Write up :- Hackthebox Irked
USER Owned
- I started from scanning the given IP -> 10.10.10.117
- By Nmap result I came to know that apache, ssh , and irc service are working, So I opened the IP in Browser, I got this.
- On the webpage Its clearly written that IRC is working.
- I used Searchsploit for Exploiting IRC.
- Command -> searchsploit Unreal.
User Owning
- So the exploit is available is Metasploit Framework.
- I started msfconsole and search UnrealIRCd
- I got the module
- Commands :-
- use exploit/unix/irc/unreal_ircd_3281_backdoor
- set RPORT 6697
- set RHOST 10.10.10.117
- exploit
- From this I got Shell of the server.
- Then I started to find flag
- Using the IRC exploit we got the Low Privilege shell, searching for the user.txt file, I found that user.txt is in the other user Documents folder but we don’t have the permission to open the file.
- .backup file gives us some interesting info.
- So I used steghide on the png I downloaded from the webpage.
- Command :- steghide extract -sf irked.png
- password :- UPupDOWNdownLRlrBAbaSSss
- It Created a file name pass.txt where I got this password.
- Password: Kab6h+m+bbp2J:HG
- So I tried to login ssh from user djmardov and Password :- Kab6h+m+bbp2J:HG
- I successfully login in ssh and Started digging it out.
- Here I again tried to cat user.txt and i got the user flag
- I started from scanning the given IP -> 10.10.10.117
Root Owning
- Now i need to find root flag but problem was that i was a user not a root.
- I started digging google for escalation and find one command.
find / -perm -u=s -type f 2>/dev/null- By this I founded a suspicious file named viewuser in /usr/bin/viewuser.
- By executing that file I gained Root access in ssh.
- I founded a file named root.txt in root directory.
