Irked | HTB | Write-up

Nehal Zaman
Jan 19, 2021

Irked is an easy-level retired box on HackTheBox.

Initially, thorough scanning reveals an interesting service. Using that, we get a shell. Then we do some manual enumeration to get a shell as another user, followed by abusing a binary to gain full control as root.

With that said, let us begin.

SCANNING :

A quick scan reveals ports 22, 80 and 111 to be open.

Then a service version scan on the found ports reveals that OpenSSH 6.7p1 is running on port 22, Apache httpd 2.4.10 on port 80 and rpcbind on port 111.

ENUMERATION :

Since HTTP has a large attack surface, let us begin with that first.

The webpage on port 80 looks like :

It says there is an IRC service at work. But I do not remember any port hosting an IRC service.

Let us do a full port scan to see if I missed something.

Indeed! There is a lot more going on.

Let us now do a service version scan on the extra ports.

Now we know UnrealIRCd is running on the server.

After some googling, I found UnrealIRCd version 3.2 contains a backdoor trojan in its download archive. This allows a hacker to execute arbitrary code by sending the string ‘AB’, which triggers the backdoor, followed by the payload. You can learn more about it here.

However, I found this exploit on GitHub that does the same thing. Let us try it out.

EXPLOITATION :

Let us set up a netcat listener and run the Python code.

It worked! And we now have a shell as user ircd.

SHELL AS djmardov :

There is something interesting in the Documents directory of user DjMardov’s home directory.

If we look at .backup file :

It seems to contain a password for some stego job. As far as I remember, there is only one image that I saw in the website’s root directory. Let us save that and see if we can get something.

I got something interesting with the passphrase and the image. It seems to be the password for the user DjMardov. Let us try that out.

We got a shell as DjMardov. Now you can read the user flag.

PRIVILEGE ESCALATION :

Let us check for files with the SUID bit set.

Everything is fine, but /usr/bin/viewuser caught my eye.

As you can see, it is owned by root and has the SUID bit set.

If I run strings on the binary :

This binary seems to run another binary, /tmp/listusers. By this, I may be able to escalate my privileges. I can create my own binary in the /tmp directory and run it with the viewuser binary.

I created a C code snippet in /tmp and compiled it with gcc under the name listusers. So, when the viewuser binary is run, it will cause /tmp/listusers to run, and that will pop a /bin/sh shell as root for us. Let us do that.

BINGO! We are ROOT.
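Seen from the defender's side, the flaw is a root-owned SUID binary that executes a path inside a world-writable directory. The following is an added example, not part of the original write-up or of the box's own code: it audits SUID-root binaries for such embedded paths, generalising the manual `strings` check above. The directory list, function names and sample bytes are assumptions constructed for illustration.

```python
import os
import re
import stat

# Directories any local user can write to (assumed list; extend per host).
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Same idea as strings(1): runs of printable ASCII at least 4 bytes long.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Absolute-path-looking token inside a printable run.
_ABS_PATH = re.compile(r"/[A-Za-z0-9._/+-]+")


def writable_path_refs(blob: bytes) -> list[str]:
    """Return embedded paths that point into world-writable directories."""
    hits = []
    for run in _PRINTABLE_RUN.findall(blob):
        for path in _ABS_PATH.findall(run.decode("ascii")):
            if path.startswith(WORLD_WRITABLE_PREFIXES) and path not in hits:
                hits.append(path)
    return hits


def is_root_suid(path: str) -> bool:
    """True for a regular file owned by root with the SUID bit set."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode) and st.st_uid == 0
            and bool(st.st_mode & stat.S_ISUID))


def audit(root: str = "/usr/bin") -> dict[str, list[str]]:
    """Map each SUID-root binary under root to the risky paths it embeds."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if is_root_suid(full):
                    with open(full, "rb") as fh:
                        refs = writable_path_refs(fh.read())
                    if refs:
                        findings[full] = refs
            except OSError:
                continue  # unreadable or vanished file: skip it
    return findings


# Constructed sample bytes, shaped like part of a binary such as viewuser.
SAMPLE = b"\x7fELF\x01\x01\x00setuid\x00system\x00/tmp/listusers\x00/lib/ld-linux.so.2\x00"

if __name__ == "__main__":
    print(writable_path_refs(SAMPLE))
    for binary, refs in audit().items():
        print(binary, "->", refs)
```

A hit is a lead for review rather than proof, since the binary may only read or log the path; the fix for a confirmed case is to remove the SUID bit or to move the helper to a root-owned, non-writable location.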

So that was Irked from HackTheBox. Easy and fun box.

Thank You for reading this far. Hope you liked the write-up. I will see you in the next one. PEACE.
