Inferno: 1 Vulnhub Writeup (Details)

Difficulty: Easy/Intermediate


  • -sV : Version Scan
  • -A : Aggressive Scan
  • -p- : Scan all ports TCP/UDP
  • -T5 : Insane Speed

OK, we only have two ports open, 80 and 22 (secure shell). Let's proceed with the enumeration.


I've enumerated a lot, and the only good thing I've found is this directory, /inferno. Now let's navigate to it.

It is a 401 page: we are not authorized and need to log in. I tried to extract the photos too, and I used various techniques to find at least one user to try to bypass the page. I tried the users dante and inferno, but nothing seems to work; the only thing that works is the default user: admin

#Hydra Brute-Force:

hydra -l admin -P /usr/share/wordlists/rockyou.txt -f IP http-get /inferno/ -t 64

OK, now we are able to access the page in the browser.

OK, re-enter your credentials, and we are in!

OK, now I found under “Help” that this is Codiad, so I found an RCE. I will link it here
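
From the defender's side, the Hydra run above appears in the web server's access log as a burst of 401 responses on /inferno/ from one address, followed by an authenticated request. The detector below is an added example, not part of the original writeup; it assumes an Apache-style "combined" log format, and the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: Apache/nginx "combined" access log (the page does not name the server).
LINE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def detect_basic_auth_bruteforce(lines, prefix="/inferno", threshold=20,
                                 window=timedelta(seconds=60)):
    """Alert on sources sending >= threshold 401s under prefix within window,
    and record the first authenticated non-401 response that follows."""
    recent = defaultdict(deque)      # ip -> timestamps of 401s inside the window
    totals = defaultdict(int)        # ip -> all 401s seen under prefix
    alerts = {}                      # ip -> alert record
    for line in lines:
        m = LINE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue
        ip, status = m["ip"], int(m["status"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if status == 401:
            totals[ip] += 1
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:        # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "first_alert": ts, "compromised_user": None}
        elif ip in alerts and m["user"] != "-" and not alerts[ip]["compromised_user"]:
            # Apache documents %u as untrusted on a 401; on other statuses the
            # server accepted the credentials, so the guess succeeded.
            alerts[ip]["compromised_user"] = m["user"]
    return [dict(a, failures=totals[a["ip"]]) for a in alerts.values()]

def sample_log():
    """Constructed sample lines (not taken from the target machine)."""
    fmt = '{ip} - {u} [10/Jan/2021:12:00:{s:02d} +0000] "GET /inferno/ HTTP/1.1" {c} 459 "-" "-"'
    rows = [fmt.format(ip="192.0.2.10", u="admin", s=i // 10, c=401) for i in range(30)]
    rows.append(fmt.format(ip="192.0.2.10", u="admin", s=4, c=200))   # guess succeeds
    rows.insert(5, fmt.format(ip="192.0.2.20", u="-", s=0, c=401))    # normal first request
    rows.append(fmt.format(ip="192.0.2.20", u="bob", s=9, c=200))     # normal login
    return rows

if __name__ == "__main__":
    for alert in detect_basic_auth_bruteforce(sample_log()):
        print(alert)
```

An alert with a non-empty compromised_user is the case to act on first: rotate that password and rate-limit or lock out repeated failures on the protected path.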


We are in!


Enter the directory /home/dante/Downloads/ and finally we find an interesting file.

I used cipher-identifier to parse the string and it seems to be hex, so let's go and decode it.

And finally we have credentials for dante!!! For convenience, instead of doing "su dante", I used the ssh dante@IP command and went back to get a better shell.

And we got the first flag!

#Vertical Privilege Escalation:

Initially it was very complex to understand what I could do with it. I simply gave the permissions I want to my user dante. With this command I can do anything, even read what I cannot read as a user, but the key thing is to become root, so I gave my user every privilege! For info

Command: echo 'dante ALL=(ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers

Then just type sudo su


We are root. There is also another method to root this machine. Check this link: RCE

I hope it can help you. Good luck, guys




| eCPTX | C|EH Master | CompTIA Security + | eJPT |
