Midway upon the journey of our life
I found myself within a forest dark,
For the straightforward pathway had been lost.
Ah me! how hard a thing it is to say
What was this forest savage, rough, and stern,
Which in the very thought renews the fear.
Sidenote: the quote above is from Inferno, Canto I by Dante Alighieri, part of the Divine Comedy. As I read it, it is basically the same as the introduction to one of my favourite Alkaline Trio songs, I Found Away:
Midway on our life’s journey, I found myself
In dark woods, the right road lost. To tell
About those woods is hard - so tangled and rough
And savage that thinking of it now, I feel
The old fear stirring….
This box was using port spoofing and reported having 1147 open ports. Yuck. I assumed there was a website; there was.
HTTP
It doesn’t take much gobusting to find our target; the directory we want is /inferno/. It’s protected by basic authentication, but we can Hydra that:
Codiad
The site is running Codiad, a sort of in-browser IDE that I hadn’t seen before. It looks pretty neat but it’s now unmaintained and there is an exploit available.
I had to make a few changes to the exploit code to get it running, which was mostly adding the basic authentication header to the network calls; there were three of them. As an example, this is what the get_write_able_path function became:
And once the code modifications were made, we could get a shell:
Shell
After that I was on the box as www-data, and we only had one user with a home directory - dante. He’s got a file we can read:
This is a space-delimited, hex-encoded file that contains some verse, and some creds:
dante:V1rg1l10h3lpm3
SSH + Privesc
Remember the port spoofing and how I got lucky with the webserver on port 80? Well, SSH was on the standard port too, and dante had sudo access to tee. tee reads from standard input and writes to a file, so I added my favourite root2 user with the password mrcake to /etc/passwd. This is slightly different to what GTFOBins suggested, but the concept is the same. Enjoy:
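From the defender's side, the /etc/passwd change described above leaves an entry that is easy to audit for: a second UID 0 account with its hash stored directly in the file. The following check is an added example, not part of the original writeup; the sample file contents and the function name `audit_passwd` are constructed for illustration.

```python
"""Audit passwd-format text for unexpected UID 0 accounts and inline hashes."""
import sys

# Constructed sample: ordinary entries plus one appended line of the kind
# the writeup describes (UID 0, hash in the passwd file itself).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
dante:x:1000:1000:dante:/home/dante:/bin/bash
root2:$1$CONSTRUCTED$placeholderhashvalue00:0:0:root:/root:/bin/bash
"""


def audit_passwd(text):
    """Return a list of (line_number, user, reason) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        user, passwd, uid_text = fields[0], fields[1], fields[2]
        try:
            uid = int(uid_text)
        except ValueError:
            findings.append((lineno, user, "non-numeric UID"))
            continue
        if uid == 0 and user != "root":
            findings.append((lineno, user, "UID 0 account other than root"))
        if passwd == "":
            findings.append((lineno, user, "empty password field"))
        elif passwd != "x" and not passwd.startswith(("*", "!")):
            # "x" defers to /etc/shadow; "*" and "!" mark locked accounts.
            findings.append((lineno, user, "password hash stored in passwd"))
    return findings


if __name__ == "__main__":
    # Pass a path such as /etc/passwd to audit a real file; otherwise the
    # constructed sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for lineno, user, reason in audit_passwd(data):
        print(f"line {lineno}: {user}: {reason}")
```

The root cause is the sudo rule rather than the passwd entry: any sudo grant on a binary that can write arbitrary files, such as tee, is equivalent to root, so it belongs in the same review.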