IRC 6667
Basic Information
IRC was originally a plain text protocol (although later extended), which on request was assigned port 194/TCP by IANA. However, the de facto standard has always been to run IRC on 6667/TCP and nearby port numbers (for example TCP ports 6660–6669, 7000) to avoid having to run the IRCd software with root privileges.
See Spaghetti from Proving Grounds
Enumeration
nc -vn <IP> <PORT>
Manual
#Connection with random nickname
USER ran213eqdw123 0 * ran213eqdw123
NICK ran213eqdw123
#If a PING :<random> is responded you need to send
#PONG :<received random>
VERSION
HELP
INFO
LINKS
HELPOP USERCMDS
HELPOP OPERCMDS
OPERATOR CAPA
ADMIN #Admin info
USERS #Current number of users
TIME #Server's time
STATS a #Only operators should be able to run this
NAMES #List channel names and the usernames inside each channel
LIST #List channel names along with channel banner
WHOIS <USERNAME> #WHOIS a username
USERHOST <USERNAME> #If available, get hostname of a user
USERIP <USERNAME> #If available, get ip of a user
JOIN <CHANNEL_NAME> #Connect to a channel
#Operator creds Brute-Force
OPER <USERNAME> <PASSWORD>
Scan
BruteForce RFC
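The manual block above sends USER and NICK and then has to answer the server's PING with a matching PONG, and every reply that follows (the numeric replies to LIST, the bot's PRIVMSG) uses the same line grammar. The code below is an added example written for this page, not code from the original page or from the Spaghetti bot: it parses raw IRC lines into prefix, command and parameters (RFC 1459 section 2.3.1), builds the PONG reply a client owes the server, and extracts channel name, user count and topic from RPL_LIST (322) replies. The server name irc.example.net, the nick, the bot's hostmask and the sample lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Simplified RFC 1459 line grammar:
#   [':' prefix SPACE] command {SPACE middle} [SPACE ':' trailing] CRLF
# command is either a word (PING, PRIVMSG, ...) or a three-digit numeric reply.
_LINE_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>[A-Za-z]+|\d{3})(?P<params>.*)$")


def parse_irc_line(line: str) -> Dict[str, object]:
    """Split one raw IRC line into prefix (or None), upper-cased command and params.

    The trailing parameter (introduced by ' :') may contain spaces and is kept
    whole; every other parameter is whitespace-separated.
    """
    line = line.rstrip("\r\n")
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an IRC line: {line!r}")
    params_raw = m.group("params")
    if " :" in params_raw:
        middle, trailing = params_raw.split(" :", 1)
        params = middle.split()
        params.append(trailing)
    else:
        params = params_raw.split()
    return {"prefix": m.group("prefix"), "command": m.group("command").upper(), "params": params}


def reply_for(msg: Dict[str, object]) -> Optional[str]:
    """Return the line a client must send back, or None if nothing is owed.

    A server PING must be answered with PONG carrying the same token; a client
    that stays silent is disconnected (the PING/PONG note in the block above).
    """
    params = msg["params"]
    if msg["command"] == "PING" and params:
        return f"PONG :{params[-1]}"
    return None


def channels_from_list_replies(lines: List[str]) -> List[Tuple[str, int, str]]:
    """Collect (channel, user_count, topic) from RPL_LIST (322) replies.

    Params of a 322 reply are: <our nick> <channel> <user count> :<topic>.
    """
    found = []
    for raw in lines:
        msg = parse_irc_line(raw)
        params = msg["params"]
        if msg["command"] == "322" and len(params) >= 3:
            topic = params[3] if len(params) > 3 else ""
            found.append((params[1], int(params[2]), topic))
    return found


# Constructed sample traffic, modelled on what the walkthrough sees after LIST.
SAMPLE_LINES = [
    "PING :4A2F9C1B",
    ":irc.example.net 322 ran213eqdw123 #mailAssistant 2 :Send requests to the bot here",
    ":irc.example.net 322 ran213eqdw123 #lobby 5 :",
    ":irc.example.net 323 ran213eqdw123 :End of /LIST",
    ":spaghetti_BoT!bot@127.0.0.1 PRIVMSG #mailAssistant :Send me !command for a list of commands",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        msg = parse_irc_line(raw)
        owed = reply_for(msg)
        print(msg["command"], msg["params"], "->", owed or "(no reply needed)")
    print(channels_from_list_replies(SAMPLE_LINES))
```

The parser treats the first " :" as the start of the trailing parameter, which is safe because a middle parameter can never begin with a colon; everything after it, spaces and further colons included, is one value.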
We can now list available channels by simply running the list command.
The channel #mailAssistant is the one we saw listed on the web server. Let’s join that channel using the join command.
Joining the channel also provides us with a list of users in the channel. We see there is a user by the name of spaghetti_BoT. Let’s try posting a message into the channel we just joined by using the privmsg command.
Spaghetti_BoT responded instructing us to send it a private message of !command to see a list of commands. Let’s do exactly that with the privmsg command again.
It appears that we only have a couple of functions available with spaghetti_BoT. We can send an email address and description and the administrator is supposed to get back to us. We also have the !about function. Let’s try that first.
We find the referenced GitHub page with the source code of the bot, written in Python. The most interesting file is irc_bot.py.
Exploitation
Exploiting IRC
We have two inputs to work with: email and description. Whatever we put in the email field is checked against a regex filter that only accepts a valid email address.
In the response from the bot, it said “email will be sent to the administrator”, and the bot appears to be running on the same system as the IRC server based on its localhost IP address:
In our nmap scan, we discovered that this server is running postfix. This could be an easy way to send email internally, and in the IRC bot source code we can see a send_message function that calls the mail system command:
In the function above, a variable named cmd is passed to a subprocess.Popen() call that runs shell commands on the host system. The echo {} part that carries the body of the email is interpolated into that shell string without any escaping, so it may be possible to inject additional commands.
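The pattern described above, untrusted text formatted straight into a shell string, is what makes the bot exploitable. The block below is an added example written for this page, not the bot's own code: vulnerable_command() mirrors that pattern (it only builds the string and is never executed), beside a hardened safe_mail_invocation() that validates the address, runs mail as an argv list with no shell and delivers the body over stdin, plus quoted_shell_command() showing shlex.quote as the fallback when a shell string cannot be avoided. ADMIN_ADDR, the subject line and the email regex are assumptions, not values from the bot.

```python
import re
import shlex
import subprocess
from typing import List, Tuple

ADMIN_ADDR = "admin@localhost"  # assumed recipient; placeholder, not taken from the bot

# Assumed address check: one local part, one domain; whitespace and shell
# metacharacters such as ; | ` $ cannot pass.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(addr: str) -> bool:
    return EMAIL_RE.fullmatch(addr) is not None


def vulnerable_command(email: str, description: str) -> str:
    """The weak pattern: user text dropped into a shell string unquoted.

    If this string were handed to Popen(..., shell=True), the shell would
    parse the description, so a '|' or ';' inside it separates commands.
    Kept here only for contrast; nothing in this file runs it.
    """
    return "echo '{} {}' | mail -s 'New request' {}".format(email, description, ADMIN_ADDR)


def safe_mail_invocation(email: str, description: str) -> Tuple[List[str], bytes]:
    """Hardened form: argv list (no shell) plus the body delivered over stdin.

    No shell ever sees the description, so '|' or ';' in it is just text in
    the email body. The address is validated before anything is built.
    """
    if not is_valid_email(email):
        raise ValueError("rejected address")
    body = f"From: {email}\n\n{description}\n".encode()
    argv = ["mail", "-s", "New request", ADMIN_ADDR]
    return argv, body


def quoted_shell_command(email: str, description: str) -> str:
    """Fallback when a shell string really is required: quote every untrusted piece."""
    payload = shlex.quote(f"{email} {description}")
    return "echo {} | mail -s 'New request' {}".format(payload, shlex.quote(ADMIN_ADDR))


def send_message(email: str, description: str, runner=subprocess.run):
    """Deliver the request via the local MTA without invoking a shell.

    `runner` is injectable so the call can be dry-run in tests; the default
    really executes `mail`, which needs an MTA such as the postfix seen on the box.
    """
    argv, body = safe_mail_invocation(email, description)
    return runner(argv, input=body, check=True)


if __name__ == "__main__":
    desc = "please reply | thanks; see you"  # constructed description with shell metacharacters
    print("weak  :", vulnerable_command("alice@example.com", desc))
    print("argv  :", safe_mail_invocation("alice@example.com", desc)[0])
    print("quoted:", quoted_shell_command("alice@example.com", desc))
```

Preferring the argv form over quoting is deliberate: with a list and no shell there is nothing to quote and no parser to get wrong, whereas shlex.quote only protects the pieces you remember to wrap.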
Let’s try to use this bot to spawn a reverse shell back to our kali box. We can create a script containing a bash reverse shell to pull to the target using this IRC bot.
We can save that as rev.sh and start a python webserver to host it.
Back in our IRC session, let’s send the spaghetti_BoT a command to download our script. We have to supply a valid email address and then enter some text for the description field followed by a pipe character | and then the command we want to inject. In our case, we’ll use wget to pull the script to the target system.
We can verify that this worked by looking at our python webserver output:
Next, we will need to make the script on the target system executable by sending a chmod command using the same method as before.
Let’s start a Netcat listener on our kali box: