This post documents the complete walkthrough of Irked, a retired vulnerable VM created by MrAgent, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.
Background
Irked is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan probe to establish the open ports on the host.
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.117 --rate=1000
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-01-23 01:43:12 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.117
Discovered open port 111/tcp on 10.10.10.117
Discovered open port 65534/tcp on 10.10.10.117
Discovered open port 48358/tcp on 10.10.10.117
Discovered open port 22/tcp on 10.10.10.117
Interesting. masscan finds five open ports. Let’s do one better with nmap, scanning the discovered ports.
# nmap -n -v -Pn -p22,80,111,48358,65534 -A --reason 10.10.10.117 -oN nmap.txt
...
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.10 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind syn-ack ttl 63 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 33661/udp status
|_ 100024 1 48358/tcp status
48358/tcp open status syn-ack ttl 63 1 (RPC #100024)
65534/tcp open irc syn-ack ttl 63 UnrealIRCd
Hmm. IRC? Is this what it’s about?
Remote Command Execution - UnrealIRCd 3.2.8.1
So, the IRC daemon is UnrealIRCd 3.2.8.1.
This particular version is susceptible to a remote code execution vulnerability as per EDB-ID 13853, and it’s extremely easy to exploit with nc.
Meanwhile at my nc listener…
Let’s upgrade the shell to a full TTY.
Privilege Escalation
During enumeration of ircd’s account, I notice a setuid executable. Look at the timestamp on this guy.
I ran the executable and spotted something very interesting. A setuid executable trying to run another executable that’s missing? I smell privilege escalation.
Simply echoing the following Python code to /tmp/listusers and making it executable should do the trick.
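A defender’s counterpart to the step above, added here and not part of the original write-up: a small audit that walks a tree for setuid binaries and flags any that embed a path under a world-writable directory such as /tmp, which is exactly the pattern the box’s helper shows. The post doesn’t name the setuid binary, so viewhelper and its byte contents below are a constructed stand-in.

```python
"""Audit setuid executables for hard-coded paths under world-writable dirs (the
Irked privesc: a setuid binary runs a missing file under /tmp). Added example."""
import os
import re
import stat
import tempfile

WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Printable runs that look like absolute paths, much like `strings` output.
_PATH_RE = re.compile(rb"/[A-Za-z0-9_./-]{3,}")

def risky_path_refs(blob: bytes) -> list[str]:
    """Absolute paths embedded in `blob` that sit under a world-writable dir."""
    hits: list[str] = []
    for match in _PATH_RE.finditer(blob):
        path = match.group().decode("ascii")
        if path.startswith(WORLD_WRITABLE_DIRS) and path not in hits:
            hits.append(path)
    return hits

def audit_setuid(root: str) -> dict[str, list[str]]:
    """Map each setuid regular file under `root` to the risky paths it references."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode  # lstat: do not follow symlinks
                if not (stat.S_ISREG(mode) and mode & stat.S_ISUID):
                    continue
                with open(full, "rb") as fh:
                    refs = risky_path_refs(fh.read())
            except OSError:
                continue  # unreadable or vanished file; skip it
            if refs:
                findings[full] = refs
    return findings

# Constructed stand-in for the box's setuid helper; its strings include /tmp/listusers.
SAMPLE_BINARY = b"\x7fELF" + b"\x00" * 12 + b"/usr/bin/id\x00/tmp/listusers\x00/etc/passwd\x00"

def demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as scratch:
        helper = os.path.join(scratch, "viewhelper")
        with open(helper, "wb") as fh:
            fh.write(SAMPLE_BINARY)
        os.chmod(helper, 0o4755)  # rwsr-xr-x, owned by the current user
        with open(os.path.join(scratch, "plain"), "wb") as fh:
            fh.write(SAMPLE_BINARY)  # same strings, no setuid bit: not reported
        return {os.path.basename(k): v for k, v in audit_setuid(scratch).items()}
```

Pointing audit_setuid at / on a real host gives the list of setuid programs worth rebuilding or wrapping so they never execute anything from a directory unprivileged users can write to.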
Getting user.txt and root.txt should be easy with a root shell.
Afterthought
I thought it would be interesting to share an additional observation from my enumeration of ircd’s account. I was looking for user.txt and found a text file .backup at /home/djmardov/Documents.
The content of the file .backup is as follows.
It appears that some kind of steganography is going on here. If I have to guess, I would say that something is hidden in this image and that the password is UPupDOWNdownLRlrBAbaSSss. Damn, that’s the Konami Code!
Anyways, the box doesn’t have any stego tools installed, so I enlisted the help of an online tool to do the job of unhiding, if you will.
There you have it. That must be djmardov’s password.