Hack the Box Writeup: Irked

This was a pretty fun and straightforward little box that would be great practice for anyone studying for the OSCP.

Nmap shows a few things running:

PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    syn-ack ttl 63 Apache httpd 2.4.10 ((Debian))
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind syn-ack ttl 63 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          41522/udp  status
|_  100024  1          57945/tcp  status
6697/tcp  open  irc     syn-ack ttl 63 UnrealIRCd
8067/tcp  open  irc     syn-ack ttl 63 UnrealIRCd
57945/tcp open  status  syn-ack ttl 63 1 (RPC #100024)
65534/tcp open  irc     syn-ack ttl 63 UnrealIRCd

UnrealIRCd sticks out so I look at that first. Searchsploit shows some exploits:

I give the Metasploit exploit a shot and get a reverse shell:

I poke around and while I don't have permission to view the user flag, I do find what looks to be a steganography password:

Steganography is concealing data within another file (typically, but not limited to, image or sound files). I check the webserver and see this:

I save the image, 'irked.jpg', and use steghide to extract a password:

This password lets me ssh in as djmardov:

In his home directory is the user flag:

While enumerating the system, I search for SUID files and come across /usr/bin/viewuser. Let's see what happens when I try to run it:

Error messages like that are usually juicy clues for the next step. I check out /tmp/listusers and see that ircd has write access to it:

I use Metasploit again to get a shell as ircd and overwrite /tmp/listusers with a one-line reverse shell (nc was conveniently already on the system).

Make it executable:

With a netcat listener on my attacking machine, I return to the djmardov ssh session and run /usr/bin/viewuser to get a root reverse shell and the root flag:
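The root cause above is a SUID binary that executes a helper in /tmp owned by an unprivileged user. As an added defensive audit (my own script, not the author's or the box's code), this reports SUID executables under a tree that embed a path inside a scratch directory whose target is not root-owned or is group/world writable. The sandbox it builds is constructed for the demo; only the names viewuser and listusers come from the writeup.

```shell
#!/bin/sh
# Audit helper (added here, not from the writeup): find SUID executables
# under a tree that embed a path inside a scratch directory such as /tmp,
# and report when that path is controllable by a non-root user.

# Usage: audit_suid_tmp_refs <tree_to_scan> <scratch_dir>   e.g.  / /tmp
# Prints "suid_binary referenced_path REASON" for each risky pairing.
audit_suid_tmp_refs() {
  find "$1" -type f -perm -4000 2>/dev/null | while read -r bin; do
    # -a scans the binary as text; -o prints only the embedded path strings
    grep -ao "$2/[A-Za-z0-9._/-]*" "$bin" 2>/dev/null | sort -u |
    while read -r ref; do
      if [ ! -e "$ref" ]; then
        echo "$bin $ref MISSING (any local user could create it)"
        continue
      fi
      info=$(ls -ld "$ref")
      owner=$(printf '%s\n' "$info" | awk '{print $3}')
      gw=$(printf '%s\n' "$info" | cut -c6)   # group write bit
      ow=$(printf '%s\n' "$info" | cut -c9)   # other write bit
      if [ "$owner" != root ]; then
        echo "$bin $ref OWNED_BY_$owner"
      elif [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "$bin $ref WRITABLE_BY_NON_ROOT"
      fi
    done
  done
}

# Constructed demo: rebuilds the writeup's shape (a SUID viewuser that runs
# /tmp/listusers) inside a throwaway sandbox, then audits it.
demo_irked_layout() {
  sandbox=$(mktemp -d)
  mkdir -p "$sandbox/usr/bin" "$sandbox/tmp"
  printf '#!/bin/sh\nexec %s\n' "$sandbox/tmp/listusers" > "$sandbox/usr/bin/viewuser"
  chmod 4755 "$sandbox/usr/bin/viewuser"   # setuid bit, like the real binary
  printf '#!/bin/sh\necho users\n' > "$sandbox/tmp/listusers"
  chmod 666 "$sandbox/tmp/listusers"       # writable by anyone
  audit_suid_tmp_refs "$sandbox" "$sandbox/tmp"
  rm -rf "$sandbox"
}

demo_irked_layout
```

On a real host run `audit_suid_tmp_refs / /tmp` as root; the fix for any finding is to drop the SUID bit or move the helper to a root-owned, non-writable location and exec it by absolute path.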