SunsetNoontide Vulnhub Walkthrough

Hello guys back again with another short walkthrough this time we are going to be tackling SunsetNoontide from vulnhub a really simple beginner box. It start of by finding the server is running a backdoored version of IRC and exploit the vulnerability manually and gain a shell on the box. Running Linpeas which if all checks is specified runs a brute force using common passwords we see that the user root is using the simplest password root ever and use that password to escalate our privileges to root. Without much say let’s jump in

As always we start off with a nmap scan of the box. This will help us have a good idea on the services that are running on the box. Looking at the results returned by nmap we can see that only one port is open and it is running UnrealIRCd

I’ve see a box on HackTheBox platform that has similar vulnerability and since i had seen it’s exploitation before it wasn’t hard to know what to do. Metasploit has a module that exploits the vulnerability but in our case we’ll be performing the exploit manually using netcat

Reading through previous proof of concept article i figured that by backdoor was disguised to look as a debug statement and all you needed to do is start the command with AB; and the command placed afterward will directly be passed to system

Let’s exploit the vulnerability.

First i tried pinging myself to ensure that my exploit worked

I did set up a tcpdump listener that will show us if we get a ping back to our box

Next i connected to the IRC port and ran the payload

Looking at screenshot above the tcpdump listener got a callback. Next let’s get a shell on the box

I did set up a netcat listener and used netcat to get a shell on the box

Going to the user’s home directory we have the user flag

Next i uploaded linpeas to the box and ran it but specified to linpeas to perform all checks using the command below

bash -a

Looking at the linpeas result we see that the root users password is root

Sweet let’s utilize su to get a root shell on the box

Looking at the screenshot above we are root. Let’s get the root users flag from the root’s folder

And the box is done. Sweet

Hope you enjoyed the walkthrough if so don’t forget to clap and follow me so that you won’t miss any upcoming articles

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(, ExploitDB(