
Irked — Hack The Box [Write-up]

This was an easy Linux box that involved exploiting a malicious backdoor that had been added to the Unreal IRCD 3.2.8.1 download archive to get an initial shell, then exploiting a custom SUID binary to gain root access.

Tools used:

  • nmap
  • Metasploit

1. SCANNING & ENUMERATION

I will start with nmap and the -A parameter to enable OS detection, version detection, script scanning, and traceroute, and pipe the output to the tee command, which saves it in a file named “nmap” and also shows it on the screen.

Nmap finished, showing port 22 (FTP), port 80 (http) and port 111 (rpcbind) open.

Let’s check the web application first on port 80…

Nothing except the sentence “IRC is almost working!”, which made me suspect that an IRC service is running.

IRC: https://en.wikipedia.org/wiki/Internet_Relay_Chat

Let’s test its existence with this nmap script:

nmap -sV --script irc-unrealircd-backdoor -p 194,6660-7000 10.10.10.117

We successfully found an open IRC service on port 6697.

2. EXPLOITATION

Searching for exploits online, I found that most of them target version 3.2.8.1, and I found an exploit for it in Metasploit, so let’s try it…
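The Metasploit module works because the 3.2.8.1 archive on the download site had been replaced with a backdoored copy, as the introduction notes. The defensive counterpart is to verify every downloaded release against a checksum (or signature) obtained through a trusted channel before building or installing it. The script below is an added example, not code from the write-up or from the UnrealIRCd project; the archive file name, the archive bytes and the checksum list are constructed for illustration, and the parser reads the two-column format that `sha256sum` prints.

```python
#!/usr/bin/env python3
"""Verify a downloaded release archive against a checksum list published out of band.

Added example, not from the write-up: a backdoored copy of the Unreal IRCd
3.2.8.1 archive could only pass unnoticed because nothing compared the download
against a trusted value. File name and checksum list here are assumptions.
"""
import hashlib
import hmac
import os

# Constructed stand-ins: a fake archive body and the name an admin would look up
# in a checksum list fetched from a trusted channel (not the same mirror).
SAMPLE_ARCHIVE = b"constructed archive contents, not a real tarball\n"
SAMPLE_NAME = "Unreal3.2.8.1.tar.gz"   # assumed file name, not taken from the write-up

HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large archive does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse `sha256sum`-style lines ("<64 hex>  <name>") into {name: hex}.
    Malformed lines are rejected rather than silently skipped."""
    sums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0]) <= HEX_DIGITS:
            raise ValueError(f"malformed checksum line {lineno}: {raw!r}")
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()   # leading '*' marks binary mode in sha256sum output
    return sums


def _compare(name, actual, sums):
    """Return (ok, reason). A missing entry is a failure, never a pass."""
    expected = sums.get(name)
    if expected is None:
        return False, f"no published checksum for {name}"
    if not hmac.compare_digest(actual, expected):   # constant-time comparison
        return False, f"checksum mismatch for {name}: got {actual}, expected {expected}"
    return True, "checksum matches"


def verify_bytes(name, data, sums):
    """Verify in-memory archive bytes against the parsed checksum list."""
    return _compare(name, sha256_bytes(data), sums)


def verify_file(path, sums):
    """Verify an archive on disk; the entry is looked up by base name."""
    return _compare(os.path.basename(path), sha256_file(path), sums)


if __name__ == "__main__":
    # Build the checksum list from the constructed archive so the demo runs offline.
    sums = parse_sha256sums(f"{sha256_bytes(SAMPLE_ARCHIVE)}  {SAMPLE_NAME}\n")
    print(verify_bytes(SAMPLE_NAME, SAMPLE_ARCHIVE, sums))             # (True, 'checksum matches')
    print(verify_bytes(SAMPLE_NAME, SAMPLE_ARCHIVE + b"tampered", sums))  # (False, 'checksum mismatch ...')
```

In real use the checksum list comes from a different source than the archive (a signed release announcement or a signature file verified with the project's key); a checksum hosted next to the archive on the same mirror would have been replaced together with it.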

We successfully gained a shell and upgraded it to an interactive shell using:

python -c 'import pty;pty.spawn("/bin/bash")'

But our user can’t do anything and doesn’t even have privileges to read user.txt, so let’s try to find some way to escalate…

3. PRIVILEGE ESCALATION

After some enumeration, let’s check whether there are any SUID files we could execute as root. SUID: https://pentestlab.blog/2017/09/25/suid-executables/

find / -perm -u=s 2>/dev/null

We found /usr/bin/viewusr, which we can run as our user but which executes with root permissions. Let’s try running it…

It reported that a file called /tmp/listusers could not be found. That file lives in the tmp directory, which any user can write to, so we can create it there and write an exploit in it, which will be executed as root when we run /usr/bin/viewusr again.
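The weakness here is a root-owned SUID program that executes a file in a world-writable directory, so whoever creates that file first chooses what runs as root. The audit script below is an added example written for hosts you administer; it is not code from the write-up. It reproduces the `find / -perm -u=s` step in Python, extracts the absolute paths embedded in each SUID binary (what `strings` would show), and flags any path under /tmp, /var/tmp or /dev/shm, or whose parent directory is world-writable on the host. The `SAMPLE_BINARY` bytes are a constructed stand-in for a binary like the one on the box, not the real file.

```python
#!/usr/bin/env python3
"""Audit SUID binaries for references to files in world-writable directories.

Added example (not from the write-up): a defensive check for the weakness
class above, a root-owned SUID program that runs a file under /tmp which any
user can create.
"""
import os
import re
import stat
import sys

# Absolute paths that appear as printable strings inside a binary.
PATH_RE = re.compile(rb"/(?:[A-Za-z0-9._+-]+/)*[A-Za-z0-9._+-]+")

# Directories that are world-writable on a normal Linux install.
DEFAULT_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed stand-in for the strings of a binary like /usr/bin/viewusr; not the real file.
SAMPLE_BINARY = b"\x7fELF\x00/bin/sh\x00/tmp/listusers\x00/usr/bin/viewusr\x00"


def find_suid_files(root="/"):
    """Equivalent of `find / -perm -u=s`: regular files with the set-user-ID bit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


def embedded_paths(data):
    """Absolute paths embedded in the binary's bytes, de-duplicated and sorted."""
    return sorted({m.group(0).decode("ascii") for m in PATH_RE.finditer(data)})


def in_writable_location(path, writable_dirs=DEFAULT_WRITABLE_DIRS, check_fs=True):
    """True if `path` sits under a known world-writable directory, or (with
    check_fs) if its parent directory is world-writable on this host."""
    for d in writable_dirs:
        if path == d or path.startswith(d.rstrip("/") + "/"):
            return True
    if not check_fs:
        return False
    parent = os.path.dirname(path) or "/"
    try:
        return bool(os.stat(parent).st_mode & stat.S_IWOTH)
    except OSError:
        return False   # referenced directory does not exist here; nothing to flag


def audit_blobs(blobs, writable_dirs=DEFAULT_WRITABLE_DIRS, check_fs=True):
    """Map each named binary blob to the suspect paths it references (only blobs with findings)."""
    findings = {}
    for name, data in blobs.items():
        suspect = [p for p in embedded_paths(data)
                   if in_writable_location(p, writable_dirs, check_fs)]
        if suspect:
            findings[name] = suspect
    return findings


def audit_files(paths, **kwargs):
    """Read each file and audit it; unreadable files are skipped."""
    blobs = {}
    for p in paths:
        try:
            with open(p, "rb") as fh:
                blobs[p] = fh.read()
        except OSError:
            continue
    return audit_blobs(blobs, **kwargs)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for binary, paths in audit_files(find_suid_files(root)).items():
        print(f"{binary}: references {', '.join(paths)}")
```

A hit means the program's behaviour depends on a file any local user can create, so the fix is either to drop the SUID bit or to move the referenced file somewhere only root can write. Scanning for strings will miss paths built at run time, so treat a clean result as a first pass, not a proof.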

BOOOOOOOOOOOOOOOOOOOOM!!!!! Now we are root :D

Thank you so much for reading, and I hope you learned a lot, as I did ❤

0x3ashry

This post is licensed under CC BY 4.0 by the author.