HackTheBox: Irked - Writeup
15/05/2019 07:53
HackTheBox: Irked was a fairly easy, mostly CTF-style Linux machine with some privilege escalation.
1.1 - Scanning
I first started by doing a port scan of Irked (10.10.10.117).
The most interesting open port is the Apache server. The web page on port 80 only has an image of a smiley face. Dirb and Nikto were run in the background to enumerate the server, but nothing useful was found.
1.2 - Web server enumeration
The web server shows an image with HTML text saying "IRC is almost found". This suggests that there may be IRC ports open. A more in-depth port scan can be done to confirm.
More in-depth port scan:
1.3 - UnrealIRCd enumeration
The port scan shows that UnrealIRCd is open on several ports; this is likely the point of attack. Searchsploit and Metasploit are used to find possible vulnerabilities in UnrealIRCd. After some searching, an RCE exploit is found for Metasploit:
2.1 - Exploitation
The exploit found is loaded in Metasploit and rhosts is set to the target's IP address (10.10.10.117).
The exploit is successful and a reverse shell is opened!
3.1 - Post Exploitation
After doing some enumeration of the user account, a hidden file is found in the directory of the djmardov user. When viewing the contents of the file, a password is revealed with the text ‘Super Elite steg backup pw’. This suggests that there is some form of steganography used.
3.2 - Steganography
steghide is used to attempt to decrypt the image and find any hidden information. The password found in the .backup file is used with
pass.txt was retrieved from the steganography extraction, and it contains a password.
3.3 - Further user enumeration
djmardov can be used to log in via SSH with the password found. Once logged in, more enumeration can be done to attempt to get root access.
When executing the file it shows that the file is used to test user permissions.
This file appears to execute the /tmp/listusers file, which can be manipulated to execute root commands.
A file called listusers is created inside /tmp and a command is added to it with the text editor vi. Inside the file, cat /root/root.txt is entered and saved. chmod is then used to make the /tmp file executable to view the flag. The file is executed with ./usr/bin/viewuser to view the root flag.
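From the defender's side, the weakness in 3.3 is a privileged helper that runs a file from a directory any user can write to. The audit below is an added example, not part of the original writeup: it assumes the helper is setuid root (the writeup does not say so explicitly), the directory list and function names are illustrative, and the sample bytes are constructed.

```python
import os
import re
import stat

# Assumed list of directories any local user can write to; extend per host.
# The lookbehind stops "/home/tmp/x" from being reported as "/tmp/x".
WRITABLE_PATH = re.compile(rb"(?<![\w./-])(?:/tmp|/var/tmp|/dev/shm)/[\w.+-][\w./+-]*")

def risky_paths(blob: bytes) -> list[str]:
    """Path strings embedded in a binary that point into world-writable directories."""
    return sorted({m.group().decode("ascii") for m in WRITABLE_PATH.finditer(blob)})

def is_setuid_root(mode: int, uid: int) -> bool:
    """True for a regular file owned by root with the setuid bit set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0

def audit(root: str = "/usr/bin") -> dict[str, list[str]]:
    """Map each setuid-root file under `root` to the writable paths it references."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not is_setuid_root(st.st_mode, st.st_uid):
                    continue
                with open(path, "rb") as fh:
                    refs = risky_paths(fh.read())
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the audit
            if refs:
                findings[path] = refs
    return findings

# Constructed sample: bytes laid out like the string table of a small ELF helper.
SAMPLE = b"\x7fELF\x02\x01\x01\x00" + b"\x00setuid\x00system\x00/tmp/listusers\x00/lib/ld-linux.so.2\x00"

if __name__ == "__main__":
    print("sample:", risky_paths(SAMPLE))
    for path, refs in audit().items():
        print(f"{path}: {', '.join(refs)}")
```

A finding is resolved by pointing the helper at a root-owned path outside world-writable directories or by removing the setuid bit from the binary.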