HackTheBox – Irked
Linux kali 4.19.0-kali1-amd64 #1 SMP Debian 4.19.13-1kali1 (2019-01-03) x86_64 GNU/Linux
An initial port scan using the command nmap -sV -p- 10.10.10.117 shows the following services running on the machine.
SSH on port 22 and HTTP on port 80 are fairly standard, and the software running on these ports has no known vulnerabilities. Ports 6697, 8067 and 65534 are running UnrealIRCd. A quick search in Metasploit shows that one version of UnrealIRCd ships with a known backdoor vulnerability.
This exploit is tested against the machine with the following Metasploit commands:
use exploit/unix/irc/unreal_ircd_3281_backdoor
set RHOSTS 10.10.10.117
set RPORT 8067
This provides a basic shell running as the user ircd.
I decided to attempt to upgrade this basic shell to bash using the python command:
python -c 'import pty; pty.spawn("/bin/bash")'
Some simple enumeration led me to using the command:
find / -perm -4000 2>/dev/null
This lists every file on the system with the SUID bit set, i.e. files that execute with the privileges of their owner rather than of the user running them.
There are a lot of standard files and directories listed here. There are also a few with known exploits. I looked into exim4, but it has been updated to a version which has no CVEs. It is also worth noting that the Linux kernel on this particular machine has a few known privilege escalation exploits; all of these seem to have been patched.
/usr/bin/viewuser is of particular interest, as it is not a standard binary on Linux systems.
Running it produces the error: /tmp/listusers: not found
This is easily exploited by creating /tmp/listusers with some basic commands as a payload. Using /bin/bash as the payload launches a new bash shell with the permissions viewuser runs with, which happen to be root's.
This creates a file that viewuser will try to execute, but it does not yet have permission to do so.
Running chmod 777 listusers gives all users full permissions over this file.
Executing viewuser again followed by the command whoami confirms that I have a shell with root access to the machine.
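The following is an added defensive example and is not part of the original writeup. It automates the SUID review above from the administrator's side: it lists SUID files, flags any that are not in a baseline allowlist built from a known-good image (the baseline file and the sandbox directory are assumptions for illustration), and scans each flagged binary for hardcoded paths under world-writable directories, which is exactly what made viewuser dangerous. The /usr/bin/viewuser name and the /tmp/listusers path come from the writeup; the sample binary used in the usage call is constructed text, not the real program.

```shell
#!/bin/sh
# Added example (not from the original writeup): a defender-side SUID audit.
# Assumes a baseline file listing the SUID binaries expected on this host.

# List SUID files under a root directory (default /), one path per line.
list_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Read SUID paths on stdin and print those absent from the baseline allowlist.
# $1 = baseline file (one absolute path per line)
unexpected_suid() {
    baseline="$1"
    while IFS= read -r f; do
        grep -qxF -- "$f" "$baseline" || printf '%s\n' "$f"
    done
}

# Print any path strings in a binary that point into world-writable directories.
# A SUID program running such a path is trivially hijackable (viewuser ran /tmp/listusers).
# grep -a treats the binary as text so no extra tooling (e.g. strings) is needed.
risky_refs() {
    grep -aoE '(/tmp|/var/tmp|/dev/shm)/[A-Za-z0-9_./-]+' "$1" 2>/dev/null | sort -u
}

# Remediation helper: strip the SUID bit so the binary runs as the invoking user.
drop_suid() {
    chmod u-s -- "$1"
}

# Wire everything together for a live host; run as root so find can read everything.
audit_host() {
    baseline="$1"
    list_suid / | unexpected_suid "$baseline" | while IFS= read -r bin; do
        printf 'unexpected SUID binary: %s\n' "$bin"
        risky_refs "$bin" | sed 's/^/  references world-writable path: /'
    done
}

# Usage with constructed sample data (no real host is touched):
sandbox=$(mktemp -d)
mkdir -p "$sandbox/usr/bin"
printf 'ELF-stub /tmp/listusers\n' > "$sandbox/usr/bin/viewuser"   # constructed fake binary
printf '/usr/bin/passwd\n/usr/bin/sudo\n' > "$sandbox/baseline.txt" # constructed baseline
printf '/usr/bin/passwd\n/usr/bin/viewuser\n' | unexpected_suid "$sandbox/baseline.txt"
risky_refs "$sandbox/usr/bin/viewuser"
```

On a real host, run audit_host /path/to/baseline.txt from a root shell; any binary it reports that also references /tmp or /var/tmp should be removed from the SUID set with drop_suid until its behaviour is understood. A SUID program that must run helpers should do so from a root-owned, non-writable directory with an absolute path.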
From here it is possible to read, write and execute all files on the machine, including, but not limited to, /etc/shadow, which holds the password hashes for every user account on the machine.