Exploiting UnrealIRCd on Metasploitable 3's Port 6697
This article describes the process of attacking Metasploitable 3 on port 6697 from Kali Linux in a virtual lab environment. The lab environment is set up in VirtualBox. I have attached screenshots.
The first step was to scan the target for open ports and service versions using nmap.
$ nmap -sV -Pn -T4 -p 1-65535 -oX portstatistics.xml 192.168.56.102
This command probes all TCP ports (-p 1-65535), skips host discovery (-Pn), uses the aggressive timing template (-T4), performs service version detection (-sV) and writes the results in XML format to portstatistics.xml (-oX).
Results of the scan:
The results show that several ports on the Metasploitable machine are open, and they identify the services running on those ports and their versions. This information is used to determine which services and versions may contain vulnerabilities.
Here are some of the open ports and services:
Port 21/tcp: FTP service (vsftpd 3.0.2): File Transfer Protocol, allowing the transfer of files between computers.
Port 22/tcp: SSH service (OpenSSH 6.6.1p1): Secure Shell, a secure protocol for remote login and file transfer.
Port 80/tcp: HTTP service (Apache httpd 2.4.7): Hypertext Transfer Protocol, the protocol used to transmit web pages.
Port 6697/tcp: IRC service (UnrealIRCd): Internet Relay Chat, a text-based chat protocol.
We will try to exploit port 6697/tcp, the IRC service (UnrealIRCd).
The port is used by UnrealIRCd, an open-source Internet Relay Chat daemon. IRC is used for real-time chat, file sharing, remote control and even gaming.
First start PostgreSQL. Metasploit uses PostgreSQL to store the data gathered during penetration testing activities.
Open the Metasploit Framework:
$msfconsole
Search for the exploit:
$search unrealircd
We will use the UnrealIRCD 3.2.8.1 Backdoor Command Execution module.
This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.
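The backdoor described above was shipped inside the project's own download archive, so the defensive lesson is to verify every downloaded source archive against a checksum the vendor publishes out of band before building it. The following Python script is an added example, not code from the article or from the UnrealIRCd project: it streams the SHA-256 of an archive, parses a sha256sum-style checksum list, and reports whether the file is genuine, tampered, or not listed at all. The archive bytes and the "published" checksum line are both constructed for the demonstration; the file name Unreal3.2.8.1.tar.gz is reused only as a label.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read archives in 1 MiB chunks so large files need not fit in memory


def sha256_of(path):
    """Hex SHA-256 of a file, computed in a streaming fashion."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksums(text):
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}.
    A leading '*' on the filename (sha256sum's binary-mode marker) is stripped."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        digest, name = parts
        table[name.lstrip("*")] = digest.lower()
    return table


def verify_archive(path, checksums_text):
    """Compare an archive against a vendor-published checksum list.
    Returns 'ok', 'mismatch' or 'not listed'."""
    expected = parse_checksums(checksums_text).get(os.path.basename(path))
    if expected is None:
        return "not listed"
    actual = sha256_of(path)
    # constant-time comparison; harmless here but the right habit for digests
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# --- helpers that make the demonstration self-contained -----------------------

def make_sample_archive(name="Unreal3.2.8.1.tar.gz"):
    """Write a constructed stand-in for a downloaded archive (NOT the real tarball)
    into a fresh temp directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as fh:
        fh.write(b"constructed archive bytes, not a real tar.gz\n")
    return path


def checksum_line(path):
    """Stand-in for the vendor's published sha256sum line for this file."""
    return f"{sha256_of(path)}  {os.path.basename(path)}"


def corrupt_line(line):
    """Flip the first hex digit of a checksum line, simulating a tampered download."""
    first = "0" if line[0] != "0" else "1"
    return first + line[1:]


if __name__ == "__main__":
    archive = make_sample_archive()
    published = checksum_line(archive)
    print("genuine  :", verify_archive(archive, published))
    print("tampered :", verify_archive(archive, corrupt_line(published)))
    print("unlisted :", verify_archive(archive, "0" * 64 + "  other.tar.gz"))
```

A checksum is only as trustworthy as the channel it arrived on: a digest hosted next to the archive on the same compromised mirror proves nothing, which is why a detached signature verified with a key obtained separately is the stronger check where the vendor offers one.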
use exploit/unix/irc/unreal_ircd_3281_backdoor
show payloads
This lists all payloads compatible with the currently selected exploit module. A payload is the part of the exploit that runs on the target once exploitation succeeds, for example to establish a reverse shell.
Use the show options command to see the settings the exploit requires.
The only option that must be set is RHOSTS, the IP address of the Metasploitable machine:
set RHOSTS <metasploitable3 ip>
Set the payload:
use payload/cmd/unix/reverse_perl
This payload establishes a reverse shell connection from a Unix-based target back to the attacker's machine. It uses Perl, a scripting language, to execute commands on the compromised system and send their output back to the attacker.
Execute the exploit with the exploit command (or its alias run).
We were able to establish the connection and run commands on the vulnerable machine.
The following commands were executed to gather relevant information about the machine:
whoami
hostname
pwd
Listing the files in the directory, with details of their permissions
ls -la
Displaying user accounts
Dumping the contents of /etc/passwd and /etc/shadow can be used, for example, to enable offline password cracking. Most modern Linux distributions store user account information in /etc/passwd and the password hashes in /etc/shadow. By default, /etc/shadow is readable only by the root user, so a low-privileged shell cannot read it.
Getting details about the Linux distribution:
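The paragraph on /etc/passwd and /etc/shadow describes the protection model; the Python audit below, added here and not part of the original article, shows the checks a defender runs on those files. It scans passwd-format text for password hashes kept in the world-readable file, empty password fields and extra UID 0 accounts, and it checks that a shadow file is root-owned with no permission bits for other users (a check that needs only stat(), not read access). The passwd content is a constructed sample, and the hash in it is a placeholder string, not a real credential.

```python
import os
import stat
from typing import List, Tuple

# Constructed /etc/passwd sample (not copied from the Metasploitable machine).
# The 'legacy' entry's hash is a placeholder, not a real credential.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$saltsalt$placeholderhashnotreal:1002:1002:Legacy User:/home/legacy:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
guest::1003:1003:Guest:/home/guest:/bin/bash
"""


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (username, issue) pairs for weak patterns in passwd-format text."""
    issues = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            issues.append((fields[0], "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            issues.append((user, "empty password field: account can log in without a password"))
        elif not (pw in ("x", "*") or pw.startswith("!")):
            # 'x' defers to /etc/shadow; '*' and '!...' mean locked. Anything else is a
            # hash sitting in the world-readable passwd file, where any local user can copy it.
            issues.append((user, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and user != "root":
            issues.append((user, "additional UID 0 (root-equivalent) account"))
    return issues


def shadow_mode_ok(mode: int, owner_uid: int) -> bool:
    """True when mode/owner keep a shadow file unreadable by ordinary users:
    owned by root (uid 0) and no permission bits at all for 'other'."""
    return owner_uid == 0 and (mode & stat.S_IRWXO) == 0


def check_shadow_file(path: str = "/etc/shadow") -> bool:
    """Check the live file's permission bits and owner; stat() works without read access."""
    st = os.stat(path)
    return shadow_mode_ok(stat.S_IMODE(st.st_mode), st.st_uid)


if __name__ == "__main__":
    for user, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"{user:<8} {issue}")
    if os.path.exists("/etc/shadow"):
        print("/etc/shadow permissions OK:", check_shadow_file())
```

Distributions that use a shadow group give the file mode 0640 with root:shadow ownership; that still passes this check, because the rule being enforced is "nothing for other", not a single exact mode.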
lsb_release -a
Displaying the routing table
Displaying disk usage information
df -h
Displaying information about devices connected to the system
lspci
In this article, we established a reverse shell connection to the remote Metasploitable 3 machine by exploiting the backdoor in the UnrealIRCd service running on port 6697.
Resources
Setting up the Lab Environment: https://aboutvirtualmachines.hashnode.dev/setting-up-the-lab-environment-for-exploiting-metasploitable
UnrealIRCD 3.2.8.1 Backdoor Command Execution: https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/