search
GitHubPsMapExec

UT99

Proving Grounds PG Practice ClamAV writeup

hashtag
Nmap

sudo nmap 192.168.142.44 -p- -sS -sV                               

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          FileZilla ftpd
80/tcp   open  http         Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
443/tcp  open  ssl/http     Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
3306/tcp open  mysql        MySQL (unauthorized)
6660/tcp open  irc          InspIRCd
-
-
7000/tcp open  irc          InspIRCd
6673/tcp open  vision_elmd?
7001/tcp open  tcpwrapped
7005/tcp open  tcpwrapped
7007/tcp open  irc          InspIRCd
Service Info: Hosts: localhost, www.example.com, irc.madcowz.localdomain; 
OS: Windows; CPE: cpe:/o:microsoft:window

Whilst FTP open I was unable to connect successfully without valid credentials as shown below:

Trying the web server we see we are taken to the MadCowz website.

Running whatweb against the web server shows it is running Apache 2.4.16 on a 32-bit Windows host.

From here nothing else too interesting was found on the web sever by means of exploitation. MySQL login was also denied to my attacking machine.

However, we do have IRC open on a large range of ports 6660-7000,7007. Connecting to these ports with command line options was proving unreliable due to frequent disconnections. Installing HexChat proved much more successful.

With HexChat open add a network and use the settings as per shown below. Ensuring the correct IP is set.

After doing so close the window and then connect to the new network. You should see a similar screen as below:

From here go to Server --> Channel List --> Perform a wildcard * search on the defaultsettings to find the channel #ut99.

This channel identifies the server is intended for Unreal Tournament 99 which we know is also running on Windows due to previous enumeration. Joining the channel also reveals the user Daisy.

Searching for Unreal Tournament 99 exploits for Windows on exploit-db shows the following:

LogoUnreal Tournament - Remote Buffer Overflow (SEH)Exploit Databasechevron-right

After downloading the exploit code and looking through it we see the following usage example:

We know from the HexChat and Nmap enumeration that the server for UT99 is running on port 7778. I set up a netcat listener on my attacking machine to port 80. I then used the following command to connect to the target server.

Resulting in a reverse shell.

From here with standard enumeration we find the directory C:\ftp containing the following contents.

The version of Foxit Reader shown 7.0.6.1126 appears to be vulnerable to an unquoted service path privilege escalation.

LogoFoxit Reader 7.0.6.1126 - Unquoted Service Path Privilege EscalationExploit Databasechevron-right
Exploit Link

Checking installed software on the target system we can see Foxit Reader is installed.

Querying the service on the target systems shows the service is running in the context of SYSTEM and the binary path indeed contains spaces and is not wrapped in quotes.

I then tested for write privileges in the binary path by creating a text file in the C:\Program Files (x86)\Foxit Software\Foxit Reader\ path.

Checking the contents of the directory after doing so we see the test.txt file.

I then performed a test reboot of the machine and confirmed that as the user Daisy I was able to reboot the machine. Currently this looks like we have a path to privilege escalation.

Firstly using msfvenom I created a stageless reverse shell.

I then uploaded this to the directory C:\Program Files (x86)\Foxit Software\Foxit Reader\

After the upload was completed I started a netcat listener on my attacking machine then rebooted the target system.

Shortly after I was able to obtain privileges as SYSTEM.

Last updated