Let’s look at port 6667.
Nmap doesn’t show you the version of the Unreal ircd. Another way to find out the version of the IRC server is to connect to it using an IRC client. There are many clients to choose from, however for starters look at “HexChat”.
Install HexChat and connect to the IRC server to find out and verify the version.
Fire up your Kali attacker and vulnerable Metasploitable 2 machines.
Searching Metasploit Console
Startup Metasploit framework on Kali using the "msfconsole" command.
Enter the command: search unreal
This command will tell the msfconsole to search it’s database for anything relating to “unreal”
3 exploit have been found. If you’ve completed the challenge above you will know that the 2nd exploit is what we need as it matches the version of IRC on the Metasploitable 2 machine.
UnrealIRCD 126.96.36.199 Backdoor Exploit
Enter the command: use exploit/unix/irc/unreal_ircd_3281_backdoor
After the exploit is set, we use “show options” command to fill in any required setting that is unfilled.
Looks like the “RHOST” is unfilled. RHOST stands for Remote Host a.k.a Target machine.
Enter the command: set RHOST <<target IP address>>
We are all set now. Enter the command: exploit
And there we have our root access.
You will notice a new command here - "grep root /etc/shadow". Google what is the shadow file.
If you understood this well, congratulations. You are now a script kiddie.
More seasoned security people most often tweak these exploits by manually selecting compatible preferred payloads, while the experts prefer to manually edit the whole exploit code to their liking.
Bitcrack's Advanced Hacking course is built specifically to teach you how fully customize your exploits to your likes, slice open malware's and more. Send us a tweet to find out more or reach out to us from here.
-Jayesh Kerai (@secjay)