{THM} Inferno
"Midway upon the journey of our life I found myself within a forest dark, For the straightforward pathway had been lost. Ah me! how hard a thing it is to say What was this forest savage, rough, and stern, Which in the very thought renews the fear."
There are 2 hash keys located on the machine (user - local.txt and root - proof.txt), can you find them and become root?
In the nine circles of Hell you will find some demons that will try to prevent your access; ignore them and move on.
As usual, I always start by scanning ports and directories.
A huge number of open ports here. Wow.. and only one directory.
Let's proceed to check this directory.
On the landing page, it prompts for credentials. Here I got stuck, because I always brute-force passwords using Burp Suite, but I couldn't intercept the request. After some reading, I learned that hydra can solve this problem.
Using this script, I managed to get the credentials. At this point, I assumed the username is admin.
Let's log in using the same credentials for both login pages.
We managed to get access as admin. Let's play around here to understand this panel.
Since we know this is Codiad, let's see whether there is any CVE or vulnerability for it. I used searchsploit to find out.
That means Codiad 2.8.4 allows remote authenticated administrators to execute arbitrary code (RCE) by uploading an executable file. Seems dangerous enough.
In the meantime, open 2 listeners, one for the RCE and another for the shell.
Weird things happened: the connection only stays up for 60 seconds. We need to make it stable as soon as possible.
It's really weird, since the daemon seems to have failed to summon and it automatically closes the connection. After struggling for 30 minutes, I managed to get a stable connection by adding screen -S bash. Thanks for the note.
Checking the /home directory, I found one user, Dante, and inside it is the flag. Unfortunately, we cannot read the flag since we are www-data.
After looking around, one suspicious file was found in /Download; it contains hex. Let's decode it.
From here we can't get the credential for dante. To note, it also terminates every 30 seconds when using ssh. I just used the shell from before and changed user. Every 60 seconds, it will kill my ssh connection (I still need to figure out how to bypass this).
Checking the sudo permissions, we found something here.
To understand more, let's read GTFOBins.
We know that tee, when run through sudo, can write data to any target file regardless of its owner. Let's exploit this by giving dante root privileges, so that dante can do ALL:
echo 'dante ALL=(ALL) NOPASSWD:ALL' | sudo /usr/bin/tee -a /etc/sudoers
This command appends an entry to sudoers so that dante doesn't need any password to run anything. To make use of it:
sudo /bin/bash -p
We managed to get the flag. Quite annoying, since this machine always terminated my shell. But this means the system's security is well implemented, killing connections on unknown ports.
Thanks for reading.
Bypass shell/bash termination using screen -S bash
Tee escalation.
Another RCE exercise.
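A defender-side check for the tee escalation above, as an added example that is not part of the original writeup: it scans sudoers text for rules that let a user run a file-writing binary such as tee as root, and for the NOPASSWD:ALL entry that the tee command appends. The function name, the short WRITE_CAPABLE list and the sample rules are constructed for illustration; the rule actually present on the target machine is not shown on this page.

```python
import os
import re

# Binaries that give an arbitrary file write when allowed through sudo.
# Short illustrative list (an assumption of this example), not exhaustive.
WRITE_CAPABLE = {"tee", "dd", "cp"}

# user  host = (runas) [TAG:] command[, command...]
RULE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"\b[A-Z_]+:\s*")  # NOPASSWD:, SETENV:, NOEXEC: ...

# Constructed sample: the last line is the entry appended in the writeup,
# the tee rule is a hypothetical stand-in for the machine's sudo permission.
SAMPLE = "\n".join([
    "# constructed sample, not taken from the target machine",
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "%sudo ALL=(ALL:ALL) ALL",
    "dante ALL=(root) NOPASSWD: /usr/bin/tee",
    "dante ALL=(ALL) NOPASSWD:ALL",
])


def audit_sudoers(text):
    """Return (line_no, user, reason) for risky user rules in sudoers text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments, includes, Defaults and alias definitions.
        if not line or line.startswith(("#", "@", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        m = RULE.match(line)
        if not m:
            continue
        user, runas, rest = m.groups()
        # No runas spec means root; otherwise take the user part before ':'.
        targets = {"root"} if runas is None else {t.strip() for t in runas.split(":")[0].split(",")}
        if not targets & {"root", "ALL"}:
            continue
        nopasswd = "NOPASSWD:" in rest
        for cmd in (c.strip() for c in TAG.sub("", rest).split(",")):
            if not cmd or cmd.startswith("!"):  # empty or negated entry
                continue
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" and nopasswd and user != "root":
                findings.append((no, user, "NOPASSWD ALL: full root without a password"))
            elif binary in WRITE_CAPABLE:
                findings.append((no, user, f"{binary} as root can write to any file"))
    return findings
```

Calling audit_sudoers(SAMPLE) flags lines 5 and 6 and leaves the stock root and %sudo rules alone; on a real host, run it over /etc/sudoers and each file in /etc/sudoers.d.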