Dissection of ippsec’s youtube video HackTheBox - Irked (Fixed). Box includes enumeration to UnrealIRCd server, stenography and tools, SUID stickybit that leads to root escalation.
Legal Usage: The information provided by [email protected] is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risks/responsibilities.
This series of write-up will contain comprehensive write-ups of hackthebox machines. In an effort to sharpen reporting techniques and help solidify the understand and methodologies used during penetration testing.
YouTube Link: https://www.youtube.com/watch?v=OGFTM_qvtVI
Check out web-server on port 80
since it says IRC move to perform full scan of box
full nmap scan
return to web-webserver
~root - some apache servers allow this (old/not very often)
return to web-server
we get this main page. Establishing that the target is html.
return to gobuster
gives default apache page. Copywrite is 2014 which could me its old.
nmap full port scan
returned an open port of
Begin to enumerate what this port is with nmap:
port is open with UnrealIRCd.
connect to port
8067 with ncat
since using the hostname we need to edit the ‘hosts’ on our local box to reflect
edit host file:
check that hostname works with firefox and for any virtual host routing issues.
IRCd banner information grab
google “RFC IRC”
connect to IRC with ncat and pass the parameters
Search for unrealirc change log for version name
end up finding multiple vulnerabilities
metasploit backdoor command execution identified.
google “unrealirc backdoor” leads to Link: https://lwn.net/Articles/392201/ which describes exactly how the exploit works.
nutshell: Backdoor disguised to look like debug code:
moving forward without metasploit as now know how the exploit functions.
Setup tcpdump pipe to UnrealIRC
setup ping to UnrealIrc:
after connection to IRC timed out we got an execution of the ping (ICMP) that was captured on tcpdump.
from the realization that a ping can be sent via the “AB” exploit now move to create a reverse shell
setup listener & send reverse shell
reverse shell via IRC:
wait for timeout… which didn’t result in a shell.
retry but putting bash
' within the command just incase system is linked to nsh or dash
connection established and reverse shell.
print working directory
check when kernal was compiled: uname -a
check for hidden files find . -ls
quite a few permission denied. find . -ls -type f
more permission denied.
we can not read because we are not
there is a
and now we have a backup password for some stenography.
there has only been one image on this box the entire time and so now download locally
if not installed download via:
most commonly use on CTFs:
ouputted a password file and a string
SSH Attempt as djmardov
Looking for anything obvious.
return to user.txt
Enumeration with LinEnum
create local web server hosting the LinEnum
SUID files that stick out have last been modified in “2018”
exim4 = mail server viewuser = interesting prospect
Check SUID/sticky bit on
indeed this binary has the ability to run as root.
Test the functionality of
copy binary off remote box via base64
(copy to clipboard)
decode base64 locally:
-could have been opened with Ghidra or Ida Pro opting to use
strace = list all sys calls
(difficult to read)
ltrace = another sys call outputer
the system(call) uses the variable “who” with no full path included which could lead to an entry to overwrite value. Which afterword changes the SUID and executes
/tmp/listusers (target box)
change chmod to executable
which if executed launches a shell
viewusers who en turn will execute this file should launch a bash shell as root.
secondary exploit of “who” statement
what should be seen is “/usr/bin/who”
now we can edit
change chmod to executable
did not priv-esc because the “who” calls the /bin/bash before the setuid(0) in the function causing it not to be vulnerable.
don’t know who ippsec is? check him out at:
Youtube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA Twitter: https://twitter.com/ippsec