HTB — IRKED

MACHINE IP :- 10.10.10.117

Nmap

Here when we start enumeration we got to see that there is an image at http port we got a image and nothing else but a hint “IRC is almost working!” and at nmap we got see that there is a service running at port 6697 irc UnrealIRCD when we begin to search for exploit we got a metasploit exploit

So here we get our user shell , now let’s check for post exploitation but before that let’s take a proper shell using python command

Now let’s search for some config files so that we can get some hints to move for root shell

and here we got our user.txt flag but are unable to read it because other users are not having permission to read it but at .backup we find some sensitive information which can help us in getting djmardov user as we can see that .backup file is having a password which indicates STEG = Steganography it is a technique to hide secret inside a file

Now we are having the password to open the steg file but the main way is to find the file having the secret , after lot of enumeration i came to hint as steg can be hidden in jpg,wav file , i remember a JPG file at port http

And then i search for Steganographic Decoder and found it at decoder here i placed the password we got from .backup and placed downloaded image we got from http 👆

BINGO!!! we got the password “Kab6h+m+bbp2J:HG” now let’s try to connect to ssh using this password for djmardov and yup we got in the ssh using this password

YUP we got the djmardov user and now we can read the user flag

Now coming to root privilege escalation i begin with LinEnum.sh file to enumerate and there i found a suid file which seems to be new to suid

As this is new to suid i was very curious to see what it does so i run it and it came with a error showing /tmp/listusers not found and when i made listusers file manually it runs properly

As we know that this is taking something form listusers file what if we give our nc shell in listusers file ,let’s check it out are we getting any solution or not

THANKYOU …. 😄 🏁

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store