HackTheBox Irked Walkthrough - UnrealIRCd Exploit
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It was founded in 2017 by Haris Pylarinos.
Time stamps:
0:00 Introduction
0:06 Nmap scan
0:44 Exploring web server
1:35 IRC exploitation
5:36 Steganography
7:03 Connecting to ssh
8:07 Finding vulnerable programs
9:15 Exploiting vulnerable program
In this HackTheBox Irked walkthrough, you will be walked through the Irked machine from Hack The Box. The first step is to run an nmap scan to determine which ports are open and which programs are listening on them. The results show a web server running on port 80 as well as 2 UnrealIRC servers on ports 6697 and 8067. Accessing the web server returns a page containing an image and the phrase “IRC is almost working”, and requesting the robots.txt file returns a 404 Not Found page.
Since the web server does not provide anything useful for the time being, the focus shifts to the IRC servers. Searching for UnrealIRC exploits shows that a Metasploit module exists for it. Running the exploit grants shell access to the machine. Browsing the files reveals a file containing “steg pw”, which is a hint for a steganography password. After downloading the image from the web server and running steghide on it, a file is extracted from the image that contains the password for the other user on the machine. This password is used to connect to the machine as the other user via ssh.
After the connection is established, the next goal is root access. Start by searching for root-owned programs that have the SUID permission set, which means they are executed as root. This reveals a non-standard Linux program called viewuser, which tries to execute a non-existent file. Creating this file with content that executes bash yields a shell with root permissions.
By finishing this HTB Irked tutorial, you will learn some ways to approach and break into a machine, such as using nmap to detect programs listening on ports of a remote machine, looking up exploits and executing them with Metasploit, and looking for potentially vulnerable programs that might allow escalating privileges to root.
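The root step above works because a setuid-root program runs a file from a directory that any local user can write to. The following audit script is an added example, not part of the original walkthrough: it lists setuid-root files whose embedded strings reference such directories. The directory list and all function names are assumptions made for this example.

```python
import os
import re
import stat
import sys

# Paths under directories any local user can write to (assumed list, extend per host).
# The lookbehind stops "/usr/tmp/x" from being reported as "/tmp/x".
WRITABLE_REF = re.compile(rb"(?<![\w./-])(?:/tmp|/var/tmp|/dev/shm)/[\x21-\x7e]+")
SKIP = ("/proc", "/sys", "/dev")  # pseudo-filesystems, nothing to audit


def is_suid_root(mode, uid):
    """True for a regular file that is owned by root and has the setuid bit."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def writable_path_refs(blob):
    """Paths in world-writable directories embedded as strings in a binary."""
    return sorted({m.decode("ascii") for m in WRITABLE_REF.findall(blob)})


def audit(root="/"):
    """Yield (binary, [paths]) for every setuid-root file under root that
    references a path an unprivileged user could create or replace."""
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune pseudo-filesystems in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not is_suid_root(st.st_mode, st.st_uid):
                    continue
                with open(path, "rb") as fh:
                    refs = writable_path_refs(fh.read())
            except OSError:
                continue  # unreadable or vanished file, skip it
            if refs:
                yield path, refs


if __name__ == "__main__":
    for binary, refs in audit(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{binary}: references {', '.join(refs)}")
```

Any hit is a candidate for review: the binary should either drop its setuid bit or stop referencing paths outside root-owned directories.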
Discussion: https://bit.ly/32JZoqp
This video is made by Ismael Vasquez Jr:
Website - https://ismaelvazquezjr.com
Twitter - https://twitter.com/IsmaelVazquezJr
Facebook - https://facebook.com/vazquezjrismael
Github - https://github.com/ismaelvazquezjr
LinkedIn - https://linkedin.com/in/ismael-vazquez-jr-a6abb119b
HTB Irked is a relatively easy Linux box with an IRC server vulnerability. You can use this vulnerability to get a shell, then there is a simple steganography challenge which gives us a password. To get root, you use an SUID binary that executes /tmp/listusers.
After an nmap scan we find a web server with an irked.jpg emoji image and an UnrealIRCd server; the IRCd server has an exploit we can use to get a shell. Browsing around the file system, you find a .backup file with a steganography backup password in the user's documents folder. We extract the data from the hash, which is the user's password. We use /tmp/listusers to execute a binary to get privilege escalation. And that's it.