HackTheBox “Irked” Walkthrough

Abdullah Kareem
4 min read · Jul 15, 2023


Irked is an easy-level Linux machine on HackTheBox. Initial access comes from exploiting a known vulnerability that lets us download and execute a remote file on the target. Privilege escalation then relies on steganography to move to the “djmardov” user, and root is finally obtained by exploiting a custom SUID binary, “viewuser”.

Let’s get started! 🚀

Recon & Enumeration

Let’s run a full nmap scan of the target for open ports and services:

Visit the target on port 80.

It shows only a single image, irked.jpg.

The nmap scan also showed that the target is running UnrealIRCd, an IRC (Internet Relay Chat) server. IRC is a protocol commonly used to build chat clients and servers.

Let’s check what searchsploit has for UnrealIRCd.

With some more research:

Exploitation:

We find a different version (linked here) of the exploit we found on searchsploit, 13853.pl, which did not work well for us here.

Reviewing the script, a few parameters need to be modified: the target port, and the attacker’s IP and port. The target port was changed from 6697 to 8067, since the original setting did not work in this scenario.

Next, start a listener on our attack box.

Run the script.

Back to our listener.

We get a shell.

Privilege Escalation:

Navigating to the documents folder, we find a hidden file, “backup”, containing what looks like a steganography passphrase, apparently related to the irked.jpg image served on port 80 of the target.

Navigate back to the directory containing the image file “irked.jpg” and initiate an HTTP server.

Download the image file.

The passphrase is used with the steghide tool to extract the hidden data from the image, entering the passphrase below when prompted.

UPupDOWNdownLRlrBAbaSSss

The pass.txt file is extracted successfully and contains another passphrase:

Kab6h+m+bbp2J:HG

Since the user “djmardov” exists on the target, we try to SSH in as that user with the password above.

To enumerate available SUID binaries/commands, execute the following command:

find / -perm -u=s -type f 2>/dev/null

Let’s check /usr/bin/viewuser.

Running the program shows that it is meant to set up user permissions for testing. However, the “listusers” file it expects is not present in the “/tmp” directory, so the program fails because it cannot read the missing “listusers” file.

To exploit this, write a script containing “su root” and save it as “listusers” in the “/tmp” directory. Running the “viewuser” command then executes the newly created script.

And we get a root shell.

Cheers.
