d3vyce 095a13b2c9
add: writeup-ctf
2024-03-02 21:49:07 +01:00

---
title: "Writeup - Irked (HTB)"
date: 2022-05-24
slug: "writeup-irked-htb"
type: "writeup-ctf"
---
This is a writeup for the [Irked](https://app.hackthebox.com/machines/Irked) machine from the HackTheBox site.
## Enumeration
First, let's start with a scan of our target with the following command:
```bash
nmap -sV -T4 -Pn 10.10.11.146
```
Many TCP ports are discovered:
![](img/image-1.webp)
- 22/tcp: SSH (OpenSSH 8.2)
- 80/tcp: HTTP web server (Apache 2.4.41)
- 111/tcp: rpcbind
- 6697/tcp: IRC (UnrealIRCd)
- 8067/tcp: IRC (UnrealIRCd)
- 52411/tcp: status
- 65534/tcp: IRC (UnrealIRCd)
![](img/image-2.webp)
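As an added example (not part of the original writeup), here is a small triage script a defender can run over nmap's normal output to flag the kind of exposure this scan shows: IRC daemons reachable from the network, a daemon sitting on an ephemeral port such as 65534, and a known-backdoored build. The scan text is constructed to mirror the port list above; the UnrealIRCd version strings in it are assumptions, not the real scan result.

```python
import re
from collections import namedtuple

# Constructed nmap -sV output modelled on the port list in this writeup.
# The UnrealIRCd version strings are assumptions, not taken from the real scan.
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2
80/tcp    open  http    Apache httpd 2.4.41
111/tcp   open  rpcbind 2-4 (RPC #100000)
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
52411/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd 3.2.8.1
"""

# Product/version pairs a defender treats as a finding in their own right.
KNOWN_BAD_VERSIONS = {("UnrealIRCd", "3.2.8.1"): "backdoored release, upgrade immediately"}
EPHEMERAL_START = 49152  # a long-lived daemon up here is rarely a sanctioned deployment

LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
PortEntry = namedtuple("PortEntry", "port proto state service version")

def parse_nmap(text: str) -> list:
    """Parse nmap normal-output port lines; the header and other noise are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            entries.append(PortEntry(int(port), proto, state, service, version.strip()))
    return entries

def triage(entries: list) -> list:
    """Flag exposed IRC daemons, daemons on ephemeral ports and known-bad builds."""
    findings = []
    for e in (x for x in entries if x.state == "open"):
        if e.service == "irc":
            findings.append(f"{e.port}/{e.proto}: IRC daemon exposed ({e.version or 'unknown version'})")
        if e.port >= EPHEMERAL_START:
            findings.append(f"{e.port}/{e.proto}: {e.service!r} listening on an ephemeral port")
        for (product, version), note in KNOWN_BAD_VERSIONS.items():
            if e.version.startswith(product) and version in e.version:
                findings.append(f"{e.port}/{e.proto}: {product} {version} - {note}")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_nmap(SAMPLE_NMAP_OUTPUT)):
        print(finding)
```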
## Exploit
Following the nmap scan I notice that port 65534 is open with the UnrealIRCd service. After some research on Google I find that there is a well-known exploit for version 3.2.8.1. Before doing anything else I start by testing this exploit. I search for the module in Metasploit:
![](img/image-3.webp)
Then after setting the options I launch the exploit:
![](img/image-4.webp)
Without success, but oddly the error is related to a setting and not to the target itself, so I try a second version that I find on GitHub: [UnrealIRCd-3.2.8.1-Backdoor](https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor)
After adding my IP address and port in the file, I launch the exploit with the following command:
![](img/image-5.webp)
After a few seconds I have a reverse shell as `ircd`.
![](img/image-6.webp)
I don't have permission to read the first flag, but I find a hidden `.backup` file that I can read:
![](img/image-7.webp)
This file contains a sentence and what looks like a password. The sentence refers to steganography.
> Steganography is the practice of concealing a message within another message or a physical object. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video.
The only image we've come across so far is on the website found at the beginning of the machine. I download it and use [steghide](https://0xrick.github.io/lists/stego/#steghide) with the password I found.
![](img/image-8.webp)
I manage to extract a `pass.txt` file! In this file I find the following password:
```text
Kab6h+m+bbp2J:HG
```
So I try to connect via SSH as the user `djmardov`:
![](img/image-9.webp)
I now have a shell with the user `djmardov` and I can get the first flag.
## Privilege escalation
I start by running a [linpeas.sh](https://linpeas.sh) scan.
![](img/image-10.webp)
I quickly find that the machine is vulnerable to CVE-2021-4034, so I use the following exploit: [CVE-2021-4034 GitHub](https://github.com/berdav/CVE-2021-4034).
After downloading the different files, I compile the code with `make`, then I launch the program.
![](img/image-11.webp)
I now have a `root` shell and can retrieve the last flag.
## Recommendations
To secure this host, I think the following actions would be necessary:
- Update UnrealIRCd to a version that is not affected by this exploit
- Do not store cleartext passwords in files
- Apply the system updates that fix CVE-2021-4034