/var/log $ cat "Hack The Box - Irked Walkthrough"
2019-04-27 | hackthebox ctf
Enumerating Port 80
This is what we get when opening the address in our browser:
The source of the page is useless. Also bruteforcing files and directories with
gobuster doesn’t reveal something helpful:
The ‘manual’ directory contains only the expected Apache documentation:
It seems this is a dead end.
Connecting to the IRC service it seems the box runs UnrealIRCd version 126.96.36.199:
With this information we can search for possible vulnerabilities:
Especially the ‘Backdoor Command Execution’ looks promising. As described in CVE-2010-2075 there was a backdoor distributed for this particular version.
nmap comes with a handy script to check if the running instance does have it:
Exploiting the UnrealIRCd Backdoor
A detail explanaition of the backdoor can be found in the posts UnrealIRCd 188.8.131.52 backdoored, investigation and Metasploitable 2 How-to - IRC Backdoor exploitation ( Metasploit & python ). Using the described Metasploit module ‘exploit/unix/irc/unreal_ircd_3281_backdoor’ we can exploit the backdoor to gain access:
Not that we’re in we spawn a shell and look where we can find the flag. Presumably it is in the home dir of ‘djmardov’:
And indeed the user flag is there but we can’t access it. But there’s another file names
.backup which could be helpful:
We can assume that ‘steg’ is short for steganography. It seems ‘UPupDOWNdownLRlrBAbaSSss’ is the password for some data hidden inside another file. So we need to find this file. Actually the machine’s name ‘Irked’ is a hint for this.
To be honest I originally had now idea where to use the password. So after some wasted time I switched to see what else I could do within this low priv shell. And as it turned out you can go directly to root from here without getting access as ‘djmardov’ first. And this is what I did. After coming back to the box to write this I looked for some hints in the Hack The Box Forum and was finally able to figure it out. But as said you can skip this part if you like.
Getting the User Flag
The file in question is the emoticon (
irked.jpg) from the website (see above). Using
steghide with the password ‘UPupDOWNdownLRlrBAbaSSss’ we can extract a file named
pass.txt which probably contains the password for the user ‘djmardov’:
Switching to user ‘djmardov’ using the password ‘Kab6h+m+bbp2J:HG’ works. Now we can retrieve the user flag:
Also we can now ssh into the box with these credentials (‘djmardov:Kab6h+m+bbp2J:HG’). Or we can proceed with the shell we already have.
Using basic Linux methods for privilege escalation enumeration we can find the odd file
/usr/bin/viewuser which runs with root privileges:
Running it produces the following output:
I copied the file over to my Kali VM for further analysis. I’m really not good in Assembly but from what I understood the program is setting the processes UID to 0 and than executing
/tmp/listusers. I’m not sure if this is the correct understanding but it was enough to gain a root shell with just three commands:
And here’s the whole thing in action: