Irked


Last updated 4 years ago

Overview

Initial Foothold: Exploitation of an UnrealIRCd vulnerability

Privilege Escalation: The SUID bit was set on the viewuser command

Enumeration

Port Scanning

Start with a full port scan:

kali@kali:~/htb/10.10.10.117$ sudo nmap -sS -T4 -A -p- 10.10.10.117
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          50423/udp6  status
|   100024  1          53648/tcp6  status
|   100024  1          56193/tcp   status
|_  100024  1          58340/udp   status
6697/tcp open  irc     UnrealIRCd
8067/tcp open  irc     UnrealIRCd

There was nothing important on the web page.

The page indicated that IRC was running, and the nmap scan confirmed that UnrealIRCd was listening on ports 6697 and 8067.

Let's search for this on Google.

Got some exploits

Summary

Got exploits for a vulnerable version of IRC

Exploitation

Let's use an exploit from GitHub to get a reverse shell.

I used the above exploit to exploit this version of IRC.

This exploit requires changing the local IP and local port in its script.

Before running the exploit, set up a netcat listener on port 80, then run it.

Got a shell as the ircd user.

Privilege Escalation

Let's find out which commands have the SUID bit set:

find / -perm /4000 2>/dev/null

viewuser looks like a non-standard command that has the SUID bit set.

Let's run that command.

Reviewing the output, this command was trying to run a binary named listusers in the /tmp folder, and there wasn't any listusers binary in the /tmp folder.

Maybe we can create our own executable named listusers in the /tmp folder and then run the viewuser command again. Because the SUID bit is set, this command will run as the root user and we will have a root shell.
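A defender-side check for the flaw described above, added here as an example (not code from the original writeup): it extends the `find` SUID search by flagging SUID files that embed an absolute path whose directory is world-writable, which is the `/tmp/listusers` pattern. The function names and the constructed sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): flag SUID files that embed an
# absolute path inside a world-writable directory, e.g. /tmp/listusers.
# Heuristic: only literal paths stored in the file are seen.

# Succeeds if $1 is a directory that any user can write to.
# -H makes find examine the target when $1 is a symlink such as /bin.
is_world_writable_dir() {
    [ -d "$1" ] && [ -n "$(find -H "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# Print each absolute path embedded in file $1 whose parent directory is
# world-writable, so a local user could plant or replace that file.
writable_refs() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
        grep -o -E '/[A-Za-z0-9_.+-]+(/[A-Za-z0-9_.+-]+)+' |
        sort -u |
        while IFS= read -r p; do
            if is_world_writable_dir "$(dirname "$p")"; then
                printf '%s\n' "$p"
            fi
        done
}

# Report every SUID file under $1 (default /) that has such references.
audit_suid() {
    find "${1:-/}" -type f -perm -4000 2>/dev/null |
        while IFS= read -r bin; do
            refs=$(writable_refs "$bin" | tr '\n' ' ')
            if [ -n "$refs" ]; then
                printf '%s -> %s\n' "$bin" "$refs"
            fi
        done
}

# Constructed sample: a fake "binary" holding one path in a 0777 directory
# and one in a 0755 directory; only the first should be reported.
demo_constructed() {
    ww=$(mktemp -d) && safe=$(mktemp -d) || return 1
    chmod 0777 "$ww"; chmod 0755 "$safe"
    printf 'ELF\001\002%s/listusers\001%s/helper\001' "$ww" "$safe" > "$safe/fakebin"
    writable_refs "$safe/fakebin" | sed "s|^$ww|<world-writable>|"
    rm -rf "$ww" "$safe"
}

# Run a real scan only when asked: sh audit.sh --scan [dir]
if [ "${1:-}" = "--scan" ]; then audit_suid "${2:-/}"; fi
```

A hit means the SUID program may execute or read a file that any local user can create, so the binary should be removed, have its SUID bit cleared, or be changed to use a root-owned path.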

Create binary using C language

Write code in C to get root privileges.

Then compile the above code and put the binary, named listusers, in the /tmp folder:

gcc listusers.c -o listusers

Now re-run the viewuser command.

And got root access.

Create binary using bash

Simply create the binary using a bash script.

Got a shell as the root user.

That's all for this box

Thank you :)

GitHub - Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor: My backdoor script for a vulnerable version of UnrealIRCd