HackTheBox: Irked Write-Up

b1tsec
6 min read · Aug 4, 2021


Figure 1: Irked info card

Irked is an easy-rated Linux machine on the reputable penetration testing platform known as HackTheBox. The ultimate goal is to compromise this machine and gain root privileged access. In the write-up below I explain the steps I took to successfully gain root access to this machine. This one falls in the category of TJNull’s HackTheBox OSCP-like machines. So if you’re planning on taking the OSCP like me, this machine is good practice. The whole list of OSCP-like machines can be found here.

As always, let’s start with an Nmap scan. First I scan all TCP ports in verbose mode so that open ports show up quickly; after that I run a detailed scan against only the ports found to be open. The result of the Nmap scan is pictured below.

Figure 2: Nmap results

The results show there are a couple of ports open:

  • Port 22 is running OpenSSH 6.7p1
  • Port 80 is running Apache httpd 2.4.10
  • Port 111 is running rpcbind 2-4
  • Port 6697 is running UnrealIRCd
  • Port 8067 is running UnrealIRCd
  • Port 46279 is an RPC service (reported by rpcbind)
  • Port 65534 is also running UnrealIRCd

As always let’s check out what’s running on port 80. After navigating to the website we are greeted by the page pictured below.

Figure 3: Index of port 80

What caught my attention is the “IRC is almost working!” message at the bottom of the page. Let’s dig a little deeper into IRC, since several IRC ports showed up as open in our Nmap scan. I don’t have a lot of experience with IRC, so I went to the following page to read up on IRC and how we can tinker with it: https://book.hacktricks.xyz/pentesting/pentesting-irc. Below is a short description of IRC quoted from that page.

Basic information about IRC

IRC was originally a plain text protocol (although later extended), which on request was assigned port 194/TCP by IANA. However, the de facto standard has always been to run IRC on 6667/TCP and nearby port numbers (for example TCP ports 6660–6669, 7000) to avoid having to run the IRCd software with root privileges.

Connecting to a server requires merely a nickname. Once a connection is established, the first thing the server does is a reverse DNS lookup of your IP:

Figure 4: Connecting to an IRC port

It seems that overall there are two kinds of users: operators and ordinary users. Logging in as an operator requires a username and a password (and on many occasions a particular hostname, IP and even a particular hostmask). Within operators there are different privilege levels, wherein the administrator has the highest privilege.

The important thing to note here is that once you connect to an IRC service, it performs a reverse DNS lookup on your IP address. I immediately added an entry to my /etc/hosts file, which is pictured below.

Figure 5: Hosts file entries

The next thing to note is that we need to specify a nickname when connecting to the IRC service. Since we don’t have a username yet, we can simply try an arbitrary one to see whether we can connect, and it turns out we can. We registered with the two commands “NICK b1tsec” and “USER b1tsec 8 * :b1tsec”. Pictured below is our connection to the service.

Figure 6: Connecting to the IRC service

As we can see, the server discloses its software version to us: “Your host is irked.htb, running version Unreal 3.2.8.1.”. Are there any publicly available exploits for this particular version? A quick searchsploit reveals the following information:

Figure 7: Searchsploit command results

It seems like there are multiple vulnerabilities in version 3.2.8.1 of UnrealIRCd. The one that’s of interest to us is the “Backdoor Command Execution” vulnerability. After a quick Google search I found the following article with information about the vulnerability and how to exploit it: https://metalkey.github.io/unrealircd-3281-backdoor-command-execution.html. It basically boils down to the fact that this version of UnrealIRCd contains a backdoor that is triggered upon entering “AB;”. According to the metalkey article we can generate a payload using msfvenom, so let’s do that first.
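From a defender’s side, the two facts in the last few paragraphs, that the server announces its version in the RPL_YOURHOST (002) reply and that the backdoor is triggered by a line starting with “AB;”, are exactly what a detection rule over captured IRC traffic keys on. The following is an added example (not code from the write-up, UnrealIRCd or the metalkey article): a small RFC 1459 message parser plus a session analyser that reports the announced version and flags client lines beginning with the trigger string. The session text, its “C>”/“S>” direction markers and the welcome/NOTICE lines are constructed for the example; the host name and version string are the ones shown in Figure 6.

```python
"""Added example (not code from the write-up): parse a captured IRC session
and report (a) the server software version announced in the RPL_YOURHOST
(numeric 002) reply and (b) client lines beginning with "AB;", the string the
write-up names as the UnrealIRCd 3.2.8.1 backdoor trigger.
The session text, its "C>"/"S>" direction markers and the welcome/NOTICE lines
are constructed; the host name and version string are the ones in Figure 6."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed session log. "C>" = client to server, "S>" = server to client.
SAMPLE_SESSION = """\
C> NICK b1tsec
C> USER b1tsec 8 * :b1tsec
S> :irked.htb NOTICE AUTH :*** Looking up your hostname...
S> :irked.htb 001 b1tsec :Welcome to the IRC Network b1tsec
S> :irked.htb 002 b1tsec :Your host is irked.htb, running version Unreal 3.2.8.1.
C> AB;
C> PRIVMSG #chan :hello
"""


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str] = field(default_factory=list)


def parse_irc_line(line: str) -> IrcMessage:
    """Split one RFC 1459 line: [':'prefix SP] command {SP param} [SP ':' trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:                      # empty or malformed line: no command
        return IrcMessage(prefix, "", [])
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, command, params)


# RPL_YOURHOST ends in "running version <software>", possibly with a trailing period.
VERSION_RE = re.compile(r"running version (.+?)\.?\s*$")


def server_version(msg: IrcMessage) -> Optional[str]:
    """Version string from RPL_YOURHOST (002), e.g. 'Unreal 3.2.8.1'; None otherwise."""
    if msg.command != "002" or not msg.params:
        return None
    m = VERSION_RE.search(msg.params[-1])
    return m.group(1) if m else None


BACKDOOR_TRIGGER = "AB;"   # trigger string named in the write-up


def analyze_session(text: str) -> dict:
    """Return the announced server version and the line numbers of every
    client-to-server line that starts with the backdoor trigger."""
    findings = {"server_version": None, "backdoor_attempts": []}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        direction, _, payload = raw.partition(" ")
        if direction == "S>":
            version = server_version(parse_irc_line(payload))
            if version:
                findings["server_version"] = version
        elif direction == "C>" and payload.startswith(BACKDOOR_TRIGGER):
            findings["backdoor_attempts"].append(lineno)
    return findings


if __name__ == "__main__":
    print(analyze_session(SAMPLE_SESSION))
```

Run against the constructed session it reports the version “Unreal 3.2.8.1” and flags line 6. The same two checks are what an inventory scan of your own IRC servers (version) and an IDS signature on port 6667/6697 traffic (trigger prefix) would implement.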

Figure 8: Generating a BIND shell payload

This payload opens a listening port on the vulnerable server hosting the IRC service; once that port is open we connect to it from our machine and can execute commands. Let’s give it a try, starting by executing our bind shell payload against the IRC service.

Figure 9: Executing our payload

Let’s check whether we can connect to the port we opened, 4444. We use netcat for this.

Figure 10: Code execution

That worked: pictured above we can see that port 4444 is indeed open on the vulnerable server and we can execute commands. First let’s upgrade our shell, then continue towards root. After some digging around I found a non-standard SUID binary located at “/usr/bin/viewuser”. You can quickly list SUID binaries on a Linux system with the following command: “find / -perm -u=s 2>/dev/null”.

Figure 11: SUID binaries
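The find command above is also the core of a routine SUID audit: enumerate set-uid files and compare them with what the distribution is expected to ship, so a stray binary such as /usr/bin/viewuser stands out. The following is an added example (not code from the write-up) doing that in Python. The fixture tree, the baseline list and the file layout are constructed for the example; only the /usr/bin/viewuser path comes from the write-up.

```python
"""Added example (not code from the write-up): enumerate set-uid files under a
directory tree, like `find / -perm -u=s 2>/dev/null`, and report any that are
not in a baseline of expected SUID programs. The fixture tree and the baseline
are constructed for this example; /usr/bin/viewuser is the write-up's binary."""
import os
import stat
import tempfile
from typing import Iterable, List


def find_suid(root: str) -> List[str]:
    """Sorted root-relative paths of regular files under root with the set-uid bit."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)        # lstat: do not follow symlinks, like find
            except OSError:
                continue                   # unreadable entries skipped, like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(os.path.relpath(full, root))
    return sorted(found)


def unexpected_suid(root: str, baseline: Iterable[str]) -> List[str]:
    """SUID files present on disk but absent from the baseline: the ones to investigate."""
    expected = set(baseline)
    return [p for p in find_suid(root) if p not in expected]


# Constructed baseline: a subset of set-uid programs a stock install ships.
BASELINE = ["usr/bin/passwd", "usr/bin/sudo", "bin/su"]


def build_fixture() -> str:
    """Create a throwaway tree (constructed) with three baseline SUID files, one
    rogue SUID file and one ordinary executable; return its root directory."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    layout = {
        "usr/bin/passwd": 0o4755,
        "usr/bin/sudo": 0o4755,
        "bin/su": 0o4755,
        "usr/bin/viewuser": 0o4755,   # the non-standard binary from the write-up
        "usr/bin/ls": 0o755,          # executable but not set-uid
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    fixture_root = build_fixture()
    print("all SUID:", find_suid(fixture_root))
    print("unexpected:", unexpected_suid(fixture_root, BASELINE))
```

On a real host you would run `find_suid("/")` as root and keep the baseline from a freshly installed reference system; anything the diff reports, like the write-up’s viewuser, warrants a closer look.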

Let’s check out some more information on that particular binary.

Figure 12: Viewuser binary

Viewing the permissions on this binary confirms that the SUID bit is indeed set. The binary is owned by root and executable by all other users, which means every user on the system can run it with root privileges. Let’s run it to see what it does.

Figure 13: Binary functionality

It throws an error, and a very interesting one: the binary is trying to access something at “/tmp/listusers”. This is particularly interesting for us because everyone on the system has write permission on the /tmp directory, so we can create our own /tmp/listusers. That means we can put any piece of code there and it will be executed as the root user. Let’s try to invoke /bin/bash as root.

Figure 14: Getting root
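The root cause here is a privileged program executing a helper from a directory anyone can write to. The fix is to install the helper in a root-owned, non-writable location and to refuse any helper whose file or ancestor directories are owned by someone else or writable by group/world (the same rule OpenSSH-style “safe path” checks apply). The following is an added example (not code from the write-up or the viewuser binary) implementing that check; the stat entries modelling /tmp/listusers and a relocated /usr/local/sbin/listusers are constructed, and trusting only uid 0 by default is an assumption of the example.

```python
"""Added example (not code from the write-up): the path check a privileged
program should make before executing a helper such as /tmp/listusers. A helper
is accepted only if it and every directory above it are owned by a trusted uid
and writable by nobody else. The constructed stat entries below model the
write-up's /tmp/listusers and a relocated helper; trusting only uid 0 by
default is an assumption of this example."""
import os
import stat
import tempfile
from typing import Iterable, List, Optional, Tuple

Entry = Tuple[str, int, int]   # (path, st_mode, st_uid)


def audit_chain(chain: Iterable[Entry], trusted_uids: Iterable[int]) -> Optional[str]:
    """Check the helper and each ancestor directory; return the first problem, or None."""
    trusted = set(trusted_uids)
    for path, mode, uid in chain:
        if stat.S_ISLNK(mode):
            return f"{path}: symlink"
        if uid not in trusted:
            return f"{path}: owned by uid {uid}"
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            return f"{path}: group/world writable"
    return None


def path_chain(path: str) -> List[Entry]:
    """lstat() the path and every ancestor up to '/', without following symlinks."""
    cur = os.path.abspath(path)
    chain: List[Entry] = []
    while True:
        st = os.lstat(cur)
        chain.append((cur, st.st_mode, st.st_uid))
        parent = os.path.dirname(cur)
        if parent == cur:
            return chain
        cur = parent


def helper_is_trusted(path: str, trusted_uids: Iterable[int] = (0,)) -> Tuple[bool, str]:
    """(ok, reason) for a real file. The vulnerable pattern is to exec the path
    with no such check at all, which is what viewuser does with /tmp/listusers."""
    if not os.path.isfile(path) or not os.access(path, os.X_OK):
        return False, "not an executable regular file"
    reason = audit_chain(path_chain(path), trusted_uids)
    return reason is None, reason or "ok"


def world_writable_fixture() -> str:
    """Create a mode-0777 'helper' in a temp dir (constructed) and return its path."""
    fd, path = tempfile.mkstemp(prefix="listusers-")
    os.write(fd, b"#!/bin/sh\n")
    os.close(fd)
    os.chmod(path, 0o777)
    return path


# Constructed stat data modelling the write-up's situation and a fixed layout.
ROOT_DIR = ("/", stat.S_IFDIR | 0o755, 0)
TMP_LISTUSERS = [("/tmp/listusers", stat.S_IFREG | 0o755, 1000),
                 ("/tmp", stat.S_IFDIR | 0o1777, 0), ROOT_DIR]
ROOT_OWNED_IN_TMP = [("/tmp/listusers", stat.S_IFREG | 0o755, 0),
                     ("/tmp", stat.S_IFDIR | 0o1777, 0), ROOT_DIR]
FIXED_HELPER = [("/usr/local/sbin/listusers", stat.S_IFREG | 0o755, 0),
                ("/usr/local/sbin", stat.S_IFDIR | 0o755, 0),
                ("/usr/local", stat.S_IFDIR | 0o755, 0),
                ("/usr", stat.S_IFDIR | 0o755, 0), ROOT_DIR]

if __name__ == "__main__":
    for label, chain in [("attacker-owned file in /tmp", TMP_LISTUSERS),
                         ("root-owned file in /tmp", ROOT_OWNED_IN_TMP),
                         ("helper moved to /usr/local/sbin", FIXED_HELPER)]:
        print(f"{label}: {audit_chain(chain, (0,)) or 'ok'}")
    print("real 0777 file:", helper_is_trusted(world_writable_fixture()))
```

Note that the second constructed case is rejected even though the file is root-owned: /tmp being world-writable is enough, because the program cannot know who created the file first. Moving the helper under a root-owned, 0755 path is what makes the check pass.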

We have now gained root privileges on the server. This wraps up Irked, I hope you enjoyed reading this write-up and have learned something new. See you next time!

Figure 15: Quote
