Difficulty: Easy/Intermediate
#NMAP:
- -sV : Version Scan
- -A : Aggressive Scan
- -p- : Scan all ports TCP/UDP
- -T5: Insane Speed
Ok we only have two ports open, 80 and 22 (secure shell), let's proceed with the enumeration.
#Gobuster:
I've enumerated a lot, and the only good thing I've found is this directory /inferno, now let's navigate it
it is a 401 page we are not authorized, and we need to log in, I tried to extract the photos too, I used various techniques to find at least one user, to try to bypass the page, I tried as user dante or inferno, but nothing seems work, the only thing that works is the default user: admin
#Hydra Brute-Force:
hydra -l admin -P /usr/share/wordlists/rockyou.txt -f 192.168.1.120 http-get /inferno/ -t 64
Ok now we are enabled to access the browser.
Ok re-enter your credentials. And we are in!!
Ok now i found in “Help” this is Codiad, so i found an RCE, i will link here the link
RCE: https://github.com/WangYihang/Codiad-Remote-Code-Execute-Exploit
WE are IN!
#Enumeration:
Enter in directory /home/dante/Downloads/ and finally we find an interesting file.
I used chiper-identifier to parse the string and it seems to be a Hex, let’s go and decode it.
And finally we have credentials for dante!!! For convenience, instead of doing "su dante", I used the ssh dante@IP command and went back to get a better shell.
And we got the first flag!
#Vertical Privilege Escalation:
Initially it was very complex to understand what I could do with it, I simply gave the permissions I want to my user dante, with this command I can do anything, even read do that as a user I cannot read, but the key thing is to enter root , so I gave my user every privilege! For info https://gtfobins.github.io/
Command: echo ‘dante ALL=(ALL) NOPASSWD:ALL’ | sudo tee -a /etc/sudoers
just type sudo su
AND……….
We are ROOT. In other way there is another method for root this machine.Check this link RCE https://github.com/WangYihang/Codiad-Remote-Code-Execute-Exploit.
I hope it can help you. Good luck guys