TryHackMe Inferno Report
Inferno is a medium-difficulty room created by @mindsflee.
- Directory busting the main web app reveals an authentication-protected path. The authentication can be brute-forced with a list of possible usernames and the rockyou.txt password list.
- After authenticating, there is another login page to access Codiad. The same credentials can be used.
- A public remote code execution exploit on GitHub allows command injection and, ultimately, a reverse shell connection as the low-privileged www-data user.
- @mindsflee configured the room such that any bash shell is terminated every so often. A simple workaround gives us an uninterrupted shell.
- Lateral movement to the Dante user via SSH is possible because of a hex-encoded file containing Dante's password.
- The user flag, local.txt, is in Dante's home directory.
- Privilege escalation to root is possible due to a misconfiguration in the /etc/sudoers file, allowing Dante to run /usr/bin/tee as root. Tee can be used to append text to the end of a file, and with sudo it can append to root-owned files. To escalate, append a line to /etc/sudoers that allows Dante to run any command with sudo.
- Port 22, SSH
  - No obvious usernames or passwords to attempt a dictionary attack with.
- Port 80, HTTP
  - Main web application page.
- The other open ports are not used and contribute nothing towards exploiting the room.
Directory brute forcing with dirsearch shows the /inferno directory. Navigating there brings up a basic authentication prompt.
Thinking about possible usernames:
Use Hydra to run a dictionary attack against this authentication prompt.
The valid password is found on line 14201 in rockyou.txt.
Once authenticated, there is another login page. The same credentials can be used to login.
Once logged in, Codiad shows the files associated with the inferno web application. Playing around and trying to modify the files shows that the user role associated with Codiad cannot modify any files, just read them.
A public exploit based on a 0-day is available on Github (could not find on exploit-db): https://github.com/WangYihang/Codiad-Remote-Code-Execute-Exploit.
Try to run the exploit, but it results in an error.
So, the exploit doesn't work for me and I could not find similar experiences on the THM Discord server. Manually examining the Python source code for the exploit, and intercepting the requests it makes with proxychains and Burp Suite, I determined that the authentication header needs to be included as well. The final crafted HTTP request that successfully executes the exploit is shown below:
Make sure to follow the exploit's directions and run the two separate commands in two different terminals, and voilà: a reverse shell connection is established.
But there is one problem: every 10 seconds or so, the shell crashes and the exploit needs to be executed again to get another shell. A quick workaround is to keep spawning shells, so that when the nested shell is terminated the parent shell can spawn another one and keep the connection alive. But this is tedious and inconvenient.
To figure out why this was happening, a couple of nested shells were spawned and pspy64 was transferred to the target.
It looks like the other open ports found with Nmap are distractions and rabbit holes. And the command responsible for terminating the shell is found!
The obvious workaround is to not use bash, but instead use /bin/sh.
Now that we don't have to worry about the shell terminating constantly and re-running the exploit every 20 seconds, we can try to get the user flag and escalate to root.
But the www-data user does not have permission to read /home/dante/local.txt.
In /home/dante/Downloads there is a hidden .download.dat file. Reading it shows a string of hexadecimal characters. Decoding it shows that it is a quote from Dante's Inferno, much like the quote on the main web application page, but at the bottom of the text are credentials.
With these credentials, SSH to the target as Dante, and make sure to spawn a /bin/sh shell so that it doesn't terminate and we can work uninterrupted.
Dante can run /usr/bin/tee as root without a password using sudo. According to GTFOBins, tee run with sudo can write to or append to files as root.
To test this, try writing to a file that we can read but not normally write to: /etc/passwd.
To escalate privileges, append a line for Dante to the end of /etc/sudoers that allows Dante to run all commands with sudo.
Run /bin/sh with sudo and read the proof.txt flag. The room creator even gives us a friendly congrats!
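The sudoers rule that makes this escalation possible is exactly the kind of entry a host audit should catch before a player (or an attacker) does. The script below is an added example, not part of this writeup or the room: it parses a simplified sudoers grammar and flags rules that grant a file-write binary such as tee, or ALL commands without a password. The sudoers text is a constructed sample mirroring the room's rule, and the write-capable binaries beyond tee are assumed additions from the same class of GTFOBins file-write primitives.

```python
import re

# Binaries that can write or append to arbitrary files when run as root via sudo.
# tee is the one abused in this room; the others are assumed additions from the
# same class of GTFOBins file-write primitives.
FILE_WRITE_BINARIES = {"/usr/bin/tee", "/bin/tee", "/usr/bin/dd", "/bin/dd",
                       "/usr/bin/cp", "/bin/cp"}

# Simplified sudoers rule:  user  hosts = (runas) TAG: cmd1, cmd2
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return findings for rules granting root file writes or NOPASSWD ALL."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            binary = cmd.split()[0]
            if binary == "ALL":
                if not nopasswd:
                    continue  # password-protected ALL is the normal admin rule
                reason = "ALL commands without a password"
            elif binary in FILE_WRITE_BINARIES:
                reason = "arbitrary root file write via " + binary
            else:
                continue
            findings.append({"user": m.group("user"),
                             "runas": (m.group("runas") or "root").strip(),
                             "nopasswd": nopasswd, "command": cmd, "reason": reason})
    return findings

# Constructed sample mirroring the room's rule; not the real file from the box.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
dante   ALL=(root) NOPASSWD: /usr/bin/tee
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f["user"], "->", f["reason"])
```

Running it against the sample reports only the dante/tee rule; the root and %sudo entries are left alone because they require a password.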