Hack The Box — Irked Writeup

MisterK
5 min read · Jan 8, 2021

Irked is an Easy, retired machine that is listed on Hack The Box. It was first released on November 17th, 2018, and was designed by MrAgent. There are likely many ways to exploit this box, but I used a trojan horse that was included on many mirror sites that distributed IRC server software called Unreal IRC. The CVSS Version 2.0 score for this is 7.5, which is classified as High. This CVE is identified as CVE-2010-2075.

Part One: Enumeration

As always, using a port scan is the crucial first step in identifying a solid pivot point. I enjoy using Legion for this, which also helps me identify CVEs. Usually. A port scan revealed several open ports.

So, we see OpenSSH and Apache, neither of which are in current versions, but they’re not old enough to be immediately interesting. As the scan continues, we see three IRC ports. IRC is both obscure and old, which is interesting. The name of the box furthers this intrigue.

Part Two: Discovering File Architecture

Any time a port scan reveals an open http port (usually 80 or 443), a Dirbuster scan is worth using. After a long scan, fairly little was found. Accessing the page through a web browser revealed this image:

There is nothing in the page source that is interesting here. This image is worth saving and checking for steganography, as it is all there is for the open http port, but it might just be pointing the user towards the IRC vulnerability.

Part Three: Is EFnet still a thing?

Legion didn’t return anything interesting related to the Unreal IRC software. Several search results exceeded the 5.0 CVE threshold, but none of them are compelling enough to stop pursuing an IRC exploitation.

Searchsploit is a good place to look next. This is very promising.

In practice, all four of these would be pretty interesting, but since this is a Hack The Box machine, Backdoor Command Execution and Remote Execute both sound like good options. Since both of these options use the same version of the software, I am going to attempt to use them without knowing for sure which version of Unreal IRC is being used. If I were less confident in this information, I would use an IRC client to connect to one of the open ports, and try to gain version information in a more formal process. However, I am confident that I have gamed this out reasonably well.

Part Four: Metasploit, From The Top

Starting Metasploit, I set local port and IP info specific to Hack The Box, and prepare to try the first exploit on the Searchsploit list.

Everything seems to go according to plan, until I have connectivity issues. After the second failure, I opened another terminal, and tried to ping Irked. Since it did not respond right away, I wait to see an ICMP packet come back before I try again. Well played, Hack The Box.

Metasploit is reliable, and I have a shell. I am ircd. From here, I assume the user flag is accessible.

That was a bad assumption. Whatever is in .backup is likely to offer a pivot point.

First, djmardov uses an IRC server, and now they are protecting steganography with the code that got me 30 free lives in the Contra machine at Skate Land? I can’t help but feel nostalgic.

Part Five: irked.jpg is Clearly Relevant

The note left in .backup suggests that steganography will provide the next pivot point, and only one image has been found. Steghide returns what is likely a password, and since there were no apparent web logins, this is likely djmardov’s SSH password.

Part Six: Using SSH Credentials to Find The User Flag

Noting that I had connection issues earlier, I make the suggested adjustments to my ovpn file, and get back at it. This does not work, which starts the “ping and wait” process again. I know where I am going, so getting the user flag is straightforward.

Part Seven: Root Access

Looking for files with the SUID flag set, I type find / -perm -4000 2>/dev/null. There is a binary that stands out to me, /usr/bin/viewuser. This file is trying to use a file in /tmp/listusers. After more connection issues, I add a file that will run /bin/sh and I try using viewuser again. This proves to offer root access, and immediate access to the root flag.
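The weakness in viewuser is a set-uid binary that trusts a path under /tmp, a directory any local user can write to. The following audit helper is an added example and is not part of the writeup or of the Irked machine: it lists set-uid files under a given root and reports any whose embedded strings reference a world-writable directory, so an administrator can review them before someone else does. It assumes a POSIX sh with find, tr and grep; the root to scan is a parameter so it can be pointed at a test directory rather than the whole filesystem.

```shell
#!/bin/sh
# Added example (not from the writeup): audit set-uid files for references
# to world-writable directories such as /tmp, /var/tmp and /dev/shm.
# A set-uid program that executes or reads a file from one of these paths
# can be redirected by any local user, which is exactly what viewuser does.

# Print every set-uid regular file under $1 (defaults to /), staying on one
# filesystem and silencing permission errors, as in the writeup's find command.
list_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# Print the world-writable paths mentioned in a file's printable strings.
# tr turns every non-printable byte into a newline so grep sees plain text;
# this avoids depending on the binutils 'strings' tool being installed.
tmp_refs_in() {
    tr -c '[:print:]' '\n' < "$1" | grep -oE '(/tmp|/var/tmp|/dev/shm)/[^[:space:]]*' | sort -u
}

# For each set-uid file under $1, print "file: referenced-path" lines for
# every world-writable path it references. Output is empty when nothing is found.
flag_tmp_refs() {
    list_suid "$1" | while IFS= read -r f; do
        tmp_refs_in "$f" | while IFS= read -r ref; do
            printf '%s: %s\n' "$f" "$ref"
        done
    done
}

# Stand-alone usage: audit the whole system (needs root to read every binary).
# flag_tmp_refs /
```

Any line this prints deserves a look: either the program should be using a path only root can write, or it should drop privileges before touching anything under /tmp. Running the audit periodically, or after package installs, catches the same class of issue before it becomes a privilege-escalation path.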
