Irked – HacktheBox

I learned about SUID with this box. The user access I found easy, I think I got user in under 10 minutes – that’s a first for me. The PE part took me sometime, which a few nudges!

where to order Pregabalin Skills Required
SUID knowledge

buy Pregabalin usa Skills Learned
Searching for sticky bits
Understanding a bit more about standard linux binaries
Adding echo command to a file to see if it executes it.

START

nmap -sC -sV -oA all -vv -p- 10.10.10.117

nmap imported into pentest.ws

I see that there is an IRC server and take took a look for a metasploit module.

metasploit search on pentest.ws
set RHOST and RPORT
have shell as ircd – need to upgrade shell.
I chose python 2  and upgraded to a better shell

After upgrading the shell I browsed to the home directory to see what users there were. I seen there was ircd – which I was logged in as and djmardov. Traversing into the djmardov user there were a few files – laid out in the Windows style

ircd@irked:/home/djmardov$ ls 
ls
Desktop Documents Downloads Music Pictures Public Templates Videos
ircd@irked:/home/djmardov$

I ran ls -laR to search for files within all the directories in djmardov and found the user.txt file as well as another hidden file called .backup.

I tried to view user.txt but couldnt – I’m not the user djmardov.

ircd@irked:/home/djmardov/Documents$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
ircd@irked:/home/djmardov/Documents$

I checked to see what was in the contents of .backup.txt

ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

Humm so I have a steg password for something – probably an image.

Back to review the nmap scan and see there is a http server.

It reveals an image – I guessed that this is the image that the steg password is for.

image on homepage

I downloaded the image to kali

I notice that the file name is irked – adding to my suspicions that this is the image that i need to decode

For some reason steghide is not installed by default in Kali so I did an apt-get install steghide to install it. Following the help page of it I extracted the data from the file as shown below.

captured another password – probably for the user djmardov
added creds to pentest.ws

I ssh’d in as dj

djmardov@irked:~$ cat Documents/user.txt 
4a66a78b12dc0e661a59d3f5c0267a8e
djmardov@irked:~$

The PE part took me a lot of time and I needed a few nudges. I’ll go through some my thoughts, some commands I used and what I was looking for.

djmardov@irked:/tmp$ sudo -l
-bash: sudo: command not found
djmardov@irked:/tmp$

Test to see what sudo command djmardov can run. He has not been given access to sudo. Sometimes you get lucky with this PE route.

nothing of note running as root
What is the server's Architecture cat /proc/version; uname -a; uname -mrs; rpm -q kernel; dmesg | grep Linux; ls /boot | grep vmlinuz-; file /bin/ls; cat /etc/lsb-release
Find apps installed;
ls -alh /usr/bin/; ls -alh /sbin/; dpkg -l; rpm -qa; ls -alh /var/cache/apt/archivesO; ls -alh /var/cache/yum/*;

nothing looks out of place here – checking versions of some apps.
Looking for writeable config files – none found
find /etc/ -writable -type f 2>/dev/null
What Scheduled jobs? – None
crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron*; cat /etc/cron*; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny
check to see if the system saves any history – maybe capture a password or username or interesting file in there – no luck

cat ~/.bash_history; cat ~/.nano_history; cat ~/.atftp_history; cat ~/.mysql_history; cat ~/.php_history
Look for binaries with the SUID or GUID bits set.

find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 6 -exec ls -ld {} \; 2>/dev/null

What I initially noticed was the date of /usr/bin/viewuser- it was 2018 meaning recently modified. I copied and pasted the other commands in to see what would happen. I also ran the command on my Kali machine

I compared it to my Kali machine as it is Debian based. Again viewuser stood out so requires more investigation 
running the binary says its looking for /tmp/listusers and can’t find it.
contents of /tmp
I created listusers with ‘echo this is a test’ inside it and ran. Permission denied. Meaning it found the file but obviously doesn’t have the permission to run it. I need to chmod it.
It worked! but what permissions does this file run as. Added whoami to the file
Success! It is running as root. Now to capture root.txt
root captured

You could get that binary to execute a reverse shell with root access.

I learned some important stuff with this box. Check for sticky bits and look for binaries which are not standard in that version of linux. Also if your not sure what file is doing, add and echo  command to see if it executes it.

rowbot

Share

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.