Hacker lair Welcome to my blog where I write about Threat Hunting, Pentesting and Cybersecurity in general.

HTB Irked Linux

Forensic knowledge is needed for user; for root, pulling apart the SUID binary is paramount!

Recon

Nmap scan

Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-06 14:21 EST
Nmap scan report for 10.10.10.117
Host is up (0.020s latency).
PORT STATE SERVICE VERSION
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
55581/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Service Info: Host: irked.htb
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-06 16:05 EST
Nmap scan report for 10.10.10.117
Host is up (0.026s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind

Exploitation UnrealIRCd-3.2.8.1-Backdoor

The machine is running UnrealIRCd 3.2.8.1 on ports 6697, 8067 and 65534. That release is the one whose source tarball was trojaned on the project mirrors between late 2009 and mid-2010 (CVE-2010-2075): any line beginning with "AB" is handed to system(), so an unauthenticated client gets command execution as the ircd user. Nmap ships a check for it (--script irc-unrealircd-backdoor); here we simply search for a public exploit and download the following Python script: https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor/blob/master/exploit.py

We set the target IP, port and reverse-shell payload in the script, start a listener, run it and get a shell as the ircd user.

We download and run LinuxEnum.sh and spot useful information in the user's .bash_history. Following it, we locate a .backup file with the following contents:

Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

I tried using the password to switch to the root and djmardov accounts, but no luck. Upon reading the .backup file again, I noticed the words "Steg pw", which hinted at a possible steganography file. I downloaded the image irked.jpg from the website, ran it through steghide and got a pass.txt file:

steghide --extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
cat pass.txt
Kab6h+m+bbp2J:HG

Success!

Privilege Escalation

We use the extracted password to log in as djmardov (SSH on port 22 is open).

We enumerate again using linuxenum.sh and notice an uncommon SUID root binary called viewuser in /usr/bin.

Running the binary prints the following:

This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2019-11-06 14:12 (:0)
djmardov pts/1 2019-11-06 16:42 (10.10.14.25)

The phrase "set and test user permissions" seems interesting, so we copy the binary to our Kali machine for further investigation. A copy is also the practical choice: tracing a setuid binary in place would run it without its privileges anyway.

base64 -w0 /usr/bin/viewuser

We paste the encoded content into a file named viewuser.b64 on our machine, decode it and trace its library calls with ltrace (ltrace records the libc calls the program makes; it is not a disassembler, but for a binary this small it tells us everything we need):

base64 -d viewuser.b64 > viewuser
chmod +x viewuser
ltrace ./viewuser

The trace shows the binary calling setuid(0) and then executing /tmp/listusers. That is the whole bug: a root-setuid program runs a file from a world-writable directory, and the file does not even exist yet, so any user can create it. We create /tmp/listusers containing a call to /bin/bash, save it, chmod +x it and run viewuser once more to get a root shell.

FLAGS

ROOT "8d8e9e8be64654b6dccc3bff4522daf3" 
USER "4a66a78b12dc0e661a59d3f5c0267a8e"