Irked - [HTB]
![Cover Image for Irked - [HTB]](/assets/images/blog/irked-htb/Irked.png)
![Marmeus](/mstile-150x150.png)
Introduction
Today, I will show you how to get the user and root flags for the IRKED Virtual Machine.
![](/assets/images/blog/irked-htb/10000000000005F3000000246C6F5332D0698C1E.png)
Enumeration
As always we must be connected to the HTB network and start scanning irked’s ports.
nmap -sS -p- -sV -A 10.10.10.117
![](/assets/images/blog/irked-htb/1000000000000291000001258C932D7DFD0A92A2.png)
This time there are a lot of services, so many that I do not even know what they are used for.
SSH: There is always one of these for each VM
HTTP (Apache): Updated
- There is a weird picture at the main page
![](/assets/images/blog/irked-htb/1000020100000425000002CE0FE182523C582DCE.png)
Could an IRC program be running? vectortoons.com? Something hidden in the picture?
- I did not find anything interesting
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404
![](/assets/images/blog/irked-htb/1000000000000550000002C73735E0151572BD90.png)
Exploitation
rpcbind: Doing some research, I found an auxiliary module in Metasploit, but it did not work.
![](/assets/images/blog/irked-htb/10000000000001720000004BE8776FC65BDF388B.png)
ircs-u: Searching on Google I found an exploit that might work.
![](/assets/images/blog/irked-htb/10000000000003E2000001A5AD2BCF0EF532D04D.png)
It works!!!
Infi-async: I did not find anything on Google.
52346 & 65534: Same as before
It’s time to go for the user flag.
![](/assets/images/blog/irked-htb/1000000000000214000000B6B8D957D8C8DE1205.png)
It seems I do not have permissions to read the flag… But what is inside the .backup file?
![](/assets/images/blog/irked-htb/10000000000000F3000000493076DD865A72124E.png)
It seems like a password, but I tried it in SSH and it did not work out, so I thought it could be the passphrase needed to extract data from that weird image seen before.
![](/assets/images/blog/irked-htb/10000201000001DA000000B5790B73A7CB347E48.png)
There is data inside, so it is time to extract it.
![](/assets/images/blog/irked-htb/100000000000021700000070A35D68EDB0350A68.png)
As you can see, there is another password. Could it be the one for the SSH service?
![](/assets/images/blog/irked-htb/100000000000029E000000CBBE0ADA1ECC4BFE96.png)
It is the correct password.
User flag:
![](/assets/images/blog/irked-htb/100000000000017B000000294A3164F4C0A5C7BA.png)
Privilege escalation
Once we have got the user flag, it is time to escalate privileges and get the root flag. Thx b1ond
find / -perm -u=s -type f 2>/dev/null
This finds regular files with the SUID bit set and discards any error messages.
![](/assets/images/blog/irked-htb/10000201000001F4000001B59D6501DB5C686E21.png)
There are a lot of files, which did not seem unusual. However, “/usr/bin/viewuser” is different…
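Spotting one out-of-place entry in a long SUID list, as done above by eye, is something an administrator can automate. The following is an added example, not part of the original write-up: a shell function that runs the same find predicate and reports SUID files that are missing from an approved baseline or are writable by group/other. The function name `audit_suid` and the baseline file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up).
# audit_suid ROOT BASELINE
#   ROOT     - directory tree to scan (/ on a real host)
#   BASELINE - hypothetical text file, one approved SUID path per line
# Output, one finding per line:
#   UNEXPECTED <path>  SUID file that is not on the baseline
#   WRITABLE <path>    SUID file that group or other can modify
audit_suid() {
    root=$1
    baseline=$2
    # Same predicate as the find command above: regular files with the
    # SUID bit set, error messages discarded. Sorted for stable output.
    find "$root" -perm -u=s -type f 2>/dev/null | sort |
    while IFS= read -r path; do
        # -x whole-line match, -F fixed string (no regex), -q quiet
        if ! grep -qxF -- "$path" "$baseline"; then
            printf 'UNEXPECTED %s\n' "$path"
        fi
        # A SUID file that non-owners can write to can be replaced with
        # arbitrary code, so report it even when it is on the baseline.
        if [ -n "$(find "$path" -prune \( -perm -g=w -o -perm -o=w \) 2>/dev/null)" ]; then
            printf 'WRITABLE %s\n' "$path"
        fi
    done
}
```

On a real host this would be run as root, for example `audit_suid / /etc/suid-baseline.txt` (hypothetical path), with the baseline captured from a known-good install.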
![](/assets/images/blog/irked-htb/100000000000028D000000C770B458AA96455AE4.png)
What is this file???
![](/assets/images/blog/irked-htb/10000000000001AB000000283A24728F2CFFE67E.png)
It doesn’t exist.
As I found out by looking at what the other guys were doing with this file, it seems that it is capable of executing scripts. Hence, let’s create a script which reads the root flag.
So, I just need to create that file and give it executable permissions.
![](/assets/images/blog/irked-htb/10000000000002EE00000094190B5D4BE5C539DC.png)
Finally, I just need to execute the program viewuser.
![](/assets/images/blog/irked-htb/10000000000002810000011CF0A12FC85F33404A.png)
GOTCHAAA!!!