We begin with the standard tcp port scan, leading to the discovery of several open ports:
/tmp/tmp.QedYPECF6V ❯ hping3 -S --scan 1-65535 10.10.10.117 | grep -v "Not" | tee general/hping3/syn_scan 27s root@kali
Scanning 10.10.10.117 (10.10.10.117), port 1-65535
65535 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
All replies received. Done.
22 ssh : .S..A... 63 0 29200 44
80 http : .S..A... 63 0 29200 44
111 sunrpc : .S..A... 63 0 29200 44
6697 ircs-u : .S..A... 63 0 7300 44
8067 : .S..A... 63 0 7300 44
57624 : .S..A... 63 0 29200 44
65534 : .S..A... 63 0 7300 44
While waiting for a more detailed nmap scan, we visit the page hosted at port 80:

It's just a single image with some text on it. Hmmm… IRC… Interesting. We make a note of that.
A more detailed scan using nmap reveals some interesting information:
/tmp/tmp.QedYPECF6V ❯ nmap -sS -sC -sV -p- 10.10.10.117 -oA general/nmap/popular 25s root@kali
Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-22 17:19 NZST
Nmap scan report for 10.10.10.117
Host is up (0.031s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 33020/udp6 status
| 100024 1 34275/tcp6 status
| 100024 1 56604/udp status
|_ 100024 1 57624/tcp status
6697/tcp open irc UnrealIRCd (Admin email [email protected])
8067/tcp open irc UnrealIRCd (Admin email [email protected])
57624/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd (Admin email [email protected])
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.55 seconds
For starters, we get the OpenSSH and Apache versions, which turn out to be of no consequence. We also discover a possible username, djmardov, and a hostname, irked.htb, and we learn that the box is running UnrealIRCd on several ports, including 6697.
Running searchsploit against the nmap results points to a possible backdoor command execution in UnrealIRCd:
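A small added helper (not part of the original writeup) that turns the nmap XML written by -oA into a service inventory, pulls any username/hostname hint out of a banner's admin email, and flags products whose banner carried no version number. The sample XML below is constructed to mirror the scan above with a placeholder email, since the point is that the UnrealIRCd banner gives a product name but no version, so any exploit match on it is a candidate to verify rather than a confirmed hit.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment in nmap -oX layout; the admin email is a placeholder, not the real one.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><address addr="10.10.10.117" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/>
   <service name="ssh" product="OpenSSH" version="6.7p1 Debian 5+deb8u4" extrainfo="protocol 2.0"/></port>
  <port protocol="tcp" portid="80"><state state="open"/>
   <service name="http" product="Apache httpd" version="2.4.10" extrainfo="(Debian)"/></port>
  <port protocol="tcp" portid="6697"><state state="open"/>
   <service name="irc" product="UnrealIRCd" extrainfo="Admin email admin@example.invalid"/></port>
  <port protocol="tcp" portid="8067"><state state="open"/>
   <service name="irc" product="UnrealIRCd" extrainfo="Admin email admin@example.invalid"/></port>
 </ports></host>
</nmaprun>"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def inventory(xml_text):
    """One dict per open port: product, version (None when the banner gave none),
    plus username/hostname hints taken from an email address in the banner text."""
    root = ET.fromstring(xml_text)
    rows = []
    for port in root.iter("port"):
        state = port.find("state")
        svc = port.find("service")
        if state is None or state.get("state") != "open" or svc is None:
            continue
        match = EMAIL_RE.search(svc.get("extrainfo", ""))
        user, host = match.group().split("@", 1) if match else (None, None)
        rows.append({
            "port": int(port.get("portid")),
            "product": svc.get("product"),
            "version": svc.get("version"),  # None: searchsploit can only match on the name
            "username_hint": user,
            "hostname_hint": host,
        })
    return rows


def unconfirmed_versions(rows):
    """Products the banner identified by name only; exploit hits for them (for example
    an 'UnrealIRCd 3.2.8.1' entry) still need the real version confirmed."""
    return sorted({r["product"] for r in rows if r["product"] and r["version"] is None})
```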
/tmp/tmp.QedYPECF6V ❯ searchsploit --nmap general/nmap/popular.xml | tee general/searchsploit
[i] /usr/bin/searchsploit -t unrealircd
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | windows/dos/27407.pl
------------------------------------------------------------------------------------------------------------------------ ------------------------
Some further research using Google reveals that a specific version of UnrealIRCd is vulnerable to backdoor command execution.

Scrolling further down, we discover how to trigger the exploit.
