SunsetNoontide

nmap

(base) [psdon@arch sunsetnoontide]$ sudo rustscan -a 192.168.85.120 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan                                                                                     
[sudo] password for psdon:                                                                                                                                                                                           
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.                                                                                                                                                             
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |                                                                                                                                                             
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |                                                                                                                                                             
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'                                                                                                                                                             
The Modern Day Port Scanner.                                                                                                                                                                                         
________________________________________                                                                                                                                                                             
: https://discord.gg/GFrQsGy           :                                                                                                                                                                             
: https://github.com/RustScan/RustScan :                                                                                                                                                                             
 --------------------------------------                                                                                                                                                                              
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan                                                                                                                                     
                                                                                                                                                                                                                     
[~] The config file is expected to be at "/root/.rustscan.toml"                                                                                                                                                      
[~] Automatically increasing ulimit value to 5000.                                                                                                                                                                   
Open 192.168.85.120:6667                                                                                                                                                                                             
Open 192.168.85.120:6697                                                                                                                                                                                             
Open 192.168.85.120:8067 

You can see there are 3 open ports, all running UnrealIRCd

Log in to IRC using HexChat

First, add a server in the HexChat application

Edit the configuration with the machine IP Address and the port, and close the window

After doing that you should be able to connect, and you can see the UnrealIRCd version (3.2.8.1)

Searchsploit

Let's copy the "UnrealIRCd 3.2.8.1 - Remote Downloader/Execute" exploit to our local machine

If you analyze the source code, you will notice that the script just sends the payload directly to the IRC server right after connecting to it

The payloads are prefixed with BC; ahead of the command to be executed

This means we can send the payload using netcat
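
Because the payload arrives as the client's very first line, before any NICK/USER registration, that ordering is something a defender can alert on. The following is an added example, not code from this write-up or from the exploit: a Python check over client-to-server lines reassembled from a capture or proxy log. `scan_session`, the command allow-list and the sample sessions are assumptions constructed for illustration; the `BC;` marker is the prefix stated above.

```python
import re

# Commands a legitimate client may send before registration completes
# (assumed allow-list: RFC 1459/2812 registration plus IRCv3 CAP/AUTHENTICATE).
PRE_REG_COMMANDS = {"CAP", "PASS", "NICK", "USER", "AUTHENTICATE", "PING", "PONG", "QUIT"}
SHELL_META = re.compile(r"[;|&`$<>]")


def first_token(line):
    """Return the IRC command of a client line, skipping an optional :prefix."""
    parts = line.strip().split()
    if parts and parts[0].startswith(":"):
        parts = parts[1:]
    return parts[0].upper() if parts else ""


def scan_session(client_lines, marker="BC;"):
    """Flag suspicious lines a client sent before finishing NICK/USER registration.

    marker is the payload prefix this write-up reports; set it to the prefix
    seen in the exploit you are defending against.
    """
    alerts = []
    seen = set()
    for number, line in enumerate(client_lines, start=1):
        if {"NICK", "USER"} <= seen:
            break  # registered: later traffic is ordinary IRC and out of scope here
        command = first_token(line)
        if command in PRE_REG_COMMANDS:
            seen.add(command)
            continue
        if not command:
            continue  # blank line
        reason = "unknown pre-registration command"
        if line.lstrip().startswith(marker):
            reason = "backdoor marker prefix"
        elif SHELL_META.search(line):
            reason = "shell metacharacters before registration"
        alerts.append((number, reason, line.strip()))
    return alerts


# Constructed sample sessions (not captured traffic).
BENIGN = ["CAP LS 302", "NICK alice", "USER alice 0 * :Alice", "PRIVMSG #chan :a; b"]
SUSPECT = ["BC;<command placeholder>", "NICK x"]
```
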

Netcat

First, let's set up a netcat listener

Connect to the target machine on port 8067 and, as soon as you receive the very first response from the server, send the payload straight away

And you should get a reverse shell.

Privilege Escalation
