add: writeup-ctf

content/writeup-ctf/writeup-irked-htb/index.md

@@ -0,0 +1,97 @@
+---
+title: "Writeup - Irked (HTB)"
+date: 2022-05-24
+slug: "writeup-irked-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Irked](https://app.hackthebox.com/machines/Irked) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.146
+```
+Many TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 8.2)
+- 80/tcp : HTTP web server (Apache 2.4.41)
+- 111/tcp : rpcbind
+- 6697/tcp : IRC (UnrealIRCd)
+- 8067/tcp : IRC (UnrealIRCd)
+- 52411/tcp : Status
+- 65534/tcp : IRC (UnrealIRCd)
+
+![](img/image-2.webp)
+
+## Exploit
+
+Following the nmap scan I notice that there is the port 65534 open with the UnrealIRC service. After some research on google I find that there is a big exploit for version 3.2.8.1. Before doing anything else I start by testing this exploit. I search the module in Metasploit :
+
+![](img/image-3.webp)
+
+Then after setting the options I launch the exploit:
+
+![](img/image-4.webp)
+
+Without success, but it's weird it's an error related to a setting and not a problem related to the target, so I try a second version that I find on github: [UnrealIRCd-3.2.8.1-Backdoor](https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor)
+
+After adding my IP/Port in the file, I launch the exploit with the following command:
+
+![](img/image-5.webp)
+
+After a few seconds I now have a reverse shell as ircd.
+
+![](img/image-6.webp)
+
+I don't have the permissions to read the first flag, but I find a hidden `.backup` file I can consult:
+
+![](img/image-7.webp)
+
+In this file a sentence and what could look like a password. In the sentence it is referred to steganography.
+
+
+> Steganography  is the practice of concealing a message within another message or a physical object. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video.
+
+The only image we've come across so far is on the site of the beginning of the machine. I download it and use [steghide](https://0xrick.github.io/lists/stego/#steghide) with the password I found.
+
+![](img/image-8.webp)
+
+I manage to extract a `pass.txt` file! In this file I find the following password :
+
+
+```bash
+Kab6h+m+bbp2J:HG
+```
+So I try to connect via SSH to the user `djmardov` :
+
+![](img/image-9.webp)
+
+I now have a shell with the user `djmardov` and I can get the first flag.
+
+## Privilege escalation
+
+I start by running a [linpeas.sh](https://linpeas.sh) scan.
+
+![](img/image-10.webp)
+
+Quickly I find that the machine is vulnerable to CVE-2021-4034. So I will use the following [CVE-2021-4034 Github](https://github.com/berdav/CVE-2021-4034) exploit.
+
+After downloading the different files, I compile the code with `make`, then I launch the program.
+
+![](img/image-11.webp)
+
+I now have a `root` shell and can retrieve the last flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update UnrealIRC to fix the exploit
+- Do not store clear passwords in a file
+- Update Linux to fix CVE-2021-4034