Irked

Link of the box: Irked

Enumeration (NMAP)

# Nmap 7.91 scan initiated Mon Nov 15 17:58:21 2021 as: nmap -sC -sV -p22,80,111,6697,8067,50848,65534 -oN scan 10.10.10.117
Nmap scan report for 10.10.10.117
Host is up (0.17s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          45415/udp   status
|   100024  1          48275/udp6  status
|   100024  1          50424/tcp6  status
|_  100024  1          50848/tcp   status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd (Admin email djmardov@irked.htb)
50848/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd (Admin email djmardov@irked.htb)
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 15 17:58:41 2021 -- 1 IP address (1 host up) scanned in 20.30 seconds

# Nmap 7.91 scan initiated Mon Nov 15 17:57:10 2021 as: nmap -p- -vvv -n --min-rate 5000 -oN port 10.10.10.117
Warning: 10.10.10.117 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.10.10.117 from 320 to 640 due to 293 out of 976 dropped probes since last increase.
Increasing send delay for 10.10.10.117 from 640 to 1000 due to 739 out of 2462 dropped probes since last increase.
Nmap scan report for 10.10.10.117
Host is up, received syn-ack (0.17s latency).
Scanned at 2021-11-15 17:57:10 EST for 28s
Not shown: 65192 closed ports, 336 filtered ports
Reason: 65192 conn-refused and 336 no-responses
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack
80/tcp    open  http       syn-ack
111/tcp   open  rpcbind    syn-ack
6697/tcp  open  ircs-u     syn-ack
8067/tcp  open  infi-async syn-ack
50848/tcp open  unknown    syn-ack
65534/tcp open  unknown    syn-ack

Read data files from: /usr/bin/../share/nmap
# Nmap done at Mon Nov 15 17:57:38 2021 -- 1 IP address (1 host up) scanned in 28.18 seconds

# Nmap 7.91 scan initiated Mon Nov 15 17:59:27 2021 as: nmap --script vuln -oN vulns 10.10.10.117
Nmap scan report for 10.10.10.117
Host is up (0.17s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /manual/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp open  rpcbind

# Nmap done at Mon Nov 15 18:00:35 2021 -- 1 IP address (1 host up) scanned in 67.93 seconds

Exploitation

Apparently we can log in to the IRC server with the following commands:

nc 10.10.10.117 8067
PASS password
NICK emanlui
USER guest 8 * :Ema

The registration sequence is described in RFC 2812, section 3.1: https://datatracker.ietf.org/doc/html/rfc2812#section-3.1

The server's replies also include version information, which shows that the IRC server is vulnerable to a backdoor.
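The same version check can be automated when auditing IRC servers you are responsible for. The Python sketch below is an added example, not part of the original write-up: it parses registration replies in the RFC 2812 message format and reads the advertised version from the 004 (RPL_MYINFO) numeric, falling back to 002 (RPL_YOURHOST). The sample replies and the `Unreal` banner prefix are constructed assumptions; the version number is the one named in the exploit repository linked below.

```python
import re

# Constructed sample of server replies to PASS/NICK/USER (not captured from the box).
SAMPLE_REPLIES = (
    ":irked.htb NOTICE AUTH :*** Looking up your hostname...\r\n"
    ":irked.htb 001 emanlui :Welcome to the IRC network\r\n"
    ":irked.htb 002 emanlui :Your host is irked.htb, running version Unreal3.2.8.1\r\n"
    ":irked.htb 004 emanlui irked.htb Unreal3.2.8.1 iowghra lvhopsmntikr\r\n"
    "PING :irked.htb\r\n"
)

# Version taken from the exploit repository name on this page; the "Unreal" prefix
# in the advertised string is an assumption about the banner format.
REVIEW_VERSIONS = {"unreal3.2.8.1"}

def parse_message(line):
    """Split one IRC line into (prefix, command, params), RFC 2812 section 2.3.1."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("IRC message without a command")
    params = parts[1:] + ([trailing] if sep else [])
    return prefix, parts[0].upper(), params

def server_version(raw):
    """Return the version from 004 (RPL_MYINFO), falling back to 002 (RPL_YOURHOST)."""
    fallback = None
    for line in raw.splitlines():
        if not line.strip():
            continue
        _, command, params = parse_message(line)
        if command == "004" and len(params) >= 3:
            return params[2]  # params: nick, server name, version, modes...
        if command == "002" and params:
            match = re.search(r"running version (\S+)", params[-1])
            fallback = match.group(1) if match else fallback
    return fallback

def needs_review(version):
    """Banner match only: a hit is a lead to verify on the host, not proof."""
    return version is not None and version.lower() in REVIEW_VERSIONS
```

Calling `needs_review(server_version(SAMPLE_REPLIES))` on the constructed replies returns `True`.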

We are going to use this code: https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor/blob/master/exploit.py

Inside djmardov's Documents folder we can find the user.txt flag and also a .backup file. The following command can be used to locate all the backup files on the system:

locate '*backup*'

The file contains a password and also says something about steg, so maybe the image from the beginning needs to be checked with a steganography tool.

We can then log in over SSH to the djmardov account with the password.

The web page is run as root, but in this case we can't take advantage of that.

Viewuser is trying to run a file that doesn't exist, which is why it gave some errors. We can create that file with just:

#!/bin/bash

bash

That should work. We run viewuser and we get a shell.

This post is licensed under CC BY 4.0 by the author.