Hackthebox :- Irked (Root Owned)

Write up :- Hackthebox  Irked 


    • USER Owned

      • I started from scanning the given IP -> 10.10.10.117 

         

      • By Nmap result I came to know that apache, ssh , and irc service are working, So I opened the IP in Browser, I got this.
          

      • On the webpage Its clearly written that IRC is working.
      • I used Searchsploit for Exploiting IRC.
        • Command -> searchsploit Unreal.
      • User Owning 

      • So the exploit is available is Metasploit Framework.
      • I started msfconsole and search UnrealIRCd
      • I got the module 

        • Commands :-
          • use exploit/unix/irc/unreal_ircd_3281_backdoor
          • set RPORT 6697
          • set RHOST 10.10.10.117
          • exploit
      •  From this I got Shell of the server.
       

      •  Then I started to find flag
      • Using the IRC exploit we got the Low Privilege shell, searching for the user.txt file, I found that user.txt is in the other user Documents folder but we don’t have the permission to open the file.
      •  .backup file gives us some interesting info.
      • So I used steghide on the png I downloaded from the webpage.
        • Command :- steghide extract -sf irked.png 
        • password :- UPupDOWNdownLRlrBAbaSSss
      • It Created a file name pass.txt where I got this password. 
        • Password: Kab6h+m+bbp2J:HG
      • So I tried to login ssh from user djmardov and Password :- Kab6h+m+bbp2J:HG
       
      • I successfully login in ssh and Started digging it out.
      • Here I again tried to cat user.txt and i got the user flag
  •  Root Owning

      • Now i need to find root flag but problem was that i was a user not a root.
      • I started digging google for escalation and find one command.
        • find / -perm -u=s -type f 2>/dev/null
      • By this I founded a suspicious file named viewuser in /usr/bin/viewuser.
      • By executing that file I gained Root access in ssh.
      • I founded a file named root.txt in root directory.

Follow by Email