Today, we’re going to solve another CTF machine, “Irked”. It is now a retired box and is accessible to VIP members.

Specifications

  • Target OS: Linux
  • IP Address: 10.10.10.117
  • Difficulty: Easy

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is reconnaissance, starting with port scanning.

Port Scanning

During this step we’re going to identify what is running behind the IP address.

Enumeration

Let’s browse to the URL http://10.10.10.117/

If we take a look at view-source:http://10.10.10.117/ we find nothing but an image.

Steganography

Let’s wget irked.jpg and check the image for hidden information.

If we try to extract information with steghide, it requires a password, which is odd.

Let’s keep this aside for now and move ahead.

Exploitation

The nmap scan reveals that UnrealIRCd is installed; let’s find out which version it is. We can connect to IRC using HexChat and see the response.

It revealed version 3.2.8.1 of UnrealIRCd.

Let’s run searchsploit unrealircd and see if there’s any exploit available for this version.

We have a bunch of exploits; let’s test them.

Metasploit

Let’s fire up msfconsole and search for unreal.

Now let’s exploit and see the magic.

We have a restricted shell; let’s upgrade our shell using Python.

python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

We found the user.txt flag inside /home/djmardov/Documents but don’t have permission to read it.

To read the flag we have to get a shell as the djmardov user, but if you take a look at the .backup file, we do have read permission on it.

It says steg backup password. Since we found the irked.jpg image and it was password protected, we can try extracting information using this password.

Steghide extracted a pass.txt file successfully and it contains another password.

Kab6h+m+bbp2J:HG

We can assume that it’s the SSH password for djmardov because the SSH port was open. Let’s try our luck.

Now we can successfully read the user.txt flag.

Privilege Escalation

We can use scripts to find odd things or we could just enumerate manually.

Let’s get started!

Let’s find which services and applications are running, and look for anything interesting.

Let’s find SUID files.

OR

The file /usr/bin/viewuser seems odd because it was recently modified.

Now if we execute /usr/bin/viewuser, it will run our /tmp/listusers and open a shell as root, because viewuser is executed as root.

And we got the root flag.
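
The two things that made /usr/bin/viewuser stand out above (a setuid file that was recently modified, and one that runs a file from /tmp) can be checked for on your own hosts. This is an added example, not part of the original write-up; the function name audit_suid, the 30-day default and the list of world-writable directories are assumptions.

```shell
#!/bin/sh
# Added example (not from the original write-up).
# audit_suid DIR [DAYS]
# Prints one line per finding for every setuid file under DIR:
#   RECENT <path>              file was modified within DAYS days (default 30)
#   WRITABLE-REF <path> <ref>  file embeds a path under /tmp, /var/tmp or /dev/shm,
#                              i.e. a location any local user can write to
# Usage on a real host: audit_suid /usr/bin 30
audit_suid() {
    dir=$1
    days=${2:-30}
    find "$dir" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        # Signal 1: a setuid file that changed recently deserves a second look.
        if [ -n "$(find "$f" -mtime "-$days" 2>/dev/null)" ]; then
            printf 'RECENT %s\n' "$f"
        fi
        # Signal 2: a privileged program that refers to a file in a
        # world-writable directory lets an unprivileged user control what it runs.
        # grep -a treats the binary as text; -o prints only the matched path.
        grep -a -o -E '/(tmp|var/tmp|dev/shm)/[A-Za-z0-9._/-]+' "$f" 2>/dev/null |
        sort -u |
        while IFS= read -r ref; do
            printf 'WRITABLE-REF %s %s\n' "$f" "$ref"
        done
    done
}
```

A WRITABLE-REF hit on a setuid file should be fixed by removing the setuid bit or by having the program use a root-owned path that other users cannot write to.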