverse connection was unstable and it was disconnecting often. IDK if it happened only to me or to everyone.

Once you get a reverse connection, run the above commands to get a stable connection.

No permission

Permission denied to read the user flag (local.txt).

.dat file

There’s a .dat file in the downloads directory; print it and copy the contents. It’s in hex format, so we need to convert it into ASCII.

Password

We got a password from the converted hex. Let’s log in using these creds.

login
user flag
List user privileges

There’s a binary available to run with sudo. “tee” reads from standard input and writes to standard output and files. Run through sudo, it writes those files as root, so we can edit any configuration file to gain a root shell.

edit sudoers

So, what we did was configure the sudoers file to let us run any binary with all (root) privileges.
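From the defender’s side, the same misconfiguration can be caught by auditing sudoers rules for file-writing binaries that may run as root. The script below is an added example, not part of the original walkthrough or the room; the sample rules, the user names and the list of binaries other than tee are assumptions constructed for illustration.

```python
import os
import re

# Binaries that write caller-supplied data to a caller-chosen path. "tee" is the
# one from this walkthrough; the rest are an assumed, non-exhaustive list.
FILE_WRITERS = {"tee", "dd", "cp", "mv", "install"}

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAG = re.compile(r"^(?:NO)?(?:PASSWD|EXEC|SETENV):\s*")

# Constructed sample sudoers content, not taken from the target machine.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
Defaults env_reset
alice   ALL=(root) NOPASSWD: /usr/bin/tee
backup  ALL=(root) /usr/bin/tee -a /var/log/backup.log
deploy  ALL=(www-data) NOPASSWD: /bin/cp
%ops    ALL=(ALL) /usr/bin/systemctl restart nginx, /bin/dd
"""

def audit_sudoers(text):
    """Return (who, command path, risk) for root-capable rules on file writers.

    Simplified parser: ignores aliases, Defaults, includes and line continuations.
    """
    findings = []
    for line in map(str.strip, text.splitlines()):
        if (not line or line[0] == "#" or line.startswith("Defaults")
                or "_Alias" in line.split()[0]):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, runas, cmds = m.groups()
        # No runas spec means root; "ALL" includes root.
        runas_users = (runas or "root").split(":")[0].replace(" ", "").split(",")
        if not {"root", "ALL"} & set(runas_users):
            continue
        for cmd in (c.strip() for c in cmds.split(",")):
            while TAG.match(cmd):
                cmd = TAG.sub("", cmd, count=1)
            parts = cmd.split()
            if parts and os.path.basename(parts[0]) in FILE_WRITERS:
                # Without pinned arguments the user picks the target file,
                # such as the sudoers file itself.
                pinned = len(parts) > 1 and "*" not in cmd
                findings.append((who, parts[0], "pinned-args" if pinned else "any-file"))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Rules reported as any-file are the ones to remove or replace with a narrowly scoped wrapper; pinned-args rules still write as root but only to the path fixed in the rule.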

access bash
root flag

We got all the flags required to complete this room.