hackthebox.eu: Irked Walkthrough

Starting a second hackthebox entry!

First, the usual nmap -sC -sV output.

So I’ve learned something interesting that goes back to my penetration testing roots. It seems that CTF or CTF-like boxes will have some differences that are necessary to create puzzles that are interesting. There is much argument as to whether these configurations are “realistic” or not. I’m sure that every CTF configuration example is possible somewhere in the world, so I’m not going to argue either way at this point.

However, my usual nmap process was useful here. First do a quick scan for low-hanging fruit, THEN do a full port scan to look in every corner. That's where I found the meat of this one.

To be fair, there was also a clue on the website. I was a bit foolish at first and just hunted and pecked for common IRC ports instead of just scanning for all ports. Guess I was trying to be too targeted.

Irked_03.png

So now that we have a solid target, let's do some research. Running a Google search for "UnrealIRCd exploit" gets us a bunch of good walkthroughs that point toward the Metasploit module "unix/irc/unreal_ircd_3281_backdoor". I had to tweak options and the payload to get what I wanted, but then I had a shell!

Now for some enumeration to see what I can find. Poking around a bit I found a user.txt file, but I don’t have permissions to view it. Hmmm…

After some looking around I found a password and a hint to the solution in the .backup file in /home/djmardov/Documents/, and after banging my head on the wall for about forever (and getting some assistance from my friend Kahuna) I got a hint that it might be in the image from the web server. LOVED the Konami code password.

Irked_05.png

Now it’s time to learn how to use steghide in Kali. (Confession: I HATE stego challenges). After some messing around and some thoroughly unhelpful error messages I got to this command.

Then I entered the super secret password from the backup and got the extracted data written to pass.txt.

Irked_06.png

The contents of the resulting file showed a password that looks likely for the target user.

Trying it out with the su command results in success! User owned.

Irked_08.png

Now for root. Back to enumeration. It seems like SUID binaries may be the sauce.

OK, so there's a trick to this. A good place to start is some Linux enumeration scripts. These remind me of PowerUp for Windows, or maybe PowerUp should remind me of these. They give you a lot of information to start from, but you need a comparison. I found that taking a look at a local Linux host was helpful to sort out false positives, AND then checking Google for my possibles to see whether search results came back. When I found a binary that didn't have a lot of information, I thought I was on the right track.
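The baseline comparison described above, as an added example that is not part of the original post: it lists the setuid/setgid files on a host and reports only those that do not appear in a baseline listing taken from a clean machine of the same distribution, so stock helpers such as passwd or sudo drop out and the odd ones remain. The sample baseline and target lists (including the path /usr/local/bin/custom-helper) are constructed for the demo, not taken from the box.

```shell
#!/bin/sh
# Added example (not from the original post): compare the SUID/SGID inventory of a
# host against a known-clean baseline so that only unusual entries need a closer look.

# Collect setuid and setgid regular files on the host this runs on, one absolute
# path per line, sorted. Staying on one filesystem (-xdev) avoids /proc noise.
list_suid() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort -u
}

# Print the entries of the candidate list that are absent from the baseline.
# Both arguments are files with one path per line; ordering does not matter.
# Temp files are used instead of process substitution to stay POSIX sh friendly.
suid_diff() {
    b=$(mktemp) || return 1
    c=$(mktemp) || { rm -f "$b"; return 1; }
    sort -u "$1" > "$b"
    sort -u "$2" > "$c"
    comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# On Debian-based systems, report which package (if any) owns a path; an
# unowned setuid binary is worth more attention than a packaged one.
owner_pkg() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null || echo "$1: not owned by any package"
    else
        echo "$1: dpkg not available on this host"
    fi
}

# Constructed sample data standing in for a real baseline and a real target listing.
write_sample_lists() {
    cat > "$1/baseline.txt" <<'EOF'
/usr/bin/passwd
/usr/bin/sudo
/bin/mount
/bin/su
EOF
    cat > "$1/target.txt" <<'EOF'
/bin/mount
/bin/su
/usr/bin/passwd
/usr/bin/sudo
/usr/local/bin/custom-helper
EOF
}

# Run the comparison over the constructed lists and print what stands out.
demo_diff() {
    d=$(mktemp -d) || return 1
    write_sample_lists "$d"
    suid_diff "$d/baseline.txt" "$d/target.txt"
    rm -rf "$d"
}

# Usage on a real host: list_suid > target.txt on the target, list_suid > baseline.txt
# on a clean reference box, then suid_diff baseline.txt target.txt.
demo_diff
```

Run it as-is and the only line printed is /usr/local/bin/custom-helper; the four stock binaries present in both lists are filtered out, which is exactly the false-positive trimming the comparison host gives you.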

The next thing I found was that navigating directly to the location of the file and running it via ./ gave me better results than running it from the command line by name. I’m really not sure why this is, but it’s a good thing to learn for the future. Programs can run differently depending on where you run them from.

Wrong

This is the wrong way

Right

See the difference?

Once I ran the program this way, I got my next hint pointing to a file that didn’t exist. With that I knew I could try writing to this file. I just added a couple of simple things to verify I was on the right track and got success!

Irked_11.png

The last thing was to use this access as a slow way of getting to the data I needed. I’m sure that I could have done more to try and actually gain a root shell but I’m of the opinion that the target is the target and once I get there I can move on.

I would say if you're stuck and don't mind some cryptic hints that may or may not get you toward where you're going (YMMV), check out the HTB forums and see if something jogs your memory.
