🟢irked

IRC | .BACKUP | VULNERABLE BINARY

Recon & Enum

port scan

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
6697/tcp  open  ircs-u
8067/tcp  open  infi-async
60188/tcp open  unknown
65534/tcp open  unknown

Directory scan

/.html                (Status: 403) [Size: 292]
/index.html           (Status: 200) [Size: 72]
/manual               (Status: 301) [Size: 313] [--> http://10.10.10.117/manual/]
/.html                (Status: 403) [Size: 292]
/server-status        (Status: 403) [Size: 300]

website

their is just a picture on the web page

shell as ircd

just google a little & i found this exploit for irc

Unreal-IRC-exploit/unrealIRCd_exploit.py at master · Ch4ng3TheW0rld/Unreal-IRC-exploitGitHub

privesc ircd =>djmardov

i found a .backup file , it has a steg password.

ircd@irked:/home/djmardov/Documents$ cat .backup

Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

Now i think the image on web page is related to this because the password says steg backup pw we are able to extract the information of a stego file using this setg password

steghide extract -sf irked.jpg 

Kab6h+m+bbp2J:HG

we got a new password Kab6h+m+bbp2J:HG , with this we can do su or ssh

privesc djmardov => root

linpeas.sh

i found a binary viewuser in /usr/bin , on executing :-

djmardov@irked:/usr/bin$ viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2023-05-10 02:44 (:0)
djmardov pts/1        2023-05-10 05:56 (10.10.16.4)
sh: 1: /tmp/listusers: not found

in last line it says /listusers not found , so i created a file in tmp directory , inserted reverse shell in it & make it executable , and after that when i run viewuser , i got the rev shell as root