Irked
Reconnaissance: NMAP
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.117
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 52645/tcp6 status
| 100024 1 53154/udp status
| 100024 1 53543/udp6 status
|_ 100024 1 60050/tcp status
Aggressive OS guesses: Linux 3.12 (96%), Linux 3.13 (96%), Linux 3.16 (96%), Linux 3.18 (96%), Linux 3.2 - 4.9 (96%), Linux 3.8 - 3.11 (96%), Linux 4.4 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We get back the following result showing that nine ports are open:
Port 22: running OpenSSH 6.7p1
Port 80: running Apache httpd 2.4.10
Port 111: running rpcbind 2–4
Ports 6697, 8067 & 65534: running UnrealIRCd
Port 51881: running an RPC service
Port 111: running rpcbind
Port 5353: running zeroconf
Enumeration: HTTP Port 80/tcp
Let’s start with enumerating port 80. Visit the machine’s IP address in the browser. We get back the following page.
Let’s view the page source (right click > View Page Source) to see if that gives us any extra information.
view-source:http://10.10.10.117/
Gobuster:
The /manual directory leads us to the default Apache HTTP server page.
http://10.10.10.117/manual/en/index.html Version 2.4
Enumeration: UnrealIRCd Ports 6697, 8067 & 65534
Another dead end. Let’s move on to other ports. Ports 22 and 111, running OpenSSH 6.7p1 and rpcbind 2–4, don’t look promising. Ports 6697, 8067 & 65534 are running UnrealIRCd. One version of this service shipped with a backdoor that allows command execution. Let’s see if there are any nmap scripts that check for this vulnerability.
The script’s documentation tells us that not only can nmap detect the backdoor, it can also be used to start a netcat listener that would give us a shell on the system. First, run an nmap scan to see which of these ports are vulnerable to the backdoor.
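From the detection side, the backdoor described above is easy to spot on the wire: it fires on a client line that begins with the prefix "AB;" sent to the IRC daemon. The following is an added example (not code from the original post) that flags such lines in a constructed connection log; the log format (timestamp, source, destination port, payload) and the sample entries are assumptions for this example, and the port set comes from the scan above.

```python
"""Flag UnrealIRCd backdoor trigger lines in a captured connection log.
Added example, not part of the original post. The log format is constructed:
one line per client message, "<timestamp> <src-ip> <dst-port> <payload>"."""
import re
from typing import List, Tuple

IRC_PORTS = {6697, 8067, 65534}      # UnrealIRCd ports seen in the scan above
TRIGGER = re.compile(rb"^AB;")       # backdoor prefix, anchored to the start of the line

# Constructed sample: a normal registration, one trigger on an IRC port,
# and the same prefix on a non-IRC port (should not alert).
SAMPLE_LOG = b"""\
2019-01-01T10:00:01 10.10.14.5 6697 NICK scanner
2019-01-01T10:00:01 10.10.14.5 6697 USER a a a a
2019-01-01T10:00:02 10.10.14.5 8067 AB; ping -c 1 10.10.14.5
2019-01-01T10:00:03 10.10.14.5 80 AB; GET / HTTP/1.0
"""

Alert = Tuple[str, str, int, bytes]   # (timestamp, src, dst port, payload)

def parse_line(line: bytes) -> Alert:
    """Split one log line into its four fields; the payload keeps its spaces."""
    ts, src, port, payload = line.split(b" ", 3)
    return ts.decode(), src.decode(), int(port), payload

def find_backdoor_triggers(log: bytes) -> List[Alert]:
    """Return every client line that starts with the backdoor prefix on an IRC port."""
    alerts: List[Alert] = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        ts, src, port, payload = parse_line(raw)
        if port in IRC_PORTS and TRIGGER.match(payload):
            alerts.append((ts, src, port, payload))
    return alerts

if __name__ == "__main__":
    for alert in find_backdoor_triggers(SAMPLE_LOG):
        print("backdoor trigger:", alert)
```

The same anchored-prefix check translates directly into an IDS signature on those ports; the point is that the prefix must be at the start of the line, since "AB;" elsewhere in chat text is benign.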
Shell as ircd
The next obvious step would be to get a reverse shell on the machine by exploiting the UnrealIRCd backdoor vulnerability. After attempting to do that, I spent an hour trying to figure out why neither my netcat reverse nor bind shells were working. It turns out that if you add the flag “-n”, which stands for “do not do any DNS or service lookups on any specified address”, the shell doesn’t work. I’m not sure why. I’ll update this blog when I figure it out.
OPTION 1:
For now, set up a listener on the attack machine.
Send a reverse shell to our listener from the target machine.
Let’s upgrade it to a better shell.
This gives us a partially interactive bash shell. To get a fully interactive shell, background the session (CTRL+Z) and run the following in your terminal; it tells your terminal to pass keyboard shortcuts to the shell.
Once that is done, run the command “fg” to bring netcat back to the foreground.
OPTION 2:
Based on what I found during reconnaissance, I think I can just connect with nc and enter AB; [some command] and get it to run. I’ll test with a ping. I have tcpdump running, listening for ICMP. Now I’ll connect and test out my theory:
In my other window:
Shell:
Now I can use this to get a shell:
Privesc: ircd -> djmardov
Let’s see if we have enough privileges to get the user.txt flag.
We don’t. We need to escalate privileges. In that same directory, there’s a hidden .backup file:
Steg:
With the reference to steg, I immediately think of the big image on the website. I’ll download a copy:
SU: That password works as djmardov’s password with su:
SSH: I can also ssh in:
Privesc: djmardov -> root
Let’s transfer the LinEnum script from our attack machine to the target machine.
In the attack machine, start up a server in the same directory that the script resides in.
In the target machine download the LinEnum script.
Give it execute privileges.
viewuser
After sifting through all the output from the script, we notice the following file which has the SUID bit set.
Let’s try and execute the file to see what it outputs.
It seems to be running a file, /tmp/listusers, but that file does not exist. Since the SUID bit is set on viewuser, it executes with the privileges of the user who owns it. In this case the file is owned by root, so it runs with root privileges. The missing file lives in /tmp, which we have write access to, so let’s create it and have it run a bash shell.
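The root cause above is a SUID binary that calls an absolute path under a world-writable directory. The following is an added audit script (not the post’s own code and not LinEnum) that finds set-uid files and reports any that embed such a path; demo() builds a constructed sample tree in a temporary directory so the check can be run offline, and the file names and contents in it are assumptions for this example.

```python
"""Find SUID executables that reference paths under world-writable directories.
Added example, not part of the original post. A root-owned SUID file that runs
something under /tmp lets any local user supply that something."""
import os
import re
import stat
import tempfile
from typing import Dict, List

# Absolute paths under directories anyone can write to, e.g. "/tmp/listusers".
WRITABLE_PATH_RE = re.compile(rb"/(?:tmp|var/tmp|dev/shm)/[\w./-]+")

def referenced_writable_paths(binary: str) -> List[str]:
    """Return the world-writable-directory paths embedded in a file's bytes."""
    with open(binary, "rb") as fh:
        data = fh.read()
    return sorted({m.decode() for m in WRITABLE_PATH_RE.findall(data)})

def audit_suid(root: str) -> Dict[str, dict]:
    """Map every regular SUID file under root to its owner uid and risky references."""
    findings: Dict[str, dict] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                      # unreadable or vanished; skip
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            refs = referenced_writable_paths(path)
            findings[path] = {"owner": st.st_uid, "writable_refs": refs}
    return findings

def demo() -> Dict[str, dict]:
    """Constructed sample: a SUID file referencing /tmp/listusers, a clean SUID file, a non-SUID file."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    samples = {
        "viewuser": (0o4755, b"\x7fELF...bash\0/tmp/listusers\0"),   # the pattern from the post
        "passwd":   (0o4755, b"\x7fELF...\0/etc/passwd\0"),           # SUID but no writable ref
        "ls":       (0o755,  b"\x7fELF...\0/tmp/ignored\0"),          # not SUID, must be skipped
    }
    for name, (mode, content) in samples.items():
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            fh.write(content)
        os.chmod(p, mode)
    return audit_suid(root)

if __name__ == "__main__":
    for path, info in demo().items():
        print("RISK" if info["writable_refs"] else "ok  ", path, info)
```

On a real host, run audit_suid("/") as root and review every entry with a non-empty writable_refs list; the fix for the case above is to have the binary call a path in a root-owned directory, or to drop the SUID bit.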