14 January, 2019

HackTheBox is a free pen-testing lab where you can prove yourself as a hacker

So let's nmap this box.

nmap -sC -sV <target-ip>

We see an open port 80. Let's check that website. A weird big smiley and a message:

IRC is almost working!

So let's nmap again, but scan all ports and speed it up with the -T parameter:

nmap -sC -sV -p- -T5 <target-ip>

Ah, some ports for IRC. I download HexChat and connect to them.

With /list I get all channels, but there is none. With /admin I get info about the admin, but there is none. With /info I get info about the server and I see that this is an Unreal3.2.8.1.


After a while I decided to ask Metasploit whether it knows an exploit for that IRC server.

It does and quickly opens a connection via a backdoor I don't care to understand 🙈.

Before we continue: there was also another HTTP port, 8000. There was a user.txt which led to a 404, and a .backup which contained a password and a hint that I have to use steganography.

I download the image from port 80 and use steghide with the password I found, which retrieves another password.

Back to the backdoored shell: I check out /etc/passwd and get a user, which I promptly use for an SSH connection. Together with the password I just retrieved, I get a proper SSH connection.

🚩 User flag secured.

Now to the root flag.

I take with scp to the server and execute it. Some unusual setuid flags. I don't know viewuser. When executing it, the returned messages contain spelling mistakes. Yes, this has got to be it.

It needs permission for the listusers directory... or file? Trying both with 777 permissions. Then executing viewuser again. Nothing happens. Maybe write a command into the listusers file? Something easy like id. Again executing viewuser. Well, I guess this viewuser binary executes anything written into the listusers file. You can figure out the rest, can't you?
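The root step rests on two conditions a sysadmin can check for on their own machines: a setuid binary that is not part of the system's known baseline, and a world-writable file that such a binary consumes. The audit below is an added example, not code from the writeup or from the box; it assumes a baseline file with one expected setuid path per line (built by the admin from a clean install), and the AUDIT_ROOT / AUDIT_BASELINE variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original writeup): report setuid/setgid files
# that are not in an admin-maintained baseline, plus world-writable regular
# files. Baseline format (hypothetical): one absolute path per line.

# Print setuid/setgid regular files under $1 that are not listed in baseline $2.
audit_setuid() {
    root=$1
    baseline=${2:-/dev/null}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        if ! grep -qxF "$path" "$baseline"; then
            printf 'UNEXPECTED SETUID: %s\n' "$path"
        fi
    done
}

# Print world-writable regular files under $1. A setuid program that reads
# commands from such a file hands its privileges to every local user.
audit_world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null |
    while IFS= read -r path; do
        printf 'WORLD-WRITABLE: %s\n' "$path"
    done
}

# Number of findings, so a cron job or CI check can fail on anything but 0.
audit_count() {
    { audit_setuid "$1" "$2"; audit_world_writable "$1"; } | grep -c . || true
}

# Usage: AUDIT_ROOT=/ AUDIT_BASELINE=/etc/setuid.baseline sh audit.sh
if [ -n "${AUDIT_ROOT:-}" ]; then
    audit_setuid "$AUDIT_ROOT" "${AUDIT_BASELINE:-/dev/null}"
    audit_world_writable "$AUDIT_ROOT"
fi
```

Anything the first function prints should be traced back to a package or a documented install before it is trusted; anything the second prints next to a setuid binary is the pattern this box was rooted through.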

No wonder this box got owned in about 10 minutes. 💣

Author: Marcel Michelfelder
