14 January, 2019
HackTheBox is a free pen-testing lab where you can prove yourself as a hacker.
So let's nmap this box.
nmap -sC -sV 10.10.10.117
We see an open port 80. Let's check that website. A weird big smiley and a message:
IRC is almost working!
So let's nmap again, but scan all ports and speed it up with the -T parameter:
nmap -sC -sV -p- -T5 10.10.10.117
Ah, some ports for IRC. I download HexChat and connect to these.
With /list I get all channels, but there are none. With /admin I get info about the admin, but there is none. With /info I get info about the server and see that this is an Unreal3.2.8.1 server.
After a while I decided to ask Metasploit if it maybe knows an exploit for that IRC server.
It does and quickly opens a connection via a backdoor I don't care to understand.
Before we continue: there was also another HTTP port on 8000. There was a user.txt which led to a 404 and a .backup which contained a password and a hint that I have to use steganography.
I download the image from port 80, use steghide with the password I found and retrieve another password.
Back to the backdoored shell: I check /etc/passwd and get a user which I promptly use for an SSH connection. Together with the password I just retrieved, I get a proper SSH connection.
User flag secured.
Now to the root flag.
I copy LinEnum.sh to the server with scp and execute it. Some unusual setuid flags. I don't know viewuser. When executing it, the returned messages contain spelling mistakes. Yes, this has got to be it.
It needs permission for the listusers directory... or file? I try both with 777 permissions. Then I execute viewuser again. Nothing happens. Maybe write a command into the listusers file? Something easy like id. Executing viewuser again: well, I guess this viewuser binary executes anything written into the listusers file. You can figure out the rest, can't you?
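The weakness behind that last step is a setuid program that reads (and runs) a file anyone on the box can write. The audit helper below is an added example, not code from this post, that looks for exactly that pattern: it extracts the absolute paths embedded in each setuid/setgid binary and reports any that are world-writable. It assumes only POSIX tools (tr, grep, ls, find), and the viewuser/listusers fixture in demo() is constructed for illustration.

```shell
# Added example, not code from the original post: audit helper for the
# pattern behind the last step, a setuid program that reads a file anyone
# on the box can write. Assumes only POSIX tools (tr, grep, ls, find).

# Print the absolute paths embedded in a binary or script ($1), one per line.
embedded_paths() {
    tr -c '[:print:]\n' '\n' < "$1" | grep -oE '/[A-Za-z0-9_./-]+' | sort -u
}

# Report every existing path referenced by $1 that is world-writable.
# Returns 0 if at least one was found (a finding), 1 otherwise.
# Symlinks are followed (ls -L) so a link's own rwxrwxrwx is not counted.
world_writable_deps() {
    found=1
    for p in $(embedded_paths "$1"); do
        [ -e "$p" ] || continue
        mode=$(ls -ldL "$p" | cut -c1-10)   # e.g. -rwxrwxrwx
        case "$mode" in
            ????????w?) echo "$1 -> $p ($mode)"; found=0 ;;
        esac
    done
    return $found
}

# Walk a filesystem for setuid/setgid files and audit each one.
audit_setuid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while read -r bin; do world_writable_deps "$bin" || true; done
}

# Constructed fixture mirroring the writeup: a stand-in "viewuser" that runs
# whatever is in a 777 "listusers" file. Prints the finding and cleans up.
demo() {
    d=$(mktemp -d)
    printf 'id\n' > "$d/listusers"
    chmod 777 "$d/listusers"
    printf '#!/bin/sh\nsh %s\n' "$d/listusers" > "$d/viewuser"
    chmod 4755 "$d/viewuser"
    world_writable_deps "$d/viewuser"; rc=$?
    rm -rf "$d"
    return $rc
}
```

Run audit_setuid on a real host (as root, so every setuid binary is readable) to get the same report for the whole filesystem; an empty result means no setuid program references a world-writable path.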
No wonder this box got owned in about 10 minutes.
Author: Marcel Michelfelder