- Vulnerability: Backdoor Command Execution in UnrealIRCd
- Explanation: A malicious backdoor was added to UnrealIRCd version 3.2.8.1 (the version targeted by the Metasploit module used below)
- Vulnerability: suid executable viewuser
- Explanation: It executes as root and looks for another file to execute from a path we control, which can be exploited
nmap -p- -A -T4 10.10.10.117
TCP 22: OpenSSH 6.7p1
TCP 80: Apache 2.4.10
TCP 111: RPC #100000
TCP 6697, 8067, 65534: UnrealIRCd
TCP 48953: RPC #100024
Initial Shell Exploitation
Let’s first check out the website on port 80.
There’s only an image and a short text about IRC. There are no other links and no robots.txt. I then run a gobuster scan, but it does not return any additional web pages of interest.
I then do a quick check on the UnrealIRCd ports 6697, 8067 and 65534 but do not find any additional information.
There’s not much else to check, so I look for known vulnerabilities in UnrealIRCd.
There’s a Backdoor Command Execution exploit available in Metasploit for UnrealIRCd version 3.2.8.1. Let’s give it a try.
use exploit/unix/irc/unreal_ircd_3281_backdoor
set rhosts 10.10.10.117
set rport 6697
A low-privilege shell as user ircd is obtained.
Privilege Escalation – Part 1
Let’s do some poking around the /home folder. User ircd does not have any files of interest, but there’s a file .backup that looks interesting under user djmardov’s Documents folder:
There seems to be a password. Let’s try to log in as djmardov using it:
Unfortunately, that doesn’t work. Let’s examine the .backup file again. It contains the sentence ‘Super elite steg backup pw’. The word steg suggests the password is hidden using some steganography technique.
Recall that there is an unhappy smiley face on the website. Let’s download it and see if any information is hidden in it using the steghide command:
All right! We got another password. Let’s try to ssh in as djmardov:
That’s it! We get in as djmardov, and we get the user.txt!
Privilege Escalation – Part 2
After poking around the system for a while, I find a file with the suid bit set that looks interesting. The command below lists files with the suid bit that are owned by root:
find / -perm -4000 -user root 2> /dev/null
The command viewuser looks interesting. Let’s try to run it:
It does not give us a root shell, but the output shows that the program tries to execute a file at /tmp/listusers. Let’s copy the dash binary to that path and try again:
Bingo! Root shell obtained. Let’s get our root flag:
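The viewuser privilege escalation works because a setuid-root program executes a fixed path inside a world-writable directory that any local user can create. As an added defensive example (not code from the original write-up or from the box), the check such a helper should apply before trusting its exec target; the function names and sample paths are my own choices:

```python
import os
import stat
from typing import Tuple

# Added example, not from the original write-up: the check a setuid-root
# helper (or an auditor reviewing one) should apply before executing a path.
# viewuser trusts /tmp/listusers, a file under a world-writable directory that
# any local user can create, which is exactly what this check rejects.

GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def root_owned_and_locked(st_uid: int, st_mode: int) -> bool:
    """True if the inode is owned by root and writable only by its owner."""
    return st_uid == 0 and not (st_mode & GROUP_OR_WORLD_WRITABLE)


def exec_target_check(path: str) -> Tuple[bool, str]:
    """Decide whether a privileged program may execute `path`.

    Returns (safe, reason). The target must be an absolute path to an existing
    regular file, and the file plus every directory above it (after resolving
    symlinks) must be root-owned and not group/world writable.
    """
    if not os.path.isabs(path):
        return False, "relative path: resolved against caller-controlled cwd"
    real = os.path.realpath(path)
    if not os.path.isfile(real):
        # A missing target is the viewuser case: a local user can create it.
        return False, f"{real} does not exist or is not a regular file"
    # Walk from the file up to "/", checking each path component.
    current = real
    while True:
        st = os.stat(current)
        if not root_owned_and_locked(st.st_uid, st.st_mode):
            return False, f"{current} is not root-owned or is group/world writable"
        parent = os.path.dirname(current)
        if parent == current:  # reached "/"
            return True, f"{real} is trusted along its whole path"
        current = parent


if __name__ == "__main__":
    # /tmp/listusers is the path viewuser trusts; /bin/sh is a normal system binary.
    for candidate in ("/tmp/listusers", "/bin/sh"):
        print(candidate, exec_target_check(candidate))
```

Even if /tmp/listusers exists, the walk rejects it because /tmp itself is world-writable (mode 1777); the sticky bit does not help, since the attacker creates the file rather than modifying someone else's.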
Thank you for the box Irked, MrAgent!