Irked – HacktheBox
I learned about SUID with this box. The user access I found easy, I think I got user in under 10 minutes – that’s a first for me. The PE part took me sometime, which a few nudges!
Skills Required
SUID knowledge
Skills Learned
Searching for sticky bits
Understanding a bit more about standard linux binaries
Adding echo command to a file to see if it executes it.
START
nmap -sC -sV -oA all -vv -p- 10.10.10.117
I see that there is an IRC server and take took a look for a metasploit module.
After upgrading the shell I browsed to the home directory to see what users there were. I seen there was ircd – which I was logged in as and djmardov. Traversing into the djmardov user there were a few files – laid out in the Windows style
ircd@irked:/home/djmardov$ ls
ls
Desktop Documents Downloads Music Pictures Public Templates Videos
ircd@irked:/home/djmardov$
I ran ls -laR to search for files within all the directories in djmardov and found the user.txt file as well as another hidden file called .backup.
I tried to view user.txt but couldnt – I’m not the user djmardov.
ircd@irked:/home/djmardov/Documents$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
ircd@irked:/home/djmardov/Documents$
I checked to see what was in the contents of .backup.txt
ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
Humm so I have a steg password for something – probably an image.
Back to review the nmap scan and see there is a http server.
It reveals an image – I guessed that this is the image that the steg password is for.
I downloaded the image to kali
For some reason steghide is not installed by default in Kali so I did an apt-get install steghide to install it. Following the help page of it I extracted the data from the file as shown below.
I ssh’d in as dj
djmardov@irked:~$ cat Documents/user.txt
4a66a78b12dc0e661a59d3f5c0267a8e
djmardov@irked:~$
The PE part took me a lot of time and I needed a few nudges. I’ll go through some my thoughts, some commands I used and what I was looking for.
djmardov@irked:/tmp$ sudo -l
-bash: sudo: command not found
djmardov@irked:/tmp$
Test to see what sudo command djmardov can run. He has not been given access to sudo. Sometimes you get lucky with this PE route.
What is the server's Architecture cat /proc/version; uname -a; uname -mrs; rpm -q kernel; dmesg | grep Linux; ls /boot | grep vmlinuz-; file /bin/ls; cat /etc/lsb-releasels -alh /usr/bin/; ls -alh /sbin/; dpkg -l; rpm -qa; ls -alh /var/cache/apt/archivesO; ls -alh /var/cache/yum/*;nothing looks out of place here – checking versions of some apps.
Looking for writeable config files – none found find /etc/ -writable -type f 2>/dev/nullcrontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron*; cat /etc/cron*; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.denycat ~/.bash_history; cat ~/.nano_history; cat ~/.atftp_history; cat ~/.mysql_history; cat ~/.php_historyfind / -perm -g=s -o -perm -4000 ! -type l -maxdepth 6 -exec ls -ld {} \; 2>/dev/nullWhat I initially noticed was the date of /usr/bin/viewuser- it was 2018 meaning recently modified. I copied and pasted the other commands in to see what would happen. I also ran the command on my Kali machine
You could get that binary to execute a reverse shell with root access.
I learned some important stuff with this box. Check for sticky bits and look for binaries which are not standard in that version of linux. Also if your not sure what file is doing, add and echo command to see if it executes it.