Ping

Nmap Scans
mapit 10.10.10.117
Nmap Default Scan

Nmap Service and Script Scan

Nmap All Port Scan

Nmap Service and Script Scan for New ports

On Port 80 http://10.10.10.117

Gobuster Scan
gobuster dir -u http://10.10.10.117 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,bak,aspx -s 200,204,301,302,307,403 -k --status-codes "" -o gobuster.txt

This looks like an IRC exploit; there are 4 open UnrealIRCd ports, will check for public exploits
Found a public exploit https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor/blob/master/exploit.py
Saved the program in a file named exp.py, modified it a bit with my local IP and listening port for the reverse shell, then executed it

First I tried with port 6697 and it worked
python3 exp.py -payload bash 10.10.10.117 6697


Can’t read user.txt as ircd

There is a password in .Documents directory

Will try this password for djmardov
Didn’t work.
Steg refers to steganography (content hidden inside an image), so will try the password to extract hidden info from an image. But I can’t find any image on the machine, so will try with the image on the website

I downloaded the image and extracted the hidden content using Steghide; see this link for Steghide usage: https://medium.com/the-kickstarter/steganography-on-kali-using-steghide-7dfd3293f3fa
steghide extract -sf irked.jpg

Will use this password to switch as djmardov
su djmardov

User.txt

Will Jump to Privilege Escalation…!
Actually we can escalate directly to root with the help of viewuser without getting access to djmardov, because viewuser has the SUID bit set.

Checked how it works and found a way to escalate my privilege
It checks for /tmp/listusers and does not find it, will check the /tmp dir
So there is no listusers there

Will create one
Created a file and added the user name djmardov; it says permission denied, will change the permissions.
Still not working as expected

What if it executes the command? Let’s insert “id”
Worked finally…!
We can add “su” to it and escalate our privilege
w3 Ar3 r0o1…!
root.txt
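The root cause of this escalation, as an added illustration that is not part of the original writeup and does not reproduce viewuser’s real source: a SUID-root helper that executes a file from a world-writable directory, next to a hypothetical hardened check (check_helper_path, run_helper and demo_trusted_file are all assumed names) that a setuid program should perform before running any helper.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Bug class from the writeup (illustrative, not viewuser's real source):
 *   setuid(0); if (access("/tmp/listusers", F_OK) == 0) system("/tmp/listusers");
 * Whoever can write to /tmp chooses what runs as root. */
enum { PATH_OK = 0, PATH_NOT_ABSOLUTE, DIR_MISSING, DIR_UNTRUSTED,
       FILE_MISSING, FILE_UNTRUSTED };

/* Allow `path` only if the file and its directory are owned by trusted_uid and
 * writable by nobody else. The directory is checked first, so /tmp/anything is
 * rejected even before a file is planted there. */
int check_helper_path(const char *path, uid_t trusted_uid) {
    struct stat st;
    char buf[4096];
    if (path == NULL || path[0] != '/' || strlen(path) >= sizeof buf)
        return PATH_NOT_ABSOLUTE;         /* relative paths follow the caller's cwd */
    strcpy(buf, path);
    if (stat(dirname(buf), &st) != 0)     /* dirname() may modify buf */
        return DIR_MISSING;
    if (!S_ISDIR(st.st_mode) || st.st_uid != trusted_uid || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return DIR_UNTRUSTED;
    if (stat(path, &st) != 0)
        return FILE_MISSING;
    if (!S_ISREG(st.st_mode) || st.st_uid != trusted_uid || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return FILE_UNTRUSTED;
    return PATH_OK;
}
/* Hardened launch: validate against root ownership, drop the SUID privilege
 * permanently, then exec directly rather than through system()/a shell. */
int run_helper(const char *path) {
    if (check_helper_path(path, 0) != PATH_OK) return -1;
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return -1;
    execl(path, path, (char *)NULL);
    return -1;                            /* only reached if exec fails */
}
/* Constructed positive case: private 0700 dir + 0755 file owned by the current user. */
int demo_trusted_file(void) {
    char dir[] = "/tmp/helper-demo-XXXXXX", file[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(file, sizeof file, "%s/listusers", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);
    int rc = check_helper_path(file, getuid());
    unlink(file); rmdir(dir);
    return rc;
}
```

With this check in place, /tmp/listusers is refused because /tmp is world-writable, regardless of what has been written there.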

Done with Irked…:)