SunsetNoontide Vulnhub Walkthrough

As always, we start off with an nmap scan of the box. This gives us a good idea of the services running on it. The nmap results show that only one port is open, and it is running UnrealIRCd.

I’ve seen a box on the HackTheBox platform that has a similar vulnerability, and since I had seen its exploitation before, it wasn’t hard to know what to do. Metasploit has a module that exploits the vulnerability, but in our case we’ll perform the exploit manually using netcat.

Reading through a previous proof-of-concept article, I figured out that the backdoor was disguised to look like a debug statement, and all you need to do is start the command with AB; and the command placed afterward will be passed directly to system.
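From the defender's side, that AB; prefix is easy to look for in captured IRC traffic. The sketch below is an added example, not part of the original post: the function name, the documentation-range addresses and the sample payloads are constructed, and it assumes you already have client-to-server payload chunks in arrival order and that matching the prefix at the start of a line is enough.

```python
from collections import defaultdict

TRIGGER = b"AB;"  # prefix described in the walkthrough


def find_backdoor_triggers(chunks):
    """Return (source, line) for every IRC line that starts with TRIGGER.

    chunks: iterable of (source, payload_bytes) in arrival order.
    Lines may be split across chunks, so data is buffered per source.
    """
    pending = defaultdict(bytes)
    hits = []
    for src, payload in chunks:
        buf = pending[src] + payload
        # Everything before the last newline is complete; keep the rest.
        *lines, pending[src] = buf.split(b"\n")
        for line in lines:
            line = line.rstrip(b"\r")
            if line.startswith(TRIGGER):
                hits.append((src, line.decode("latin-1")))
    # A sender may never terminate the line, so check leftovers too.
    for src, rest in pending.items():
        if rest.startswith(TRIGGER):
            hits.append((src, rest.decode("latin-1")))
    return hits


# Constructed sample traffic (placeholders, not real commands).
SAMPLE = [
    ("192.0.2.5", b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    ("192.0.2.9", b"A"),                          # trigger split over two chunks
    ("192.0.2.9", b"B; PLACEHOLDER_COMMAND\r\n"),
    ("192.0.2.5", b"PRIVMSG #chan :AB; inside a chat message\r\n"),
    ("192.0.2.7", b"AB; PLACEHOLDER_NO_NEWLINE"),  # never terminated
]

if __name__ == "__main__":
    for src, line in find_backdoor_triggers(SAMPLE):
        print(f"ALERT {src}: {line!r}")
```

The chat message containing AB; in its body is not flagged, because only the start of a line is checked.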

Let’s exploit the vulnerability.

First, I tried pinging myself to ensure that my exploit worked.

I set up a tcpdump listener that will show us if we get a ping back to our box.

Next, I connected to the IRC port and ran the payload.

Looking at the screenshot above, the tcpdump listener got a callback. Next, let’s get a shell on the box.

I set up a netcat listener and used netcat to get a shell on the box.

Going to the user’s home directory, we have the user flag.

Next, I uploaded linpeas to the box and ran it, telling linpeas to perform all checks using the command below:

bash -a

Looking at the linpeas result, we see that the root user’s password is root.

Sweet, let’s use su to get a root shell on the box.

Looking at the screenshot above, we are root. Let’s get the root user’s flag from root’s folder.

And the box is done. Sweet.

Hope you enjoyed the walkthrough. If so, don’t forget to clap and follow me so that you won’t miss any upcoming articles.


