Inferno: 1 Vulnhub Writeup (Details)

Difficulty: Easy/Intermediate

#NMAP:

  • -sV : Version Scan
  • -A : Aggressive Scan
  • -p- : Scan all ports TCP/UDP
  • -T5: Insane Speed

Ok we only have two ports open, 80 and 22 (secure shell), let's proceed with the enumeration.

#Gobuster:

I've enumerated a lot, and the only good thing I've found is this directory /inferno, now let's navigate it

it is a 401 page we are not authorized, and we need to log in, I tried to extract the photos too, I used various techniques to find at least one user, to try to bypass the page, I tried as user dante or inferno, but nothing seems work, the only thing that works is the default user: admin

#Hydra Brute-Force:

hydra -l admin -P /usr/share/wordlists/rockyou.txt -f 192.168.1.120 http-get /inferno/ -t 64

Ok now we are enabled to access the browser.

Ok re-enter your credentials. And we are in!!

Ok now i found in “Help” this is Codiad, so i found an RCE, i will link here the link

RCE: https://github.com/WangYihang/Codiad-Remote-Code-Execute-Exploit

WE are IN!

#Enumeration:

Enter in directory /home/dante/Downloads/ and finally we find an interesting file.

I used chiper-identifier to parse the string and it seems to be a Hex, let’s go and decode it.

And finally we have credentials for dante!!! For convenience, instead of doing "su dante", I used the ssh dante@IP command and went back to get a better shell.

And we got the first flag!

#Vertical Privilege Escalation:

Initially it was very complex to understand what I could do with it, I simply gave the permissions I want to my user dante, with this command I can do anything, even read do that as a user I cannot read, but the key thing is to enter root , so I gave my user every privilege! For info https://gtfobins.github.io/

Command: echo ‘dante ALL=(ALL) NOPASSWD:ALL’ | sudo tee -a /etc/sudoers

just type sudo su

AND……….

We are ROOT. In other way there is another method for root this machine.Check this link RCE https://github.com/WangYihang/Codiad-Remote-Code-Execute-Exploit.

I hope it can help you. Good luck guys

| eCPTX | C|EH Master | CompTIA Security + | eJPT |