Greetings everyone!
In today’s post, I’ll be changing things up by attacking a system that can be found on a website called hackthebox.eu. I’m fairly new to this site, but essentially the premise is that you can connect to their servers via VPN, and attempt to hack the systems, by grabbing a user flag and a root flag, and uploading them to your profile! This system is called Irked, so let’s get to it!
After establishing a VPN connection to the HTB server, we can see that our IP is 10.10.14.16, and the machine called Irked is at 10.10.10.117.
Knowing this information, we’ll start things off with an nmap scan with the command nmap -A -T4 -p- 10.10.10.117.
We see that port 80 is open, so of course we’re going to browse to 10.10.10.117 in a web browser to see what we can find!
Here, we are greeted with a picture of a face that I can only assume resembles my face when watching the Bills play (pre Josh Allen era, that is). There is a comment on the web page that says “IRC is almost working!” We also got a return from our nmap scan for UnrealIRCd. Well, let’s see if we can find an exploit for it in Metasploit!
Found a backdoor exploit! The only options that we need to set are the RHOSTS and RPORT. Then we can type “run” in order to fire off the exploit!
Alright! We have a low-priv shell of the user ircd. Now let’s start looking around!
After a bit of exploring, we find a user called djmardov in the home directory, that also has a user flag that we’ll need to grab!
Well, I guess that would have been too easy. There must be something else here that can help us read that flag! There is another file called “.backup”, maybe something is in there?
Hey, that definitely looks like a password! But before we get too excited, let’s examine the message returned: “super elite steg backup pw”. Hmm. Steg as in steganography? Steganography refers to hiding a message or file inside of another file, image, video, or even audio. Well, we noticed that big yellow face when we browsed to the website, so let’s download it and see if we can extract any information!
For this, we’ll use a tool called Steghide.
Okay, now let’s read the contents of pass.txt.
There is a good chance that this is djmardov’s password, so let’s try it out!
Success! Now let’s grab the user flag.
That’s one flag down! Now let’s try to find that pesky root flag!
For this, we’re going to need to escalate our privileges. Let’s start by searching for SUID files that can be abused.
After a bit of research, /usr/bin/viewuser seems to be the most unusual, so let’s look into this some more.
So it appears that a shell is attempting to run /tmp/listusers; however, the file is not found. What if we were to manually create this file and insert our own shell in it?
Here, the only option to create the file was Vi; however, I had a ton of issues trying to get it to work. It still bothers me that I had trouble with it. So, I tried another option! Since we had the credentials of djmardov, why not just SSH into the system with those credentials, and see if we had access to another text editor? Sure enough, this path led to the use of nano!
Now, let’s run “viewuser” again.
Bingo! Now time to grab the flag!
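From the defender’s side, the weakness used above is a SUID binary that executes a file from world-writable /tmp. The audit below is an added example, not part of the original walkthrough: it flags setuid/setgid files whose embedded strings reference world-writable directories. The directory list and function names are assumptions, and the match is a strings-style heuristic, so review each hit by hand.

```python
import os
import re
import stat
import sys

# Assumed list of world-writable directories; extend it for your hosts.
WRITABLE_DIRS = (b"/tmp/", b"/var/tmp/", b"/dev/shm/")
# Runs of printable ASCII starting with "/", like the output of strings(1).
PATH_RE = re.compile(rb"/[\x21-\x7e]{3,}")


def embedded_writable_paths(binary_path):
    """Return paths embedded in a file that point into world-writable dirs."""
    with open(binary_path, "rb") as fh:
        data = fh.read()
    hits = {m.group().decode("ascii") for m in PATH_RE.finditer(data)
            if m.group().startswith(WRITABLE_DIRS)}
    return sorted(hits)


def audit_setid(root):
    """Map each setuid/setgid regular file under root to its risky paths."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
                if not stat.S_ISREG(mode):
                    continue
                if not mode & (stat.S_ISUID | stat.S_ISGID):
                    continue
                paths = embedded_writable_paths(full)
            except OSError:
                continue  # unreadable or vanished file: skip it
            if paths:
                findings[full] = paths
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_setid.py /usr/bin /usr/sbin ...
    for root in sys.argv[1:] or ["/usr/bin"]:
        for binary, paths in sorted(audit_setid(root).items()):
            print(f"{binary}: references {', '.join(paths)}")
```

Any binary this reports should either lose its SUID bit or be changed to call helpers by a fixed path in a root-owned directory.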
This was a very fun machine, and a good way to get an idea of what the systems on HTB are like. I’m sure they will only get more difficult, but we’ll be up for the challenge!
Thanks for reading!