menu

HackTheBox: Irked - Writeup

  • date_range 15/05/2019 07:53 info
    sort
    htb
    label

HackTheBox: Irked was a fairly easy machine which was mostly a CTF style machine on linux with some privilege escalation.

1.1 - Scanning


I first started by doing a port scan of Irked (10.10.10.117).

nmap -sC -sV -A -oA irked-scan 10.10.10.117
Nmap scan report for 10.10.10.117
Host is up (0.029s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          50416/tcp  status
|_  100024  1          55461/udp  status

The most interesting port open is the Apache server. The web page on port 80 only has an image of a smiley face. Dirb and Nikto is used in the background to enumerate the server, but nothing useful was found.

1.2 - Web server enumeration


An image is on the web server with html text saying ("IRC is almost found"). This suggests that there may be IRC ports open. A more in-depth port scan can be done to confirm.



More in-depth port scan:

nmap -T4 -A -Pn -p- -oA nmap-scan2 10.10.10.117
Nmap scan report for 10.10.10.117
Host is up (0.030s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          50416/tcp  status
|_  100024  1          55461/udp  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
50416/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd

1.3 - UnrealIRCd enumeration


The port scan shows that UnrealIRCd is open on several ports, this is likely the point of attack. Searchsploit and metasploit is used to find possible vulnerabilities on UnrealIRCd. After doing some search an RCE exploit is found for metasploit:

UnrealIRCd 3.2.8.1 RCE exploit

2.1 - Exploitation


The exploit found is loaded up in metasploit and the rhosts is set to the targets IP address (10.10.10.117).



The exploit is successful and a reverse shell is opened!

3.1 - Post Exploitation


After doing some enumeration of the user account, a hidden file is found in the directory of the djmardov user. When viewing the contents of the file a password is revealed with the text ‘Super Elite steg backup pw’. This suggests that there is some form of steganography used.

3.2 - Steganography


The tool steghide is used to attempt to decrypt the image and find any hidden information. The password found on the .backup file is used with steghide:

A file pass.txt has retrieved from the steganography extraction which contains a password.

3.3 - Further user enumeration


The user djmardov can be used to login via SSH with the password found. Once logged more enumeration can be done to attempt to get root access.

When executing the file it shows that the file is used to test user permissions. This file appears to execute the /tmp/listusers file which can be manipulated to execute root commands.

A file inside /tmp is created called listusers and a command is added to the file via the text editor vi. Inside the file cat /root/root.txt is inputted and saved. chmod is then used to make the /tmp file executable to view the flag. The file is executed with ./usr/bin/viewuser to view the root flag.