14 January, 2019
HackTheBox is a free pen-testing lab where you can prove yourself as a hacker
nmap this box.
nmap -sC -sV 10.10.10.117
We see an open port 80. Lets check that website. A weird big smiley and a message:
IRC is almost working!
so lets nmap again but scan all ports - speed it up with the -T parameter
nmap -sC -sV -p- -T5 10.10.10.117
Ah some ports for
IRC. I download
Hexchat and connect to these.
With /list I get all channels but there is none. With /admin I get infos about the admin,
but there is none. With /info I get info about the server and I see that this is a Unreal18.104.22.168
After a while I decided to ask
metasploit if it maybe knows an exploit for that IRC-server.
It does and quickly opens a connection via a backdoor I dont care to understand .
Before we continue: There was also another HTTP port on
8000. There was a user.txt which lead to 404 and a .backup which contained a password and a hint that I have to use stenography.
I download the image from port
80 and use
steghide with the password I found and retrieved another password.
Back to the backdoored shell: I checkout
/etc/passwd and got a user which i promptly used for a SSH connection. Together with the password I just retrieved, I got a proper SSH connection.
Now to the root-flag.
LinEnum.sh with scp to the server and execute it. Some unusual
setuid flags. I don't know
viewuser. When executing it, the returning messages contain spelling-mistakes. Yes - this got to be it.
It needs permission for the
listusers directory.. or file? Trying both with
777 permissions. Then executing
viewuser again. Nothing happens. Maybe write a command into the
listusers-file? Something easy like
id. Again executing
viewuser - well I guess this
viewuser binary executes anything written into the
listusers file. You can figure out the rest, can't you?
No wonder this box got owned in about 10 minutes.
Author: Marcel Michelfelder