IRC


Nmap discovered an IRC service running on the target ports 6698, 8067, and 65534.

Internet Relay Chat (IRC) is a text-based chat system for instant messaging. IRC is designed for group communication in discussion forums, called channels, but also allows one-on-one communication via private messages as well as chat and data transfer, including file sharing.

Internet Relay Chat is implemented as an application layer protocol to facilitate communication in the form of text. The chat process works on a client–server networking model. Users connect, using a client (which may be a web app, a standalone desktop program, or embedded into part of a larger program), to an IRC server, which may be part of a larger IRC network. Examples of programs used to connect include Mibbit, IRCCloud, KiwiIRC, and mIRC.

UnrealIRCd is “one of the most popular and full-featured IRC daemons”, and is used on the largest number of IRC servers, according to SearchIRC.com. This server is described as having “possibly the most security features of any IRC server.”

There is also a security issue with version 3.2.8.1; I will keep an eye on this.

Nmap also enumerated the exact service, UnrealIRCd, as well as an admin email address attached to it: djmardov@irked.htb.

As the email address contains domain information, I appended it to the /etc/hosts file on Kali for local DNS resolution.

Kali does not come with any IRC client by default, so I’m going to need one for enumeration. I will go with irssi.

irssi


┌──(kali㉿kali)-[~/archive/htb/labs/irked]
└─$ irssi $IP

Initializing

Upon entering, I am greeted with a prompt.

Port 6697


I was able to connect to the target IRC server on port 6697. The IRC server is running Unreal 3.2.8.1.

With the /admin command, I got the admin’s username: bob.

It would appear there isn’t any channel in this IRC server.

Port 65534


The IRC server on the target port 65534 also uses Unreal 3.2.8.1. It also notes there is an invisible user.

It doesn’t seem like there is any channel here either.
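
Added example (not part of the original write-up): the version, the /admin output and the invisible-user count read in the client above arrive as IRC numeric replies (004, 251, 256-259), and this parser extracts them so a defender can inventory IRC daemons and flag the version this page singles out. The sample lines are constructed for illustration, and `parse_line`, `summarize` and `FLAGGED_VERSIONS` are hypothetical names.

```python
import re

# Constructed sample of server replies (illustrative, not captured output).
SAMPLE = """\
:irked.htb 001 kali :Welcome to the IRC network kali
:irked.htb 004 kali irked.htb Unreal3.2.8.1 iow lvhopsmnt
:irked.htb 251 kali :There are 1 users and 1 invisible on 1 servers
:irked.htb 256 kali :Administrative info about irked.htb
:irked.htb 257 kali :Bob
:irked.htb 258 kali :bob
:irked.htb 259 kali :djmardov@irked.htb
"""

# Assumption: the inventory flags only the version called out on this page.
FLAGGED_VERSIONS = {"Unreal3.2.8.1"}


def parse_line(line):
    """Split one IRC message into (prefix, command, params)."""
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    if " :" in line:
        # Everything after " :" is a single trailing parameter.
        head, trailing = line.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = line.split()
    return prefix, params[0], params[1:]


def summarize(raw):
    """Collect version, invisible-user count and admin lines from replies."""
    info = {"version": None, "invisible": None, "admin": [], "flagged": False}
    for line in raw.splitlines():
        if not line.strip():
            continue
        _, cmd, params = parse_line(line)
        if cmd == "004" and len(params) >= 3:   # RPL_MYINFO: nick, server, version
            info["version"] = params[2]
        elif cmd == "251":                      # RPL_LUSERCLIENT
            match = re.search(r"(\d+) invisible", params[-1])
            if match:
                info["invisible"] = int(match.group(1))
        elif cmd in ("257", "258", "259"):      # RPL_ADMINLOC1/2, RPL_ADMINEMAIL
            info["admin"].append(params[-1])
    info["flagged"] = info["version"] in FLAGGED_VERSIONS
    return info
```
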

Vulnerability


┌──(kali㉿kali)-[~/archive/htb/labs/irked]
└─$ searchsploit UnrealIRCd 3.2.8.1
------------------------------------------------------------- ---------------------------------
 Exploit Title                                               |  Path
------------------------------------------------------------- ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow      | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute               | linux/remote/13853.pl
------------------------------------------------------------- ---------------------------------
shellcodes: No Results
papers: No Results

Upon searching on Exploit-DB, I discovered that UnrealIRCd 3.8.2.1 is [[Irked_CVE-2010-2075#CVE-2010-2075|vulnerable]] to a number of exploits.