Irked – HackTheBox writeup

Exploitation Summary

Initial Exploitation

  • Vulnerability: Backdoor command execution in UnrealIRCd
  • Explanation: A malicious backdoor was added to UnrealIRCd version

Privilege Escalation

  • Vulnerability: SUID executable viewuser
  • Explanation: It executes as root and looks for another command to run, which we can exploit


nmap -p- -A -T4
TCP 22: OpenSSH 6.7p1
TCP 80: Apache 2.4.10
TCP 111: RPC #100000
TCP 6697, 8067, 65534: UnrealIRCd
TCP 48953: RPC #100024

Initial Shell Exploitation

Let’s first check out the website on port 80.


There’s only an image and some simple text talking about IRC. There are no other links and no robots.txt. I then run a gobuster scan, but it does not return any additional webpages of interest.

I then do a quick check on unrealIRCd ports 6697, 8067 and 65534 but do not find any additional information.

unrealIRCd port check

There’s not much else to look at, so I check whether there are any known vulnerabilities in UnrealIRCd.

Searchsploit unrealIRCd


There’s a Backdoor Command Execution exploit available in Metasploit for UnrealIRCd version Let’s give it a try.


use exploit/unix/irc/unreal_ircd_3281_backdoor
set rhosts
set rport 6697

metasploit setup

low shell as ircd obtained

Privilege Escalation – Part 1

Let’s do some poking around the /home folder. User ircd does not have any files of interest. But there’s a file .backup that looks interesting under user djmardov’s Documents folder:

backup file

There seems to be a password. Let’s try to log in as djmardov using the password:

login attempt

Unfortunately, that doesn’t work. Let’s examine the .backup file again. There was a sentence ‘Super elite steg backup pw’. The word steg could potentially mean the password is hidden using some steganography technique.

Recall that there is an unhappy smiley face on the website. Let’s download it and see whether any information is hidden in it, using the steghide command:


All right! We got another password. Let’s try to ssh into account djmardov:


That’s it! We get in as djmardov, and we get the user.txt!


Privilege Escalation – Part 2

After poking around the system for a while, I find a file with the SUID bit set that looks interesting. The command below looks for SUID files that are owned by root:

find / -perm -4000 -user root 2> /dev/null

The command viewuser looks interesting. Let’s try to run it:

execute viewuser

It does not give us a root account, but it shows that the execution looks for a file /tmp/listusers. Let’s copy the dash binary to that path and try again:

root shell obtained

Bingo! root shell obtained. Let’s get our root flag:

root flag
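
The same finding from the defender's side, as an added example that is not part of the original writeup: an audit that lists SUID files whose contents reference a path inside a world-writable directory, which is the pattern viewuser shows with /tmp/listusers. The function names, the list of directories and the fixture are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original writeup.
# Lists SUID files whose contents reference a path in a world-writable
# directory, the pattern viewuser shows with /tmp/listusers.
#   $1  directory tree to scan (default: /)
#   $2  numeric uid that must own the file (default: 0, root)
audit_suid_tmp_refs() {
    root=${1:-/}
    owner=${2:-0}
    # Same selection as the find command in the writeup, restricted to
    # regular files on a single filesystem.
    find "$root" -xdev -type f -perm -4000 -user "$owner" 2>/dev/null |
    while IFS= read -r f; do
        # -a reads the binary as text, -o prints only the matching paths.
        refs=$(LC_ALL=C grep -aoE '/(tmp|var/tmp|dev/shm)/[A-Za-z0-9_./-]+' "$f" 2>/dev/null |
            sort -u | tr '\n' ' ')
        if [ -n "$refs" ]; then
            printf '%s: %s\n' "$f" "${refs% }"
        fi
    done
}

# Constructed fixture: two fake "binaries" owned by the current user, both
# SUID, one of which embeds the /tmp/listusers path seen in the writeup.
# Prints the fixture directory so the caller can scan and remove it.
make_fixture() {
    d=$(mktemp -d) || return 1
    printf '\177ELF\000setuid\000/tmp/listusers\000' > "$d/viewuser"
    printf '\177ELF\000/etc/passwd\000' > "$d/benign"
    chmod 4755 "$d/viewuser" "$d/benign"
    printf '%s\n' "$d"
}
```

On a real host, call `audit_suid_tmp_refs /` as root. Each hit is a binary to review: either it should not be SUID, or the referenced path should move to a root-owned directory.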

Thank you for the box Irked, MrAgent!
