# HackTheBox write-up - Irked

Hello lurkers. I've recently met the mysterious pentest guy who convinced me to participate in the hack night I wrote about months ago. We talked about many things, and eventually I ranted about how nothing ever came out of discussing the idea of a CTF group. To my surprise he announced that he would start one, and invited all kinds of people via Telegram to show up regularly at the hackerspace. For this reason I cleared my first box on hackthebox.eu and wanted to share the details with you.

You start with an IP address to connect to. An initial scan with nmap reveals that ports 22, 80 and 111 are open. SSH and rpcbind aren't that interesting for now, but a web server always is. When heading to the website in a browser, my worst fears are confirmed: this challenge is indeed about an IRCd, just as the name alludes to. I perform a full scan this time and get a few more ports, including 6697, an IRC port. Using irssi I can successfully connect to a network running UnrealIRCd. There is nothing else of interest there.

Typically you have to find a way to spawn a shell, and this challenge is no different. What's unusual here is that msfconsole actually lists an IRC-related exploit: a backdoor distributed with a specific version of UnrealIRCd that has made the rounds on the internet. The exploit works flawlessly, giving me a shell. It can be upgraded to something more user-friendly using `python -c "import pty; pty.spawn('/bin/sh')"`.

There are a few interesting things on this host. A full GNOME session shows up in the process list; besides that there's apache2 and exim. The user I'm looking to exploit is djmardov. I can locate their flag, but not read it. More interestingly there's a hidden .backup file that claims to contain a "Super elite steg backup pw". This refers to a sneaky way of hiding your password in another file, typically a bitmap image. The only one I've come across so far was on the website.

Using steghide with that password yields the user password, which allows me to become the regular user and read their flag.

To obtain the root flag, privilege escalation is required. There's no sudo on the machine and crontab doesn't show anything interesting, but surprisingly enough there's a suid binary that looks a bit off. It prints a typo-riddled usage hint, a list of users and an error because it cannot find /tmp/listusers. This is easily rectified by creating that file. Subsequent attempts to run the suid binary now complain about it not being executable, which confirms that you'll only have to turn it into a program giving you the flag. After some more experimentation it printed out the files owned by root, then exfiltrated the flag's contents.

Now for some ranting. This write-up makes things look far easier and more straightforward than they actually were. Actually solving the box was far more confusing because many people messed with it. You could never be sure which files and processes were part of the challenge unless you used a reset token on it, thereby killing everyone's progress. People made liberal use of these tokens. It took me three attempts to get the root flag because someone kept doing resets every few minutes. The only thing that helps here is paying for VIP access :( In case you're not willing to do this, I can only recommend not wasting time and approaching the problem with a clear plan, so you can execute your exploitation quickly.
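The root step above hinges on a setuid binary that hard-codes a path under /tmp, a directory anyone can write to. As an added example (not code from the write-up or from the box), here is a small Python audit a defender can run on a host to find setuid/setgid files that embed such paths; the directory list and the sample bytes in the test are constructed assumptions.

```python
import os
import re
import stat

# Directories that are normally world-writable. A privileged program that
# hard-codes a path under one of them will happily run whatever a local
# user puts there, which is exactly the weakness the setuid binary on this
# box has. The list is an assumption; extend it for your own systems.
WRITABLE_PATH_RE = re.compile(rb"(?:/tmp|/var/tmp|/dev/shm)/[A-Za-z0-9_./-]+")


def references_in_bytes(data):
    """Return the distinct world-writable paths embedded in raw file bytes."""
    return sorted({m.decode("ascii", "replace") for m in WRITABLE_PATH_RE.findall(data)})


def references_writable_dirs(path):
    """Like a targeted `strings | grep`: scan a file's raw bytes for such paths.

    Scanning bytes rather than text means ELF binaries and scripts both work.
    """
    with open(path, "rb") as fh:
        return references_in_bytes(fh.read())


def is_setuid(path):
    """True if `path` is a regular file with the setuid or setgid bit set."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def audit_setuid(root="/"):
    """Walk `root` and map each setuid/setgid file to the /tmp-style paths it embeds."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if not is_setuid(full):
                    continue
                refs = references_writable_dirs(full)
            except OSError:
                continue  # unreadable or vanished file; skip it
            if refs:
                findings[full] = refs
    return findings


if __name__ == "__main__":
    for binary, refs in audit_setuid("/usr").items():
        print(binary, "->", ", ".join(refs))
```

Any hit deserves a look: a privileged program should never depend on a path that unprivileged users control, and the fix is to move the dependency to a root-owned location or drop it entirely.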