SecGen Boot-to-Root UnrealIRC CTF Writeup

This is a write-up of one of the first practical - of many to come, whom we were given in accordance to my CREST CPSA Certification Module at University. Read more....

Preface

This virtual machine has been generated from the SecGen framework, ultimately with the unrealIRC vulnerability, but we'll act as if we don't know that is the main point of entry.


This is a write-up of one of the first practical - of many to come, whom we were given in accordance to my CREST CPSA Certification Module at University.

Table of Contents:

Task:

Ultimately to escalate to root privileges via the four stages:

  1. Reconnaissance
  2. Scanning
  3. Gaining Access
  4. Maintaining Access
  5. Covering Tracks

Lets begin!

Reconnaissance

What can be discovered about the host just by visiting it? is there a web server running? If so, we could probably get a pretty good indication of what the target operating system is, and its functionality - all from normal behavior as if we were a regular visitor.

I.E. IIS indicates Microsoft Windows, Apache or Nginx usually indicates a Linux-based environment. We now reduce the scope of possible vulnerabilities and things to test for later on.

Connecting to the ToE reveals no web server, or at least one that's running on the default port of 80
![navigating-to-in-browser]()

So, lets move on to scanning...

Scanning & Enumeration

Nmap scan for running services, their ports and purposed versions (useful for vulnerability detection) nmap -sV 192.168.0.45

21/tcp ProFTPD 1.3.5b

22/tcp SSH OpenSHH 7.4

6667/tcp IRC ircd

Testing for FTP Vulnerability

![]()

Reveals the interesting exploit (CVE-2015-3306)

Following the CVE, I'll attempt to login to the FTP server using "Anonymous" credentials. However, I find that "Anonymous Mode" is disabled, and we have no other credentials to use to authenticate - so we cannot use this exploit.

Testing for UnrealIRC Vulnerability

![searchsploit-unrealirc-vuln]()

Now this is a bit more interesting! I can see exploits that detail the facility to:

  • Denial of Service (Disruptive, sure, but not productive in the slightest...)
  • Remote Download/Execute
  • Backdoor Command Execution (With Metasploit providing a module)

Lets investigate:

https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor

To summarise, there was a backdoor added to the software package of a specific UnrealIRC version, which happens to the be version the ToE is running.

Exploiting UnrealIRC with Metasploit

I'm using Metasploit for both convenience and reliability. Why re-invent the wheel? The other vulnerabilities involves us manually creating specific payloads to the ToE hoping that they work.

I won't run through the details of how to get started with Metasploit, but this is the final options in the end:

![setup-metasploit-for-unrealirc]()

After running, we can see we have a successful shell by executing shell commands (the output such as whoami and irc is from the remote host / ToE):

![metasploit-successful]()

We have now gained access, note I have not screenshotted every single step.

Lets figure out the following:

  • Who are we connected as (IRC)
  • What directory are we in (unrealirc software directory)
  • What permissions do we have and where?
  • What Kernel is running, can we use this kernel version for privilege escalation?

![checking-kernel]()

We can use DirtyCow here, but I've used that before and it's got a 50/50 chance of success (it could break the remote Operating System due to how it modifies the /etc/shadow and /etc/passwd files), so I wanted to explore another manual route for educational purposes.

Are there any services running as Root that we could use to escalate with?

![check-for-installed-services-as-root]()
(this is just a snippet)
Nothing that stands out.

What applications are installed in the root bin?

/usr/bin is for your normal users, /usr/sbin is for root
![check-for-installed-apps-as-root]()

One thing that stands out is chkrootkit, where we can see a version number. Lets lookup for any vulnerabilities with chkrootkit 0.49

And sure enough, there is.

![searchsploit-chkrootkit]()

There's a Metasploit module, but since we already have a shell to ToE, we may as well use the other one first.

![viewing-chkrootkit-vuln]()
This is just a snippet, but it details that we can escalate to root by a mis-configuration of a function when chkrootkit is executed.

You can read up on it yourself, but essentially, if there is an executable file in /tmp/update, chkrootkit will run as root.

We can leverage this to input malicious code into /tmp/update to escalate privileges in a few ways. I done the most easiest and one that I know will work using pure Bash (or so I think)

echo 'chmod 777' /etc/sudoers && echo "irc ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 400 /etc/sudoers' > /tmp/update

Essentially the code does the following:

  1. Change the permissions of /etc/sudoers to 777, as /tmp/update is executed by root, this is allowed. Changing to 777 means anybody has any access to it.
  2. echo our current user irc into the /etc/sudoers file, allowing full SUDO command execution without requiring a password
  3. Changing /etc/sudoers back to 400 permissions, reverting it back to read-only as it needs to be.
  4. Finally, pipe all of this code into /tmp/update where it will be executed, again, with chkrootkit as root

At the moment the file is only a text file, so chkrootkit will not execute it. Lets make it executable so that the vulnerability can be facilitated.

chmod +x /tmp/update

chkrootkit runs on a crontab, default 24 hours, we can search for a crontab that says otherwise - but that's beyond scope of this, as we know the file will eventually execute.

This box has been designed so that chkrootkit is executed every minute or so.

We can check for successful execution:

![checking-for-escalation]()

Because /etc/sudoers now has an entry where the user irc can execute sudo commands without a password prompt, we can switch to the root user.

The figure above proves this, eventually using whoami to confirm we are root. We now have full control of this box, so looking for flags (should) be easy!

Lets check usual directories like home directories for files (I mean you can just regex find for anything containing "{}" for example)

![finding-flag]()

The value of the flag is randomly generated, but the file it is within is always the same (I think?)

Summary

Was a fun challenge, got to use Metasploit after discovering and enumerating vulnerable services using common fingerprinting techniques, once a shell was created, we managed to escalate from the irc user, whom is not a regular user as they have no home directory or shell environment.

We escalated to root by discovering installed applications that run as root, identifying if any of them can be exploited to ultimately gain privileges!

We didn't escalate directly to root, I placed simple bash code that added the irc user into the sudoers group, and because they are not a regular user, the irc user does not have a password - so the sudoers file was modified accommodating this.

When chkrootkit executes the /tmp/update file and the sudoers file is modified, we simply use the newly gained sudo privileges to switch to the root user.

As always, So long and thanks for all the fish!