TryHackMe — Inferno Write-Up

Cursemagic
Mar 1, 2021

Hi guys! Today I would like to share my write-up for the room Inferno! It is created by mindsflee from the TryHackMe platform. Without further ado, let’s get started!

Link to TryHackMe Inferno room: https://tryhackme.com/room/inferno

Nmap

Run Nmap, and we have a HUGE number of open ports.

GoBuster

Run Gobuster.

Home Page

I went to the address and saw a few lines of words and an image.

I ran them through Google Translate.

Although I am not sure if these are important.

I also ran stegoveritas on the image, but I think that the image is “normal”.

/inferno Directory

We saw /inferno from gobuster and after going to the directory, we are required to input credentials.

So we can try to use hydra to brute-force the password.

And we have it. But we have another…

After I entered the same credentials, it worked!

But after looking for any special item inside these documents, I tried to search for the name of the system.

And I found this RCE exploit.

After downloading it, I started to run it.

Reminder: Do not forget to place the credentials for the machine IP address. I did not place them and it couldn’t run.

Gonna make it fast guys. It will exit quite fast. After getting the reverse shell connection, spawn pty shell immediately. If not, just re-do the previous step and spawn pty shell again.

After that, I found a .sh file that causes the huge number of Nmap results.

I tried to modify it but failed. So, it’s time to look for another exploit.

And after a few minutes, I found something interesting in the downloads directory. And the content of download.dat seems quite suspicious, and we can copy it to CyberChef and decode it.

And we got it.

Now let's try to ssh using the obtained credentials. And we get it.

Local.txt

And we can just use the “cat” command to show the flag.

Now it's root.txt's turn.

Root.txt

Now, I run the command “sudo -l” to get anything useful.

It always disconnects, and I am not sure how to make it not disconnect. Anyway, I managed to download the tee file I found.

Yes, I know, SO MANY TRIES. I am still learning.

Now, let’s see what this tee is.

It seems tee is an executable, so I run Ghidra to look into it.

But still, few minutes wasted here. I got nothing from the tee file. And I am looking for another exploit…

And I thought of sudoers, and I think I could give it a try.

Yes, and now we try…

Yes, it works, now just the final display…

Ok, we are done!
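
A defender's check for the misconfiguration this section relies on, as an added example that is not part of the original write-up: it parses `sudo -l` output and flags rules that let a user run a file-writing tool such as tee as root. It assumes the room's `sudo -l` listed tee, which the text implies but does not show; the sample listing, the user and host names, and the tool list are constructed.

```python
import os
import re

# Tools that write caller-supplied content to a caller-chosen path. Run as root
# through sudo, any of them can rewrite /etc/sudoers or /etc/passwd.
# Illustrative list, not exhaustive.
FILE_WRITERS = {"tee", "cp", "mv", "dd", "install", "sed", "vi", "vim", "nano"}

# One rule line of `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

# Constructed sample output; "svc" and "host" are made-up names.
SAMPLE = """\
Matching Defaults entries for svc on host:
    env_reset, mail_badpass

User svc may run the following commands on host:
    (root) NOPASSWD: /usr/bin/tee
    (root) /usr/bin/systemctl status nginx, /bin/cp
    (www-data) NOPASSWD: /usr/bin/tee
    (root) NOPASSWD: /usr/bin/tee /var/log/app/audit.log
"""


def audit_sudo_listing(listing):
    """Return (command, nopasswd, args_pinned) for each root rule allowing a file writer."""
    findings = []
    for line in listing.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header or Defaults line, not a rule
        runas, tags, cmds = m.groups()
        if runas.split(":")[0].strip() not in ("root", "ALL"):
            continue  # rule does not run as root
        for cmd in cmds.split(","):
            parts = cmd.split()
            if not parts:
                continue
            # args_pinned: the rule fixes the arguments, so the write target
            # is limited to what the rule names; still worth reviewing.
            if parts[0] == "ALL" or os.path.basename(parts[0]) in FILE_WRITERS:
                findings.append((parts[0], "NOPASSWD:" in tags, len(parts) > 1))
    return findings


if __name__ == "__main__":
    for command, nopasswd, pinned in audit_sudo_listing(SAMPLE):
        print(f"{command}: nopasswd={nopasswd} args_pinned={pinned}")
```

Rules flagged with `args_pinned=False` are the ones to remove or replace first, since the user chooses the file that root writes.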

This room is pretty impressive. Although it is stated to be for newbie pentesters, it is quite hard for a beginner like me (I know, I am not a pentester. XD). This room helped me gain new knowledge of a new exploitation method which I hadn't learned before.

Thank you for reading and finishing the write-up!

###########################################

Anyone willing to provide me free coupons or vouchers is greatly appreciated!! XD

###########################################
