Irked is a retired vulnerable VM from Hack The Box.
Let’s start with a
masscan probe to establish the open ports in the host.
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.117 --rate=1000 Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-01-23 01:43:12 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 80/tcp on 10.10.10.117 Discovered open port 111/tcp on 10.10.10.117 Discovered open port 65534/tcp on 10.10.10.117 Discovered open port 48358/tcp on 10.10.10.117 Discovered open port 22/tcp on 10.10.10.117
masscan finds five open ports. Let’s do one better with
nmap scanning the discovered ports.
# nmap -n -v -Pn -p22,80,111,48358,65534 -A --reason 10.10.10.117 -oN nmap.txt ... PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0) | ssh-hostkey: | 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA) | 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA) | 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA) |_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519) 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.10 ((Debian)) | http-methods: |_ Supported Methods: POST OPTIONS GET HEAD |_http-server-header: Apache/2.4.10 (Debian) |_http-title: Site doesn't have a title (text/html). 111/tcp open rpcbind syn-ack ttl 63 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100024 1 33661/udp status |_ 100024 1 48358/tcp status 48358/tcp open status syn-ack ttl 63 1 (RPC #100024) 65534/tcp open irc syn-ack ttl 63 UnrealIRCd
Hmm. IRC? Is this what it’s about?
Remote Command Execution - UnrealIRCd 126.96.36.199
So, the IRC daemon is UnrealIRCd 188.8.131.52.
This particular version is susceptible to a remote code executation vulnerability as per EDB-ID 13853 and it’s extremely easy to exploit with
Meanwhile at my
Let’s upgrade the shell to a full TTY.
During enumeration of
ircd’s account, I notice a
setuid executable. Look at the timestamp on this guy.
I ran the executable and spotted something very interesting. A
setuid executable trying to run another executable that’s missing? I smell privilege escalation.
echo the following Python code to
/tmp/listusers and make it executable should do the trick.
root.txt should be easy with a
I thought it was interesting to share an additional observation during my enumeration of
ircd’s account. I was looking for
user.txt and found a text file
The content of the file
.backup is as follows.
It appears that some kind of steganography is going on here. If I have to guess, I would say that something is hidden in this image and that the password is
UPupDOWNdownLRlrBAbaSSss. Damn, that’s the Konami Code!
Anyways, the box doesn’t have any stego tools installed, so I enlisted the help of an online tool to do the job of unhiding, if you will.
There you have it. That must be