Irked is a Linux machine on HackTheBox which is rated as easy difficulty, and awards 20 points. Irked has some CTF-like aspects to it which I really enjoyed, and requires good enumerations skills to obtain both the user.txt and root.txt flags.
Let's get started on this machine by scanning all of the ports with masscan:
masscan -p1-65535 10.10.10.117 --rate=1000 -e tun0
-p1-65535: Tells masscan to scan all tcp ports -e <ifname>, --adapter <ifname>: uses the named raw network interface, such as "tun0" --rate=1000: Scan rate = 300 packets per second
Alright, so we have some interesting ports open. Let's first check port 80 and see what's going on.
We're only presented with a picture which is most likely not our foothold to this box. However, we can see a small message stating that the "IRC is almost working!" Let's hop over to nmap to look into the other ports and see if there's anything related to an IRC going on.
nmap -p 22,80,111,6697,8067,52245,65534 10.10.10.117
-p <port ranges>: Only scan specified ports
Okay, now we're talking. Port 6697 looks to be interesting. Let's use the elite hacking tool known only to the 3lite as "Google" and see if anything comes up for port 6697.. Sure enough, something does: https://www.hackingtutorials.org/metasploit-tutorials/hacking-unreal-ircd-3-2-8-1/
Let's just quickly verify that we're dealing with UnrealIRCd:
nmap -p 6697 -A 10.10.10.117
-A: Enable OS detection, version detection, script scanning, and traceroute
Schweeeet. Looks like we've found our foothold.
Let's search "unreal irc" in metasploit and see if anything interesting comes up:
Looks like there's only one exploit in metasploit which applies to this situation so let's type:
And then let's show the options for the module:
This all looks simple enough. Let's show our payloads and pick one from the list:
For this exploit we're going to be using a reverse tcp shell (via Perl) - so let's type:
set payload cmd/unix/reverse_perl
Once the payload is set it's important that we fill out our other options so edit the RPORT, RHOST, and LHOST before running the exploit. Here are my options before running:
Now let's run the exploit and see what happens:
Now let's get an interactive shell to browse the machine. This can be accomplished by typing "shell"
Okay - now let's start snooping around the machine for something interesting - the first place I'm going to check is the home directory and see if I can find the user.txt:
So - I did find the user.txt but I don't have permissions for it. It looks like I'll have to obtain the credentials to djmardov's account to read it (we are currently logged in as ircd).
There has to be something else going on in djmardov's documents.. Let's try looking a little closer:
-l: (The lowercase letter “ell”.) List in long format. -a: Include directory entries whose names begin with a dot (‘.’).
Interesting there's a .backup - let's view the contents of it:
Ooooo. A steganography password. There's only one image that I've seen throughout this machine and it was the first image that we ran into:
We could decode the image using steghide via terminal - but I want anyone to be able to decode this image. So let's use the website: https://futureboy.us/stegano/decinput.html
So let's upload the image and enter the "super elite steg backup pw" (it's the konami code)
After hitting submit we are presented with the following decoded text:
I threw the output of the decoded text into a few cryptography decoders online and didn't have any result. So I figured, why not try to SSH into the machine and use it as djmardov's password?
djmardov password: Kab6h+m+bbp2J:HG
We're in! Now let's go and read the user.txt file.
Noice! We were able to read the user.txt and submit the user flag! Now we're moving onto privilege escalation.
Now that we've owned user, we need to start enumerating to get root. Since I've already completed this box I won't go into the full enumeration process but you should check out this guide on Linux enumeration.
Our journey to root starts off with enumerating SUID files. We can accomplish this with the command:
find / -uid 0 -perm -4000 -type f 2>/dev/null
If we compare this list of SUID files next to a clean installation of a machine (in this case I used my Kali box) we can see that /usr/bin/viewuser is unique to this machine. We should try running viewuser to see what happens:
That's interesting. We can see that this is indeed something which is in development by root, and that /tmp/listusers cannot be found. What if we were to create this file and then run viewuser?
Here is me creating a file named listusers:
Here is the result after running viewuser with the new file created:
As we can see - the original output of "not found" has changed to "Permission denied".
But what if we tried making listusers executable and then running it?
Now that's interesting.. Permission denied has disappeared completely. What if we tried making a command executable?
For example: What if we input passwd instead of test? Would we be able to change the password of root?
It worked! We can change the password of the root user and then login:
As you can see - I was able to successfully log in as root with the password I set.
Also.. I found this picture while writing this walkthrough and I thought it was incredibly appropriate:
All that's left is navigating to root.txt and submitting the root flag:
This machine was really fun to own. After completing the box and reading posts on the HackTheBox forum I saw that a lot of people had trouble with enumeration - whether that was in the initial nmap scan, steganography password, or even the SUID files. I think that Irked tests your knowledge and has a nice little CTF twist.
It's also important to mention that obtaining the credentials to djmardov isn't needed to complete this box. Once a shell has been popped via metasploit you could create the listusers file, obtain root, and then grab the user.txt and root.txt flags.
Thanks for reading! I hope you learned something new.