This post documents the complete walkthrough of Irked, a retired vulnerable VM created by MrAgent, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Background

Irked is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.117 --rate=1000

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-01-23 01:43:12 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.117
Discovered open port 111/tcp on 10.10.10.117
Discovered open port 65534/tcp on 10.10.10.117
Discovered open port 48358/tcp on 10.10.10.117
Discovered open port 22/tcp on 10.10.10.117

Interesting. masscan finds five open ports. Let’s do one better with nmap scanning the discovered ports.

# nmap -n -v -Pn -p22,80,111,48358,65534 -A --reason 10.10.10.117 -oN nmap.txt
...
PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    syn-ack ttl 63 Apache httpd 2.4.10 ((Debian))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind syn-ack ttl 63 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          33661/udp  status
|_  100024  1          48358/tcp  status
48358/tcp open  status  syn-ack ttl 63 1 (RPC #100024)
65534/tcp open  irc     syn-ack ttl 63 UnrealIRCd

Hmm. IRC? Is this what it’s about?

Remote Command Execution - UnrealIRCd 3.2.8.1

So, the IRC daemon is UnrealIRCd 3.2.8.1.

This particular version is susceptible to a remote code execution vulnerability as per EDB-ID 13853, and it’s extremely easy to exploit with nc.

Meanwhile at my nc listener…

Let’s upgrade the shell to a full TTY.

Privilege Escalation

During enumeration of ircd’s account, I notice a setuid executable. Look at the timestamp on this guy.

I ran the executable and spotted something very interesting. A setuid executable trying to run another executable that’s missing? I smell privilege escalation.

Simply echoing the following Python code to /tmp/listusers and making it executable should do the trick.

Getting user.txt and root.txt should be easy with a root shell.

:dancer:

Afterthought

I thought it was interesting to share an additional observation during my enumeration of ircd’s account. I was looking for user.txt and found a text file .backup at /home/djmardov/Documents.

The content of the file .backup is as follows.

It appears that some kind of steganography is going on here. If I have to guess, I would say that something is hidden in this image and that the password is UPupDOWNdownLRlrBAbaSSss. Damn, that’s the Konami Code!

Anyways, the box doesn’t have any stego tools installed, so I enlisted the help of an online tool to do the job of unhiding, if you will.

There you have it. That must be djmardov’s password.