HackTheBox Irked writeup

#1

Hey nullers. This is my write-up about Irked, a retired machine from HackTheBox, an awesome place to practice your infosec skills.

This is my first ever writeup so feedback is more than welcome.


I started with what I think 90% of everyone out there starts with, an nmap scan.

Visiting the website at http://10.10.10.117/ we get this content:

From the beginning we get the first clue: IRC. But my first scan wasn’t satisfying, so I looked a little deeper with nmap -p- 10.10.10.117

So there is an open irc port. The website was telling us that the irc was not working correctly, so if we connect to it, we might find something that we can take advantage of.

There I spent some time researching what a MOTD file is, but it didn’t help me. So the next step for me was to search for an IRC exploit on Metasploit (skid detected) in a desperate hope for an exploit.
After seeing the results and spending a minute or so, my brain finally started to kick in: the specific IRC version (Unreal3.2.8.1) was vulnerable to backdoor command execution.

After setting the RHOST (set RHOST 10.10.10.117) and RPORT (set RPORT 6697), I ran the exploit.

Hacker’s voice: I’m in.

After navigating through the system I found a user named “djmardov”. In his Documents file there were 2 files: user.txt and .backup. Being only able to read the backup file, I came across this result:

What I understood is that steg stands for steganography, i.e. the way of hiding data within other files. But there must exist an image for this, because most steg challenges that I’ve encountered hide data inside image files. And there was only one image available in the whole machine:

For steg challenges that require extracting information from an image with a password, I either use steghide (steghide --extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss) or I often visit this site. This time, to show something different than the classic steghide, I entered this image with the password on the website and I got djmardov’s password.

I logged in via ssh and user.txt was patiently waiting for me there.

[email protected]:~/Documents$ cat user.txt
cat user.txt
4a*********

Now on to root!

My privilege escalation skills are not that great, so for a start I use some standard commands from the 0x00sec forum. After running
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
I came across some binaries that were executed as root.

It took me quite some time to figure this out. An experienced hacker would easily recognize the binaries that stand out in a normal Linux machine.

After testing some binaries I came across the /usr/bin/viewusers. After putting it to the test I get this error.

So this particular binary was searching for the /tmp/listusers file and was executing whatever command the file contained. So the solution is to create the /tmp/listusers file and write a command that the binary will execute as root, i.e. cat /root/root.txt

After giving the permission to execute the file with chmod +x /usr/bin/viewusers I executed the binary and there’s our flag :smiley:

[email protected]:~$ echo "cat /root/root.txt" > /tmp/listusers
[email protected]:~$ chmod +x /tmp/listusers
[email protected]:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2018-11-17 13:54 (:0)
djmardov pts/1        2018-11-17 14:19 (10.10.14.23)
8d8e9*************************

I think Irked was an easy box. Nevertheless, it taught me to be patient and to read everything line by line.
Thankee

4 Likes

(fxbg) #2

Good job man, you're on your way :wink:

1 Like

(Leader & Offsec Engineer & Forum Daddy) #3

Awesome writeup man!

I really liked this box, this one really taught me to not underestimate basic privesc enumeration. As one of my first walls on a privesc for a Linux box, this root actually took me about 6 hours to complete.

I was up late at night and I finally got this root.

This is now why I always execute the binaries found with this command:

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null

3 Likes
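The SUID/SGID enumeration used in this thread, turned into a baseline audit an administrator can run to spot a binary like the one found on this box. This is an added example, not part of any post above; the function names and the baseline file (one reviewed absolute path per line) are assumptions. It also groups the two `-perm` tests in parentheses: in the command as posted, `-type f` binds only to the second test, so setgid directories are listed too.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid regular files and report the ones
# that are missing from a reviewed baseline list.

# list_privileged ROOT
# Prints every regular file under ROOT that has the setuid or setgid bit.
# The parentheses make "-type f" apply to both -perm tests; -xdev keeps the
# walk on one filesystem so /proc and network mounts are skipped.
list_privileged() {
    find "$1" -xdev -type f \( -perm -u=s -o -perm -g=s \) 2>/dev/null | sort
}

# unexpected_privileged ROOT BASELINE_FILE
# Prints the privileged files under ROOT that are not listed in
# BASELINE_FILE (hypothetical file: one absolute path per line, built from a
# clean install or from the package manager's file lists).
unexpected_privileged() {
    list_privileged "$1" | while IFS= read -r path; do
        # -x whole-line match, -F fixed string: paths are never regexes.
        grep -qxF -- "$path" "$2" || printf '%s\n' "$path"
    done
}
```

Anything this reports deserves a look at what it executes and reads, especially paths in world-writable directories such as /tmp.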